Rootkit Identification With ClamWin

sherpya
Hmm, no. Currently the memory scan code, which is not exactly a memory scan but rather takes a snapshot of processes and then scans the loaded modules on disk, uses dbghelp.dll, which should be the same as or similar to what Task Manager does.
Rootkit detection in the process list needs to be helped by a kernel driver; currently I don't have the knowledge to write such a driver.
GuitarBob
Thanks for the info. Is this true for both userland and kernel-mode rootkits?
Not all RK makers are as good as Holy Father or Fu, and not all RK users are Einsteins, so if there is a base they have not covered (something they have not hidden very well), there might be a chance to find it by conventional means. Regards,
b0ne
There is enough cut-and-paste code available such that even newbie programmers can create rootkits. On to Task Manager, ClamWin, and anything that operates on process IDs. The typical way to obtain this information is via the Toolhelp32Snapshot or the EnumProcesses Win32 APIs. Kernel-mode rootkits hook the "kernel" versions of these functions; user-mode rootkits hook these functions directly. When your program attempts to call these and discover the list of running processes, the hooks interfere with the returned data such that the process ID of the rootkitted process is no longer available in the list when it is returned. ClamWin and taskmgr operate in the same regard, calling the same APIs to enumerate the same process list. If a rootkit affects taskmgr, it will also affect ClamWin (generally speaking).
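The post above describes the weak point: a scanner and Task Manager walk the same in-process API path, so one hook hides a PID from both. The usual low-tech counter is a cross-view check, obtaining the process list through several independent paths and diffing them. The script below is an added example written for this thread; it is not ClamWin code and not code from any poster. It assumes Windows with PowerShell 5.1 or later, an elevated shell, and tasklist.exe on the PATH. The three views are .NET's Process.GetProcesses in the current process (an in-process enumeration like the one a scanner does), WMI's Win32_Process (answered by the WMI provider host, a separate process), and tasklist.exe (another separate process with its own copy of the enumeration code).

```powershell
# Added example (not ClamWin's own code): cross-view comparison of the process list.
# A hook that filters only one path, such as a user-mode hook on Toolhelp32Snapshot or
# EnumProcesses inside this shell, leaves the hidden PID visible in the other views.
# Assumptions: Windows, elevated PowerShell 5.1+, tasklist.exe available on the PATH.

function Get-ProcessIdView {
    param([Parameter(Mandatory)][ValidateSet('DotNet','WMI','Tasklist')][string]$View)
    switch ($View) {
        # In-process .NET enumeration: the same kind of call path a scanner or taskmgr uses
        'DotNet'   { [System.Diagnostics.Process]::GetProcesses() | ForEach-Object { [int]$_.Id } }
        # WMI: the answer comes from the provider host (WmiPrvSE.exe), not from this process
        'WMI'      { Get-CimInstance -ClassName Win32_Process | ForEach-Object { [int]$_.ProcessId } }
        # tasklist.exe: a third process, parsed from its CSV output
        'Tasklist' {
            tasklist.exe /FO CSV /NH |
                ConvertFrom-Csv -Header ImageName,PID,SessionName,SessionNum,MemUsage |
                ForEach-Object { [int]$_.PID }
        }
    }
}

function Compare-ProcessViews {
    # Processes start and exit between snapshots, so a PID is reported only when it is
    # missing from the same view in every round; transient processes drop out of the result.
    param([int]$Rounds = 3, [int]$DelayMs = 500)
    $viewNames = 'DotNet','WMI','Tasklist'
    $suspects = $null
    for ($r = 0; $r -lt $Rounds; $r++) {
        $views = @{}
        foreach ($name in $viewNames) { $views[$name] = @(Get-ProcessIdView -View $name) }
        # Union of every PID seen by any view
        $all = $views.Values | ForEach-Object { $_ } | Sort-Object -Unique
        $roundFindings = @{}
        foreach ($id in $all) {
            foreach ($name in $viewNames) {
                if ($views[$name] -notcontains $id) { $roundFindings["$id|$name"] = $true }
            }
        }
        if ($null -eq $suspects) {
            $suspects = $roundFindings
        } else {
            # Keep only discrepancies that persisted from the previous round
            foreach ($key in @($suspects.Keys)) {
                if (-not $roundFindings.ContainsKey($key)) { $suspects.Remove($key) }
            }
        }
        Start-Sleep -Milliseconds $DelayMs
    }
    foreach ($key in $suspects.Keys) {
        $id, $name = $key -split '\|'
        [pscustomobject]@{ PID = [int]$id; HiddenFrom = $name }
    }
}

# Usage: an empty table means all three views agree.
Compare-ProcessViews | Sort-Object PID | Format-Table -AutoSize
```

A PID that is consistently absent from one view but present in the others is worth a closer look (for example, compare it against what a boot-time or offline scan of the disk reports). The caveat matches the point made in the post: a kernel-mode rootkit that filters the list below all three paths, or that unlinks the process from the kernel's own structures, hides it from every view here, which is why a kernel driver or an offline scan is needed for that case.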
GuitarBob
Thanks for that explanation, b0ne. That'll give me something to chew on for a while. It looks like a low-tech scanner needs to devote a lot of effort to identifying RKs before they attach to a system, then.
Regards,
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.