Would a comparison of the processes found in a Clamwin memory scan with the processes found by Windows Task Manager be able to turn up any rootkits on a system? If not in normal mode, then how about in Safe Mode?

Regards,

hmm no, currently the memory scan code, that is not exactly a memory scan, but rather it take a snapshot of processes then scans on disk the loaded modules, uses dbghelp.dll, that should be the same or similar that task manager does
A rootkit detection in process list needs to be helped by a kernel driver,
currently I don't have the knowledge to make such driver

Thanks for the info. Is this true for both userland and kernel mode rootkits?

Not all RK makers are as good as Holy Father or Fu, and not all RK users are Einsteins, so if there is a base they have not covered--something they have not hidden very well, there might be a chance to find it by conventional means.

Regards,

There is enough cut-and-paste code available such that even newbie programmers can create rootkits.

On to task manager, clamwin, and anything that operates on process ids. The typical way to obtain this information is via the Toolhelp32Snapshot or the EnumProcesses WIN32 APIs. Kernel mode rootkits hook the "kernel" versions of these functions, usermode rootkits hook these functions directly.

When your program attempts to call these, and discover the list of running processes, the hooks interfere with the returned data such that the process ID of the rootkit'd pid is no longer available in the list when it is returned.

ClamWin and taskmgr operate in the same regard, calling the same APIs to enumerate the same process list. If a rootkit affects taskmgr, it will also affect Clamwin. (generally speaking)

Thanks for that explanation, bOne. That'll give me something to chew on for awhile. It looks like a low-tech scanner needs to devote a lot of effort to identifying RKs before they attach to a system then.

Regards,