Rootkit Identification With ClamWin
GuitarBob
Would a comparison of the processes found in a ClamWin memory scan with the processes found by Windows Task Manager be able to turn up any rootkits on a system? If not in normal mode, then how about in Safe Mode?

Regards,
sherpya
Hmm, no. Currently the memory scan code (which is not exactly a memory scan, but rather takes a snapshot of the processes and then scans the loaded modules on disk) uses dbghelp.dll, which should be the same as, or similar to, what Task Manager does.
Rootkit detection in the process list needs to be helped by a kernel driver; currently I don't have the knowledge to write such a driver :(
GuitarBob
Thanks for the info. Is this true for both userland and kernel mode rootkits?

Not all RK makers are as good as Holy Father or Fu, and not all RK users are Einsteins, so if there is a base they have not covered--something they have not hidden very well, there might be a chance to find it by conventional means.

Regards,
b0ne
GuitarBob wrote:
Not all RK makers are as good as Holy Father or Fu, and not all RK users are Einsteins, so if there is a base they have not covered--something they have not hidden very well, there might be a chance to find it by conventional means.


There is enough cut-and-paste code available such that even newbie programmers can create rootkits.

On to task manager, clamwin, and anything that operates on process ids. The typical way to obtain this information is via the Toolhelp32Snapshot or the EnumProcesses WIN32 APIs. Kernel mode rootkits hook the "kernel" versions of these functions, usermode rootkits hook these functions directly.

When your program attempts to call these, and discover the list of running processes, the hooks interfere with the returned data such that the process ID of the rootkit'd pid is no longer available in the list when it is returned.

ClamWin and taskmgr operate in the same regard, calling the same APIs to enumerate the same process list. If a rootkit affects taskmgr, it will also affect Clamwin. (generally speaking)
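The "cross-view" check that b0ne's explanation points at, written out as an added example (it is not ClamWin's code and not part of the original thread): take the same Toolhelp32 snapshot that Task Manager and ClamWin use, then build a second list by simply calling OpenProcess() on every candidate PID, and report PIDs that answer the probe but are missing from the snapshot. A user-mode rootkit that hooks the enumeration API but not OpenProcess() shows up in that difference. The Windows calls are compiled only under _WIN32; on other systems the diff logic runs on a constructed sample (the PID values 0, 4, 512, 1200, 1204, 1492 and 2048 are made up). The 65536 PID bound is an assumption, not a Windows limit.

```c
/* Cross-view process enumeration: Toolhelp32 snapshot vs. OpenProcess probe.
 * Added example, not ClamWin's own code. Windows calls only under _WIN32;
 * elsewhere the diff runs on a constructed sample so it can be tried offline. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_PIDS 65536   /* assumed upper bound for the brute-force probe */

static int cmp_pid(const void *a, const void *b)
{
    unsigned x = *(const unsigned *)a, y = *(const unsigned *)b;
    return (x > y) - (x < y);
}

/* Report PIDs present in `probe` but absent from `snapshot`. Both arrays are
 * sorted in place. Returns how many PIDs were written to `hidden`. */
size_t diff_views(unsigned *snapshot, size_t nsnap,
                  unsigned *probe, size_t nprobe,
                  unsigned *hidden, size_t maxhidden)
{
    size_t i = 0, j, n = 0;
    qsort(snapshot, nsnap, sizeof *snapshot, cmp_pid);
    qsort(probe, nprobe, sizeof *probe, cmp_pid);
    for (j = 0; j < nprobe; j++) {
        while (i < nsnap && snapshot[i] < probe[j])
            i++;
        if (i < nsnap && snapshot[i] == probe[j])
            continue;                 /* visible in both views: nothing to say */
        if (n < maxhidden)
            hidden[n++] = probe[j];   /* only the probe found it */
    }
    return n;
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>

/* View 1: the same process snapshot Task Manager and ClamWin build. */
static size_t enum_toolhelp(unsigned *out, size_t max)
{
    PROCESSENTRY32 pe;
    size_t n = 0;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE)
        return 0;
    pe.dwSize = sizeof pe;
    if (Process32First(snap, &pe)) {
        do {
            if (n < max)
                out[n++] = pe.th32ProcessID;
        } while (Process32Next(snap, &pe));
    }
    CloseHandle(snap);
    return n;
}

/* View 2: try to open every candidate PID (Windows PIDs are multiples of 4).
 * ERROR_ACCESS_DENIED still proves the PID exists; any other failure means
 * there is no such process. */
static size_t probe_pids(unsigned *out, size_t max)
{
    size_t n = 0;
    for (unsigned pid = 4; pid < MAX_PIDS; pid += 4) {
        HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
        if (h)
            CloseHandle(h);
        else if (GetLastError() != ERROR_ACCESS_DENIED)
            continue;
        if (n < max)
            out[n++] = pid;
    }
    return n;
}
#endif

/* Constructed sample: PID 1492 is missing from the (hooked) enumeration view
 * but answers the OpenProcess probe. */
size_t demo_constructed(unsigned *hidden, size_t max)
{
    unsigned snapshot[] = { 0, 4, 512, 1200, 1204, 2048 };
    unsigned probe[]    = { 4, 512, 1200, 1204, 1492, 2048 };
    return diff_views(snapshot, 6, probe, 6, hidden, max);
}

unsigned demo_first_hidden(void)
{
    unsigned hidden[8];
    return demo_constructed(hidden, 8) ? hidden[0] : 0;
}

/* Constructed sample where both views agree: nothing is reported. */
size_t demo_clean(void)
{
    unsigned snapshot[] = { 0, 4, 512 }, probe[] = { 4, 512 }, hidden[4];
    return diff_views(snapshot, 3, probe, 2, hidden, 4);
}

int main(void)
{
    static unsigned hidden[MAX_PIDS];
    size_t nh, k;
#ifdef _WIN32
    static unsigned snap[2 * MAX_PIDS], probe[MAX_PIDS];
    size_t ns = enum_toolhelp(snap, MAX_PIDS);
    size_t np = probe_pids(probe, MAX_PIDS);
    ns += enum_toolhelp(snap + ns, MAX_PIDS);  /* second snapshot: a process
        that started or exited during the probe is then not reported */
    nh = diff_views(snap, ns, probe, np, hidden, MAX_PIDS);
#else
    nh = demo_constructed(hidden, MAX_PIDS);
#endif
    for (k = 0; k < nh; k++)
        printf("PID %u answers OpenProcess but is missing from the snapshot\n",
               hidden[k]);
    return 0;
}
```

Two caveats before trusting a hit: a process that has terminated but whose object is kept alive by an open handle still answers OpenProcess() without appearing in the snapshot, so confirm a reported PID by querying it a second time a few seconds later; and a rootkit that filters the kernel side (or, like FU, unlinks its process from the kernel's list) usually hides from OpenProcess() as well, so this only catches the "base they have not covered" case GuitarBob describes.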
GuitarBob
Thanks for that explanation, b0ne. That'll give me something to chew on for a while. It looks like a low-tech scanner needs to devote a lot of effort to identifying RKs before they attach to a system, then.

Regards,