Tuesday, February 22, 2005

SysInternals gets in on the game

I received an IM from a friend of mine tonight informing me of a new tool released on the SysInternals site called RootkitRevealer. According to the write-up, the basic idea of the tool (both the GUI and CLI versions) is to do a comparison of high-level and low-level APIs for accessing the Registry and file system.

I ran the tool on my system and saw a lot of "hidden from Windows API" messages. I need to read through the information about the tool to see what that's all about, but this seems like a step in the right direction. At the very least, it's another tool for the arsenal that the bad guys are going to have to figure out a way around.

3 comments:

Brandon said...

I got the same messages, and if you check out http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml the hackdefender.gif shows the same messages. In the little bit of time I have put into this so far (not much as I just got the tool), I haven't come across anything explaining this yet.

Keydet89 said...

I'd highly recommend adding rootkitrevcons.exe, with the '-c' switch, to your fruc.ini file.

Brandon said...

I just got this on isc.org...

What you are seeing is RootkitRevealer noting NTFS metafiles. Metafiles are listed in the MFT (Master File Table) but are not intended for userspace access, thus are "hidden" from the Windows API. RootkitRevealer identifies discrepancies between low-level access results and API access results, thus can't make any determinations on the integrity of metadata files.
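To make the cross-view comparison described in the post (and the metafile caveat in the last comment) concrete, here is an added example that is not RootkitRevealer's code: it diffs two constructed listings of the same volume, one as the Windows API would report it and one as a raw read of the file system structures would, flags entries present only in the raw view as "hidden from Windows API", and separates out the NTFS metafiles that the isc.org note says are expected to be hidden. The sample paths and the metafile set are assumptions for the example.

```python
import ntpath

# NTFS metafiles recorded in the MFT but not intended for userspace access
# (assumed list for this example; these live in the volume root).
NTFS_METAFILES = {
    "$MFT", "$MFTMirr", "$LogFile", "$Volume", "$AttrDef", "$Bitmap",
    "$Boot", "$BadClus", "$Secure", "$UpCase", "$Extend",
}

def is_ntfs_metafile(path):
    """True only for a known metafile name sitting directly in the volume root."""
    head, tail = ntpath.split(path)
    return tail in NTFS_METAFILES and ntpath.dirname(head) == head

def cross_view_diff(api_view, raw_view):
    """Return sorted (path, verdict) pairs for every discrepancy between views.

    api_view: paths returned by the high-level Windows API.
    raw_view: paths recovered by parsing the on-disk structures directly.
    Windows names compare case-insensitively, so both views are case-folded.
    """
    api = {p.casefold(): p for p in api_view}
    raw = {p.casefold(): p for p in raw_view}
    findings = []
    for key, path in raw.items():
        if key in api:
            continue                       # both views agree: nothing to report
        if is_ntfs_metafile(path):
            findings.append((path, "NTFS metafile (expected discrepancy)"))
        else:
            findings.append((path, "hidden from Windows API"))
    for key, path in api.items():
        if key not in raw:                 # e.g. a file created between the two scans
            findings.append((path, "visible to Windows API but absent from raw view"))
    return sorted(findings)

# Constructed sample listings; sample_hidden.sys and phantom.tmp are made-up names.
API_VIEW = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\temp\phantom.tmp",
]
RAW_VIEW = [
    r"C:\$MFT",
    r"C:\$LogFile",
    r"C:\Windows\System32\KERNEL32.DLL",   # same file as above, only the case differs
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\System32\drivers\sample_hidden.sys",
]

if __name__ == "__main__":
    for path, verdict in cross_view_diff(API_VIEW, RAW_VIEW):
        print(f"{verdict:<48} {path}")
```

Only the "hidden from Windows API" verdicts merit follow-up; the metafile lines are the same expected noise the commenters saw.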