RE: RKDetect - behaviour based rootkit detection (updated)
From: Chris Fontenot (Chris.Fontenot@lamar.edu)
Date: Tue Sep 14 2004 - 16:07:22 CDT
I want to thank the developer of this script. We recently had need for
something just like this and it came in handy. Opened my newbie eyes to
the p0w3r of those who want in your system...
-cfont
-----Original Message-----
From: Harlan Carvey [mailto:keydet89@yahoo.com]
Sent: Friday, September 10, 2004 4:42 PM
To: focus-ms@securityfocus.com
Cc: Frank Knobbe; gordey@itsecurity.ru
Subject: Re: RKDetect - behaviour based rootkit detection (updated)
> That sparks a question though. I assume the answer
> is "yes", but I ask
> anyway. Can you detect rootkits that install
> themselves as a "device" remotely?
It depends on the API calls that are hooked...
> Is it a matter of remotely listing
> Registry keys associated
> with services and devices (which I guess would
> answer my question with a
> yes), or are there other efforts required to
> remotely list devices?
It may be, yes. I think that's what WMI does...most of
the information it obtains (depends on the class, of
course) is pulled right out of the Registry.