I want to thank the developer of this script. We recently had need for
something just like this and it came in handy. Opened my newbie eyes to
the p0w3r of those who want in your system...
-cfont
-----Original Message-----
From: Harlan Carvey [mailto:keydet89 (at) yahoo (dot) com]
Sent: Friday, September 10, 2004 4:42 PM
To: focus-ms (at) securityfocus (dot) com
Cc: Frank Knobbe; gordey (at) itsecurity (dot) ru
Subject: Re: RKDetect - behaviour based rootkit detection (updated)
> That sparks a question though. I assume the answer
> is "yes", but I ask
> anyway. Can you detect rootkits that install
> themselves as a "device" remotely?
It depends on the API calls that are hooked...
> Is it a matter of remotely listing
> Registry keys associated
> with services and devices (which I guess would
> answer my question with a
> yes), or are there other efforts required to
> remotely list devices?
It may be, yes. I think that's what WMI does... most of
the information it obtains (depends on the class, of
course) is pulled right out of the Registry.
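The remote cross-view check Harlan describes above (service and driver keys read from the Registry on one side, WMI's Win32_Service/Win32_SystemDriver on the other), written out as an added PowerShell example. This is not RKDetect's own code and is not from the thread. It assumes the Remote Registry service is running on the target, that the caller holds administrative rights there, and that WMI is reachable over WinRM; the parameter name $ComputerName, the Type-value filter and the output layout are my own choices.

```powershell
# Added example (not RKDetect's code): compare the Registry's view of
# services/drivers on a remote host with WMI's view of the same objects.
# A rootkit that hooks the enumeration API used by one view but not the
# other shows up as an entry present on only one side.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName
)

# 1. Registry view: subkeys of HKLM\SYSTEM\CurrentControlSet\Services,
#    read through the Remote Registry service (assumed to be running).
$hive   = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
              [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
$svcKey = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Services')
$regNames = @{}
foreach ($name in $svcKey.GetSubKeyNames()) {
    $sub  = $svcKey.OpenSubKey($name)
    $type = $sub.GetValue('Type')
    $sub.Close()
    if ($null -eq $type) { continue }          # no Type value: not a loadable entry
    $type = [int]$type
    # SERVICE_KERNEL_DRIVER (0x1), SERVICE_FILE_SYSTEM_DRIVER (0x2),
    # SERVICE_WIN32_OWN_PROCESS (0x10), SERVICE_WIN32_SHARE_PROCESS (0x20).
    # Adapters (0x4) and recognizers (0x8) are not reported by either WMI
    # class, so they are skipped to avoid guaranteed false positives.
    if (($type -band 0x3) -or ($type -band 0x30)) {
        $regNames[$name.ToLower()] = $type
    }
}
$svcKey.Close(); $hive.Close()

# 2. WMI view: user-mode services plus kernel drivers, queried remotely.
$wmiNames = @{}
foreach ($cls in 'Win32_Service', 'Win32_SystemDriver') {
    Get-CimInstance -ClassName $cls -ComputerName $ComputerName |
        ForEach-Object { $wmiNames[$_.Name.ToLower()] = $cls }
}

# 3. Diff the two views in both directions.
$onlyInRegistry = @($regNames.Keys | Where-Object { -not $wmiNames.ContainsKey($_) })
$onlyInWmi      = @($wmiNames.Keys | Where-Object { -not $regNames.ContainsKey($_) })

"Entries in the Registry but not in WMI on ${ComputerName}: $($onlyInRegistry.Count)"
$onlyInRegistry | Sort-Object | ForEach-Object {
    "  {0} (Type=0x{1:X})" -f $_, $regNames[$_]
}
"Entries in WMI but not in the Registry on ${ComputerName}: $($onlyInWmi.Count)"
$onlyInWmi | Sort-Object | ForEach-Object {
    "  {0} ({1})" -f $_, $wmiNames[$_]
}
```

Run it as `.\Compare-ServiceViews.ps1 -ComputerName HOST` from an account that is an administrator on HOST. A few legitimate mismatches are normal (keys with a driver Type whose binary is absent, or services that exist only in a pending-install state), so treat the output as a list of things to look at, not as verdicts; what matters is an entry that is clearly loaded on the box yet missing from one of the two views. If the target only accepts DCOM rather than WinRM, build the session with `New-CimSession -ComputerName HOST -SessionOption (New-CimSessionOption -Protocol Dcom)` and pass it to `Get-CimInstance -CimSession` instead of `-ComputerName`.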