Network Security NTBugtraq
Re: Hidden Applications and rootkits for Windows

Subject: Re: Hidden Applications and rootkits for Windows
Date: Tue, 1 Mar 2005 18:00:07 +0800
RootkitRevealer by SysInternals is an excellent demonstration of using this 
differential analysis technique to detect hidden objects, but perhaps it is 
easier for rootkits to circumvent this technique than is currently thought - at 
least in this implementation. To perform the 'raw' scanning, RootkitRevealer 
calls CreateFile on "\\.\C:" to open a handle to the drive. Considering the 
current abilities of rootkits it would be fairly trivial for them to intercept 
such calls and prevent a handle from being opened, but there are issues the 
rootkit developer would have to consider such as legitimate programs that need 
to open that handle. Plus, preventing read access would no doubt result in a 
suspicious error message from the program that failed to open the drive, which 
would tip the user off that something wasn't right. However it would stop the 
scan from being used, so the rootkit itself would remain hidden and the scanner 
tool rendered useless.
  
On the related note of PREVENTING rootkit infections, ProcessGuard 
(http://www.diamondcs.com.au/processguard/) has a feature called "Block 
Rootkit/Driver/Service Installation" which allows you to prevent unauthorised 
installation of drivers and services. All of the main rootkits for Windows 
(such as Hacker Defender, fu, and so on) install a driver in order to 'get 
root', so they are easily blocked by this simple but effective method. An 
example of ProcessGuard blocking the installation of the fu rootkit can be seen 
here: http://www.diamondcs.com.au/processguard/index.php?page=attack-rootkits
  
Cheers,
Wayne Langlois
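The post's technical point is the cross-view ("differential") comparison RootkitRevealer performs, and the failure mode it raises: if the raw volume handle cannot be opened, a scanner that simply reports "nothing found" has been neutralised. The script below is an added illustration, not code from the post or from Sysinternals. It reduces the technique to its core: compare a high-level listing (the view obtained through the ordinary file API, which a rootkit can filter) against a low-level listing (what the post describes RootkitRevealer reading through a handle opened on "\\.\C:"), report objects that appear in one view but not the other, and treat an unobtainable raw view as a finding in its own right rather than as a clean result. Both listings and the `load_raw_view` loader are constructed sample data standing in for real API and raw-volume readers.

```python
"""Cross-view (differential) hidden-object detection, reduced to its core.

Added example, not code from the post or from Sysinternals. Two listings of
the same volume are compared: API_VIEW is what the ordinary file API returns
(the layer a rootkit can filter) and RAW_VIEW is what a raw-volume parser
would return. Both are constructed sample data; in a real tool the loaders
would be replaced by the API enumeration and the raw NTFS parse.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class RawViewUnavailable(Exception):
    """Raised when the raw volume handle could not be opened."""


# Constructed sample data: path -> size in bytes.
API_VIEW: Dict[str, int] = {
    r"C:\Windows\notepad.exe": 69120,
    r"C:\Windows\svchost.exe": 14336,
    r"C:\Users\alice\report.docx": 20480,
    r"C:\Windows\System32\drivers\legit.sys": 32768,
}

RAW_VIEW: Dict[str, int] = {
    r"C:\Windows\notepad.exe": 69120,
    r"C:\Windows\svchost.exe": 14848,          # size differs from API view
    r"C:\Users\alice\report.docx": 20480,
    r"C:\Windows\System32\drivers\legit.sys": 32768,
    r"C:\Windows\System32\drivers\hidden.sys": 12288,  # absent from API view
    r"C:\Windows\_rk\config.ini": 512,                 # absent from API view
}


def load_raw_view(handle_ok: bool = True) -> Dict[str, int]:
    """Stand-in for the raw-volume reader (constructed; hypothetical name).

    handle_ok=False simulates the case the post discusses: the handle on the
    raw device is refused, so no low-level listing can be produced.
    """
    if not handle_ok:
        raise RawViewUnavailable("CreateFile on raw device failed (access denied)")
    return dict(RAW_VIEW)


@dataclass
class ScanResult:
    raw_view_ok: bool
    hidden: List[str] = field(default_factory=list)      # raw only
    phantom: List[str] = field(default_factory=list)     # API only
    mismatched: List[str] = field(default_factory=list)  # both, metadata differs
    notes: List[str] = field(default_factory=list)

    def suspicious(self) -> bool:
        """A blocked raw scan counts as suspicious, not as a clean result."""
        return (not self.raw_view_ok) or bool(self.hidden or self.phantom or self.mismatched)


def differential_scan(api_view: Dict[str, int],
                      raw_loader: Callable[[], Dict[str, int]]) -> ScanResult:
    """Compare the two views and classify every discrepancy."""
    try:
        raw_view = raw_loader()
    except RawViewUnavailable as exc:
        # The defensive point from the post: surface the failure loudly.
        return ScanResult(raw_view_ok=False,
                          notes=[f"raw view unavailable: {exc}; scan could not be completed"])

    api_paths, raw_paths = set(api_view), set(raw_view)
    result = ScanResult(raw_view_ok=True)
    result.hidden = sorted(raw_paths - api_paths)
    result.phantom = sorted(api_paths - raw_paths)
    result.mismatched = sorted(p for p in api_paths & raw_paths
                               if api_view[p] != raw_view[p])
    return result


if __name__ == "__main__":
    ok = differential_scan(API_VIEW, load_raw_view)
    print("hidden:", ok.hidden)
    print("mismatched:", ok.mismatched)
    denied = differential_scan(API_VIEW, lambda: load_raw_view(handle_ok=False))
    print("blocked scan suspicious:", denied.suspicious(), denied.notes)
```

The classification matters for a defender: a path present only in the raw view is the classic hidden-file signature, a metadata mismatch can indicate on-the-fly filtering of attributes, and the `raw_view_ok=False` branch is what separates a scanner that has been silenced from one that found nothing.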
