RootkitRevealer
RootkitRevealer is an advanced rootkit detection tool made by Sysinternals (acquired by Microsoft in 2006)
Introduction
RootkitRevealer is an advanced rootkit detection utility. It runs
on Windows NT 4 and higher and its output lists Registry and file
system API discrepancies that may indicate the presence of a
user-mode or kernel-mode rootkit. RootkitRevealer successfully
detects all persistent rootkits published at www.rootkit.com,
including AFX, Vanquish and HackerDefender (note: RootkitRevealer is
not intended to detect rootkits like Fu that don't attempt to hide
their files or registry keys). If you use it to identify the
presence of a rootkit please let us know!
The reason that there is no longer a command-line version is that
malware authors have started targeting RootkitRevealer's scan by
matching on its executable name. We've therefore updated
RootkitRevealer to execute its scan from a randomly named copy of
itself that runs as a Windows service. This type of execution is not
conducive to a command-line interface. Note that you can still use
command-line options to execute an automatic scan with results logged
to a file, which is the equivalent of the command-line version's
behavior.
How RootkitRevealer Works
Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with that at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry's on-disk storage format). Thus, rootkits, whether user mode or kernel mode, that manipulate the Windows API or native API to remove their presence from a directory listing, for example, will be seen by RootkitRevealer as a discrepancy between the information returned by the Windows API and that seen in the raw scan of a FAT or NTFS volume's file system structures.
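The comparison described above, reduced to its core, as an added example (this is not RootkitRevealer's own code): a high-level view and a low-level view of the same objects are diffed, and anything present in one but not the other, or present in both with different data, is reported. The two views here are constructed dictionaries standing in for a Windows API listing and a raw NTFS/hive scan; the hidden-name prefix, the paths, the timestamps and the discrepancy labels are all made up for the example. The same diff applies unchanged to the on-line versus off-line comparison discussed further down, since it only needs two views of the same namespace.

```python
"""Cross-view comparison on constructed data (added example, not
RootkitRevealer's code).  The views are hand-built dictionaries standing
in for a Windows API listing and a raw on-disk scan."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Entry:
    """One file or Registry value as captured by a single view."""
    size: int                      # bytes on disk / length of value data
    mtime: float                   # last-write time, seconds since epoch
    digest: Optional[str] = None   # content hash when the view recorded one


@dataclass(frozen=True)
class Discrepancy:
    path: str
    description: str


def hooked_api_view(raw: Dict[str, Entry],
                    hidden_prefixes: Iterable[str]) -> Dict[str, Entry]:
    """Simulate what a hooked enumeration API returns: a persistent rootkit
    that drops every name beginning with one of its prefixes from listings.
    (Constructed stand-in for a hooked FindNextFile/RegEnumValue.  The raw
    scan is unaffected because it never goes through the hooked API.)"""
    hidden = tuple(p.lower() for p in hidden_prefixes)
    return {path: e for path, e in raw.items()
            if not path.rsplit("\\", 1)[-1].lower().startswith(hidden)}


def cross_view_diff(high: Dict[str, Entry], low: Dict[str, Entry],
                    scan_start: float) -> List[Discrepancy]:
    """Diff the high-level (Windows API) view against the low-level (raw
    on-disk) view.  Three kinds of discrepancy are reported:
      - in the raw view but not the API view: what a file- or
        Registry-hiding rootkit looks like;
      - in the API view but not the raw view: usually something created or
        deleted between the two passes, which is why an idle system is
        recommended;
      - in both, but with differing size or content: the API is returning
        altered data.
    One-sided entries whose timestamp is later than scan_start are annotated
    as possible churn rather than dropped, so a rootkit cannot clear itself
    just by touching its own timestamps."""
    findings: List[Discrepancy] = []
    for path in sorted(set(high) | set(low)):
        hi, lo = high.get(path), low.get(path)
        if hi is None or lo is None:
            only = lo if hi is None else hi
            desc = ("Hidden from Windows API" if hi is None
                    else "Visible in Windows API but not in raw scan")
            if only.mtime > scan_start:
                desc += " (changed after scan start; possible transient activity)"
            findings.append(Discrepancy(path, desc))
        elif hi.size != lo.size or (hi.digest and lo.digest
                                    and hi.digest != lo.digest):
            findings.append(Discrepancy(
                path, "Data mismatch between Windows API and raw scan "
                      f"(api size={hi.size}, raw size={lo.size})"))
    return findings


SCAN_START = 1_700_000_000.0   # constructed timestamp of the API pass

RAW_VIEW: Dict[str, Entry] = {   # constructed raw scan; digests are fake
    r"C:\Windows\System32\kernel32.dll": Entry(1_000_000, SCAN_START - 86_400, "aa"),
    r"C:\Windows\System32\drivers\rk_hide.sys": Entry(24_576, SCAN_START - 3_600, "bb"),
    r"C:\Windows\System32\rk_config.ini": Entry(512, SCAN_START - 3_600, "cc"),
    r"HKLM\SOFTWARE\Example\ServiceDll": Entry(64, SCAN_START - 7_200, "dd"),
}

# The hooked API hides everything named "rk_*" ...
API_VIEW = hooked_api_view(RAW_VIEW, ["rk_"])
# ... lies about one Registry value's data (digest "ee" instead of "dd") ...
API_VIEW[r"HKLM\SOFTWARE\Example\ServiceDll"] = Entry(64, SCAN_START - 7_200, "ee")
# ... and the API pass also saw a temp file that was gone before the raw pass.
API_VIEW[r"C:\Windows\Temp\tmp1234.tmp"] = Entry(128, SCAN_START + 5)


def demo() -> List[Discrepancy]:
    """Run the comparison on the constructed views."""
    return cross_view_diff(API_VIEW, RAW_VIEW, SCAN_START)


if __name__ == "__main__":
    for d in demo():
        print(f"{d.path}\n    {d.description}")
```

The hook only filters what passes through the API, so the two hidden "rk_" entries and the rewritten value surface as discrepancies, while the temp file is reported but annotated as likely churn; that annotation is the reason the page asks for an idle system rather than a quiet one.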
Can a Rootkit hide from RootkitRevealer
It is theoretically possible for a rootkit to hide from RootkitRevealer. Doing so would require intercepting RootkitRevealer's reads of Registry hive data or file system data and changing the contents of the data such that the rootkit's Registry data or files are not present. However, this would require a level of sophistication not seen in rootkits to date. Changes to the data would require both an intimate knowledge of the NTFS, FAT and Registry hive formats, plus the ability to change data structures such that they hide the rootkit, but do not cause inconsistent or invalid structures or side-effect discrepancies that would be flagged by RootkitRevealer.
Is there a sure-fire way to know of a rootkit's presence
In general, not from within a running system. A kernel-mode
rootkit can control any aspect of a system's behavior so information
returned by any API, including the raw reads of Registry hive and
file system data performed by RootkitRevealer, can be compromised.
While comparing an on-line scan of a system with an off-line scan
from a secure environment, such as a boot into a CD-based operating
system installation, is more reliable, rootkits can target such tools
to evade detection even by them.
The bottom line is that there will never be a universal rootkit
scanner, but the most powerful scanners will be on-line/off-line
comparison scanners that integrate with antivirus.
Using RootkitRevealer
RootkitRevealer requires that the account from which it is run be
assigned the Backup files and directories, Load drivers and
Perform volume maintenance tasks (on Windows XP and higher)
privileges. The Administrators group is assigned these privileges by
default. In order to minimize false positives, run RootkitRevealer on
an idle system: exit all applications and keep the system otherwise
idle during the scanning process, since files and Registry data that
change between the Windows API pass and the raw pass show up as
discrepancies.
Download
Click here to download RootkitRevealer for free
