How To Identify Hidden Processes In Windows (Rootkits)

It’s one thing to detect evil processes running on a Linux system; it’s quite another to detect them when they’re hidden from the system itself. A rootkit does just that. It runs one, or several, processes and hides them from the system so they become undetectable.

I’ve recently shared how to detect bad processes if they’re not hidden on a Linux system, but how do you go about discovering processes that are inherently hidden from you on a Windows device?

Back in 2008, ProcL (with a guide on ScanIT.net) looked like a neat solution to this particular problem. Both that tool and its host site have since disappeared from the web, so if you land here today, reach for Microsoft’s own Sysinternals RootkitRevealer instead. It’s old (Mark Russinovich built it for 32-bit Windows XP / Server 2003), but Microsoft still hosts it, and the detection principle below is exactly the one it uses. Here’s a little excerpt of the original ScanIT article on the idea.

Hiding a process is particularly threatening because it represents some malicious code running on your system that you are completely unaware of. Process hiding has a significant effect. Many of the trojan, virus, spyware, and rootkit writers use similar techniques to hide themselves and stay undetected as long as possible on target machines. Finding all the ways a rootkit might hide a process is just the first step in defending against the rootkits. Detecting hidden objects is a promising new area in rootkit detection. It is necessary to have protection against the hidden processes, if you want to stay secured. Many of the antivirus and antispyware manufacturing companies are falling back as they are not able to come up with any solutions for hidden processes. There are only a few tools which can detect hidden processes, but are you willing to pay them a considerable amount of money?

The idea is to scan your system for any kind of security leaks by examining each kernel object in detail (EPROCESS, ETHREADS, HANDLES, JOBS). RootkitRevealer takes the same cross-view approach: it compares the high-level Windows API view of your files and registry against a raw, low-level read of the disk and hive, and flags anything that’s visible in one but hidden in the other. That mismatch is the rootkit.
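To make the cross-view idea concrete for processes, here is a small added example (my own illustration, not code from ScanIT, ProcL or RootkitRevealer). The comparison itself is pure and runs anywhere on two constructed PID lists; the two collectors that build the real views are Windows-only and use the documented Win32 calls EnumProcesses (the API view) and OpenProcess with PROCESS_QUERY_LIMITED_INFORMATION on every PID (the low-level probe). The trick the probe relies on is that a process object a rootkit has unlinked from the API enumeration can still be opened by PID, and that an ERROR_ACCESS_DENIED result proves the object exists just as well as a successful open does. The scan ceiling `max_pid` and the sample PID values are assumptions of this example.

```python
"""Cross-view hidden-process check (added example, not from the original post).

High-level view : PIDs reported by the Windows API (EnumProcesses).
Low-level view  : PIDs that answer when probed directly with OpenProcess.
Hidden          : present in the low-level view, absent from the API view.
"""
import sys
from dataclasses import dataclass

# Real Win32 constants used by the Windows-only collectors below.
ERROR_ACCESS_DENIED = 5            # process exists, we just may not open it
ERROR_INVALID_PARAMETER = 87       # no process object with that PID
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000


@dataclass(frozen=True)
class CrossViewResult:
    hidden: frozenset    # in low-level view only: candidate rootkit-hidden PIDs
    phantom: frozenset   # in API view only: usually processes that exited mid-scan


def cross_view(api_view, low_view):
    """Pure comparison of two PID collections; this is the whole detection logic."""
    api = frozenset(api_view)
    low = frozenset(low_view)
    return CrossViewResult(hidden=low - api, phantom=api - low)


def confirm_hidden(first: CrossViewResult, second: CrossViewResult):
    """Process churn between snapshots causes one-off mismatches; a PID that is
    hidden in two independent rounds is the one worth investigating."""
    return first.hidden & second.hidden


def collect_api_view():
    """High-level view via psapi!EnumProcesses. Windows only."""
    import ctypes
    from ctypes import wintypes
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    count = 4096
    while True:
        arr = (wintypes.DWORD * count)()
        needed = wintypes.DWORD()
        if not psapi.EnumProcesses(arr, ctypes.sizeof(arr), ctypes.byref(needed)):
            raise ctypes.WinError(ctypes.get_last_error())
        if needed.value < ctypes.sizeof(arr):        # buffer was big enough
            pids = arr[: needed.value // ctypes.sizeof(wintypes.DWORD)]
            return {p for p in pids if p != 0}        # PID 0 cannot be opened
        count *= 2                                   # grow and retry


def collect_low_view(max_pid=0x40000):
    """Low-level view: probe every PID with OpenProcess. Windows only.
    max_pid is an assumed scan ceiling; Windows PIDs are multiples of 4."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    found = set()
    for pid in range(4, max_pid, 4):
        handle = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
        if handle:
            k32.CloseHandle(handle)
            found.add(pid)
        elif ctypes.get_last_error() == ERROR_ACCESS_DENIED:
            found.add(pid)                           # exists, merely protected
        # ERROR_INVALID_PARAMETER (and anything else) => treat as absent
    return found


# Constructed sample views standing in for a real scan: PID 3204 answers the
# probe but is missing from the API list, i.e. what a hidden process looks like.
CONSTRUCTED_API_VIEW = [4, 372, 1048, 2500]
CONSTRUCTED_LOW_VIEW = [4, 372, 1048, 2500, 3204]


def demo(api_view=CONSTRUCTED_API_VIEW, low_view=CONSTRUCTED_LOW_VIEW):
    """Run the comparison twice on the same constructed data and return the
    confirmed hidden PIDs plus the phantom set from the first round."""
    first = cross_view(api_view, low_view)
    second = cross_view(api_view, low_view)
    return sorted(confirm_hidden(first, second)), sorted(first.phantom)


if __name__ == "__main__":
    if sys.platform == "win32":
        rounds = [cross_view(collect_api_view(), collect_low_view()) for _ in range(2)]
        print("confirmed hidden PIDs:", sorted(confirm_hidden(*rounds)))
        print("phantom (churn) PIDs :", sorted(rounds[0].phantom))
    else:
        print("not Windows; constructed demo ->", demo())
```

On a real machine expect a few phantom PIDs from processes that exit between the API snapshot and the slower brute-force probe; that is why the scan is done twice and only PIDs hidden in both rounds are reported. A PID that survives that filter is worth a closer look, but it is evidence of a mismatch, not proof of malware: check it against a second low-level source before acting.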

Other tools used to be around as well, such as DeepMonitor (now only available via the Wayback Machine). And if you’re interested in a good read about Windows security, with specific detail on rootkits and trojans (complete with screenshots and nice hints), there’s a not-to-miss article that has since moved to TechGenix: Hidden Backdoors, Trojan Horses and Rootkit Tools in a Windows Environment.

Note: I had no experience whatsoever with ProcL or DeepMonitor when I wrote this, but the idea was cool and sounded like it could be worth something. Please share any comments you might have, or any user experience.