RootRepeal - Rootkit Detector
RootRepeal is a new rootkit detector currently in public beta. It is designed with the following goals in mind:
Easy to use - a user with little to no computer experience should be able to use it.
Powerful - it should be able to detect all publicly available rootkits.
Stable - it should work on as many different system configurations as possible, and, in the event of an incompatibility, not crash the host computer.
Safe - it will not use any rootkit-like techniques (hooking, etc.) to protect itself.
Currently, RootRepeal includes the following features:
Driver Scan - scans the system for kernel-mode drivers. Displays all drivers currently loaded, and shows if a driver has been hidden, and whether the driver's file is visible on-disk.
Files Scan - scans any fixed drive on the system for hidden, locked or falsified* files.
Processes Scan - scans the system for processes. Displays all processes currently running, and shows if a processes is hidden or locked.
SSDT Scan - shows whether any of the functions in the System Service Descriptor Table (SSDT) are hooked.
Stealth Objects Scan - attempts to determine if any rootkits are active by looking for typical symptoms.
Hidden Services Scan - scans for hidden system services.
Shadow SSDT Scan - counterpart to the SSDT Scan, but deals mostly with graphics and window-related functions.
* - falsified files are files which have their size mis-reported to the Windows API. Some rootkits use this to hide data.
PR: 4