RootkitRevealer is an advanced rootkit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects many persistent rootkits including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys).

Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with that at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry's on-disk storage format).

Thus, rootkits, whether user mode or kernel mode, that manipulate the Windows API or native API to remove their presence from a directory listing, for example, will be seen by RootkitRevealer as a discrepancy between the information returned by the Windows API and that seen in the raw scan of a FAT or NTFS volume's file system structures.
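The cross-view comparison described above, reduced to its core as an added example (not Sysinternals code): one listing taken through the Windows API and one parsed from the raw volume or hive are compared after case folding, and entries present in only one view are reported. The listings, paths and key names here are constructed samples; on a real system they would come from API enumeration and from an NTFS or hive-file parser.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Discrepancy:
    namespace: str  # "file system" or "Registry"
    path: str
    kind: str       # which view is missing the entry


def normalize(path: str) -> str:
    # NTFS paths and Registry key names are case-insensitive, so fold case
    # and strip trailing separators so the two views compare like for like.
    return path.rstrip("\\").casefold()


def cross_view(api_view, raw_view, namespace):
    """Report entries present in one view but not the other."""
    api = {normalize(p): p for p in api_view}
    raw = {normalize(p): p for p in raw_view}
    findings = []
    for key in sorted(raw.keys() - api.keys()):
        # Present on disk or in the hive but omitted by the API: the
        # signature of a file- or key-hiding rootkit.
        findings.append(Discrepancy(namespace, raw[key], "hidden from Windows API"))
    for key in sorted(api.keys() - raw.keys()):
        # Returned by the API but absent from the raw scan: usually an
        # entry created or deleted between the two passes.
        findings.append(Discrepancy(namespace, api[key], "visible to Windows API but not in raw scan"))
    return findings


# Constructed sample listings (not real scan output). The raw scan sees a
# driver and a service key that the API enumeration omits; the API sees a
# temp file the raw pass did not, as happens when a file is created between
# the two passes. The "placeholder" names are invented for this example.
API_FILES = [r"C:\Windows\System32\drivers\ntfs.sys", r"C:\Windows\Temp\scan.tmp"]
RAW_FILES = [r"C:\WINDOWS\System32\Drivers\NTFS.SYS",
             r"C:\Windows\System32\drivers\placeholder_hidden.sys"]
API_KEYS = [r"HKLM\SYSTEM\CurrentControlSet\Services\Ntfs"]
RAW_KEYS = [r"HKLM\SYSTEM\CurrentControlSet\Services\Ntfs",
            r"HKLM\SYSTEM\CurrentControlSet\Services\PlaceholderHidden"]


def scan_sample():
    return (cross_view(API_FILES, RAW_FILES, "file system")
            + cross_view(API_KEYS, RAW_KEYS, "Registry"))


if __name__ == "__main__":
    for d in scan_sample():
        print(f"{d.namespace}: {d.path}: {d.kind}")
```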