Author Topic: IDEA: File lister  (Read 4163 times)
BinderDundat
Supporting Member
Posts: 31
« on: November 02, 2007, 12:46:45 AM »

I know that this is fairly trivial - boring even - but let me explain the purpose.  With a list of files on the hard drive, you can discover RootKits.  First, run the lister under your normal boot O/S.  Then boot to a CD or key drive and run it again.  RootKits stealth their files so that they are not seen by normal scans by AV programs, but that means that they do not show up on a normal file list.  But, if the same list is created using an O/S that is not infected from a CD or key drive, the files will be on that list.  Ideally, the list would be in the form Drive:\Directory\FileName.Ext and the list would be saved as a text file.  In a perfect world, the utility would have the ability to compare the lists and generate a difference list.  I seem to have picked up a fairly mean rootkit somewhere - it has crashed IceSword and prevented the new Comodo Firewall from completely installing.  I have also had trouble running Sysinternals' Autoruns, so I will have to do this in a fairly elementary fashion.
app103
Global Moderator
Posts: 5,020
« Reply #1 on: November 02, 2007, 01:05:15 AM »

If you are looking to find & remove a rootkit, there are at least 3 free tools to find & remove them:


Read all instructions & documentation very carefully before use.

PhilB66
Supporting Member
Posts: 1,510
« Reply #2 on: November 02, 2007, 01:27:57 AM »

A list of Rootkit Detection & Removal Software.
jgpaiva
Global Moderator
Posts: 4,710
« Reply #3 on: November 02, 2007, 01:56:31 PM »

I see what you mean, and you are right about its use.

It's easy!:
dir /s > out.txt

That'll save a listing of every file/folder under the current and sub-folders to the file named "out.txt".

Then, run a diff of those ;)

BinderDundat
Supporting Member
Posts: 31
« Reply #4 on: November 03, 2007, 01:26:21 PM »

Thanks for all the suggestions.  I had the idea that there was a problem due to three things:  a new piece of software reported .dll's that were supposedly in the C:\documents and settings\Admin\Local Settings\Temp folder that I did not find when I looked using Explorer - so I thought it might be stealthed .dll's.  I ran Ice Sword and did a log and reboot but that program failed to start up after that due to an initialization error, so I was starting to worry.  I found nothing with Process Explorer, but a well-stealthed root kit might not show with that.  I then ran Rootkit Revealer and found two keys with embedded nulls and a key that Revealer could not access.  I booted with a PE disk and looked at the \Temp folder again and saw a .dll file, but with a different name than the ones reported before.  I tried using the Regdelnull (Sysinternals) file on the registry and used the remote registry editor to look at the result.  Well, the inaccessible key turned out to be a SCSI driver key, with an owner name that was a long string of numbers.  I could not delete the key, but I was able to edit the key's values and I renamed the .sys file that it pointed to (no SCSI connections on my system, so I was not worried).  The owner string probably refers to a system ID for SCSI devices, but I didn't need to take the chance that it was dangerous, so I nuked it.  Turns out the file was harmless according to Virustotal's scan.  The keys with embedded nulls are apparently legitimate??!!!  If you see a Rootkit Revealer report that shows:
HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\SAC
HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\SAI
as keys with embedded nulls, they are probably not a problem (although a rootkit that used those keys would be a real problem, because Regdelnulls doesn't touch it).  After a few more checks, I think that it was a false alarm, but I was beginning to think that I had an unknown rootkit, especially when I had crash problems with Sysinternals' Autoruns when I referred listed items to Process Explorer.  Anyway, thanks again, especially for your suggestion, jgpaiva.
belkira
Member
Posts: 52
« Reply #5 on: November 06, 2007, 11:06:08 AM »

An AHK script to list every file in the given directory and all its subdirectories. So if you want to know every file on your C drive, tell it to search C:\.
It also tells you when the file was created and last modified, as well as its file size. It is set up to dump the data into an Excel format for easier reading.

;
; AutoHotkey Version: 1.x
; Language:       English
; Platform:       Win9x/NT
; Author:         A.N.Other <myemail@nowhere.com>
;
; Script Function:
; Lists every file under a chosen folder (recursively) with its creation time,
; modification time and size, appended as tab-separated rows to an .xls file
; on the desktop that Excel opens directly.
;

#NoEnv  ; Recommended for performance and compatibility with future AutoHotkey releases.
SendMode Input  ; Recommended for new scripts due to its superior speed and reliability.

OutFile = %A_Desktop%\%A_UserName%_Files.xls
; FileDelete %OutFile%  ; uncomment to start a fresh file on every run

IfNotExist, %OutFile%  ; write the header row only when the file does not exist yet
{
FileAppend,
(
Path`tFile Name`tExtension`tTime Created`tTime Modified`tFile Size (bytes)`n
), %OutFile%
}

FileList =  ; always start from an empty list (the original's stray Else made this conditional)
FileSelectFolder, SearchFolder,, 0, Select the folder to scan
if ErrorLevel  ; the dialog was cancelled, nothing to scan
    ExitApp
SearchFolder := RegExReplace(SearchFolder, "\\$")  ; Remove the trailing backslash, if present.

; Recurse (last parameter = 1) through files only, one tab-separated line per file.
Loop, %SearchFolder%\*.*,, 1
    FileList = %FileList%%A_LoopFileDir%`t%A_LoopFileName%`t%A_LoopFileExt%`t%A_LoopFileTimeCreated%`t%A_LoopFileTimeModified%`t%A_LoopFileSize%`n
Sort, FileList  ; Sort by path (the first field).

Loop, parse, FileList, `n
{
    if A_LoopField =  ; Omit the last linefeed (blank item) at the end of the list.
        continue
    StringSplit, FileItem, A_LoopField, %A_Tab%  ; Split into the six tab-separated fields.
    FormatTime, Created, %FileItem4%, MM/dd/yyyy   ; append 'at' h:mm tt for a time of day
    FormatTime, Modified, %FileItem5%, MM/dd/yyyy
    FileAppend,
    (
%FileItem1%`t%FileItem2%`t%FileItem3%`t%Created%`t%Modified%`t%FileItem6%`n
    ), %OutFile%
}
MsgBox Done!
BinderDundat
Supporting Member
Posts: 31
« Reply #6 on: November 14, 2007, 12:04:21 AM »

Looks like a winner!  I have determined that it was a false alarm, but a tool for comparing file listings (I'll let Excel find the differences) is a great way to discover hidden rootkit files.  Thanks again!
PhilB66
Supporting Member
Posts: 1,510
« Reply #7 on: November 18, 2007, 12:15:19 AM »

Check out FileMap. Also mentioned in this thread:
http://www.donationcoder....topic=734.msg4425#msg4425

f0dder
Charter Honorary Member
Posts: 8,774
« Reply #8 on: November 18, 2007, 07:11:49 AM »

A simple file list isn't enough though, you'll also need to enumerate NTFS alternate streams...

- carpe noctem
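The two-listing comparison that jgpaiva's `dir /s > out.txt` suggestion (Reply #3) relies on, extended with f0dder's point (Reply #8) that NTFS alternate data streams have to be enumerated as well, as an added example in Python. This is not code from anyone in the thread; the `build`/`diff` subcommands, the `online.txt`/`offline.txt` file names and the constructed demo tree are assumptions of this example. Two design points that a plain `dir /s` gets wrong: `dir` skips files with the hidden or system attribute unless `/a` is given, whereas `os.walk` lists them all; and paths are stored relative to the scanned root because the disk usually mounts under a different drive letter when booted from a CD or key drive, so absolute `Drive:\...` paths would never diff cleanly. ADS enumeration uses the documented kernel32 `FindFirstStreamW`/`FindNextStreamW` calls and is skipped on non-Windows platforms.

```python
"""Inventory a directory tree and diff two inventories (added example, not thread code)."""
import ctypes
import os
import sys
import tempfile


def list_streams(path):
    """[(stream_name, size)] for the alternate data streams of `path`; Windows only,
    via kernel32 FindFirstStreamW/FindNextStreamW.  The unnamed "::$DATA" is skipped."""
    if sys.platform != "win32":
        return []                                  # no ADS concept elsewhere
    from ctypes import wintypes

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", wintypes.LARGE_INTEGER),
                    ("cStreamName", wintypes.WCHAR * (wintypes.MAX_PATH + 36))]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = wintypes.HANDLE
    k32.FindFirstStreamW.argtypes = [wintypes.LPCWSTR, ctypes.c_int, ctypes.c_void_p, wintypes.DWORD]
    k32.FindNextStreamW.restype = wintypes.BOOL
    k32.FindNextStreamW.argtypes = [wintypes.HANDLE, ctypes.c_void_p]
    k32.FindClose.argtypes = [wintypes.HANDLE]
    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle == ctypes.c_void_p(-1).value:                        # INVALID_HANDLE_VALUE
        return []
    streams = []
    try:
        while True:
            if data.cStreamName != "::$DATA":
                streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return streams


def build_inventory(root):
    """Map each file under `root` (path relative to root, '/' separated) to
    "size<TAB>mtime"; each ADS gets a "file:stream:$DATA" entry of its own."""
    inventory = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                                   # deterministic order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                st = os.lstat(full)
            except OSError as err:                        # unreadable is still a finding
                inventory[rel] = f"ERROR {err.errno}"
                continue
            inventory[rel] = f"{st.st_size}\t{int(st.st_mtime)}"
            for stream_name, size in list_streams(full):
                inventory[rel + stream_name] = f"{size}\t{int(st.st_mtime)}"
    return inventory


def write_listing(inventory, path):
    with open(path, "w", encoding="utf-8") as fh:
        fh.writelines(f"{key}\t{inventory[key]}\n" for key in sorted(inventory))


def read_listing(path):
    with open(path, encoding="utf-8") as fh:
        lines = (line.rstrip("\n") for line in fh)
        return dict(line.partition("\t")[::2] for line in lines if line)


def diff_inventories(online, offline):
    """(only_offline, only_online, changed): entries the clean-boot listing has
    but the running OS did not show are the rootkit candidates."""
    only_offline = sorted(k for k in offline if k not in online)
    only_online = sorted(k for k in online if k not in offline)
    changed = sorted(k for k in online if k in offline and online[k] != offline[k])
    return only_offline, only_online, changed


def demo():
    """Constructed run: the 'online' view hides one driver and misreports one file."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("a.txt", "b.dll", "sub/c.exe", "sub/hidden.sys"):
            full = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"x" * len(rel))
        offline = build_inventory(tmp)                   # clean boot media sees everything
        online = {k: v for k, v in offline.items() if k != "sub/hidden.sys"}
        online["a.txt"] = "5\t0"                          # running OS reports a stale mtime
        write_listing(online, os.path.join(tmp, "online.txt"))
        write_listing(offline, os.path.join(tmp, "offline.txt"))
        return diff_inventories(read_listing(os.path.join(tmp, "online.txt")),
                                read_listing(os.path.join(tmp, "offline.txt")))


if __name__ == "__main__":
    if len(sys.argv) == 4 and sys.argv[1] == "build":
        write_listing(build_inventory(sys.argv[2]), sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "diff":
        labels = ("only in offline listing (possibly hidden)", "only in online listing", "metadata differs")
        for label, items in zip(labels, diff_inventories(read_listing(sys.argv[2]), read_listing(sys.argv[3]))):
            print(f"== {label}: {len(items)}\n" + "\n".join("  " + i for i in items))
    else:
        print(demo())
```

Run `python inventory.py build C:\ online.txt` from the installed Windows, then from the boot CD or key drive with the same disk mounted (typically under another letter) `python inventory.py build D:\ offline.txt`, and finally `python inventory.py diff online.txt offline.txt`. The first group of the report is what the opening post is after; ADS entries show up in the form `file:streamname:$DATA`. The online run can still be lied to by a rootkit that filters what the listing process sees, which is exactly why the offline listing, not the online one, is the reference.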