Author Topic: IDEA: File lister  (Read 4867 times)

BinderDundat

IDEA: File lister
« on: November 02, 2007, 12:46:45 AM »
I know that this is fairly trivial - boring even - but let me explain the purpose.  With a list of files on the hard drive, you can discover RootKits.  First, run the lister under your normal boot O/S.  Then boot to a CD or key drive and run it again.  RootKits stealth their files so that they are not seen by normal scans by AV programs, but that means that they do not show up on a normal file list.  But, if the same list is created using an O/S that is not infected from a CD or key drive, the files will be on that list.  Ideally, the list would be in the form Drive:\Directory\FileName.Ext and the list would be saved as a text file.  In a perfect world, the utility would have the ability to compare the lists and generate a difference list.  I seem to have picked up a fairly mean rootkit somewhere - it has crashed IceSword and prevented the new Comodo Firewall from completely installing.  I have also had trouble running Sysinternals' Autoruns, so I will have to do this in a fairly elementary fashion.

app103

Re: IDEA: File lister
« Reply #1 on: November 02, 2007, 01:05:15 AM »
If you are looking to find & remove a rootkit, there are at least 3 free tools to find & remove them:

Read all instructions & documentation very carefully before use.

PhilB66

Re: IDEA: File lister
« Reply #2 on: November 02, 2007, 01:27:57 AM »

jgpaiva

Re: IDEA: File lister
« Reply #3 on: November 02, 2007, 01:56:31 PM »
I see what you mean, and you are right about its use.

It's easy!:
Code:
dir /s > out.txt

That'll save a listing of every file/folder under the current and sub-folders to the file named "out.txt".

Then, run a diff of those ;)

BinderDundat

Re: IDEA: File lister
« Reply #4 on: November 03, 2007, 01:26:21 PM »
Thanks for all the suggestions.  I had the idea that there was a problem due to three things:  a new piece of software reported .dll's that were supposedly in the C:\documents and settings\Admin\Local Settings\Temp folder that I did not find when I looked using Explorer - so I thought it might be stealthed .dll's.  I ran IceSword and did a log and reboot but that program failed to start up after that due to an initialization error, so I was starting to worry.  I found nothing with Process Explorer, but a well-stealthed root kit might not show with that.  I then ran Rootkit Revealer and found two keys with embedded nulls and a key that Revealer could not access.  I booted with a PE disk and looked at the \Temp folder again and saw a .dll file, but with a different name than the ones reported before.  I tried using the Regdelnull (Sysinternals) file on the registry and used the remote registry editor to look at the result.  Well, the inaccessible key turned out to be a SCSI driver key, with an owner name that was a long string of numbers.  I could not delete the key, but I was able to edit the key's values and I renamed the .sys file that it pointed to (no SCSI connections on my system, so I was not worried).  The owner string probably refers to a system ID for SCSI devices, but I didn't need to take the chance that it was dangerous, so I nuked it.  Turns out the file was harmless according to Virustotal's scan.  The keys with embedded nulls are apparently legitimate??!!!  If you see a Rootkit Revealer report that shows:
HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\SAC
HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\SAI
as keys with embedded nulls, they are probably not a problem (although a rootkit that used those keys would be a real problem, because Regdelnull doesn't touch it).  After a few more checks, I think that it was a false alarm, but I was beginning to think that I had an unknown rootkit, especially when I had crash problems with Sysinternals' Autoruns when I referred listed items to Process Explorer.  Anyway, thanks again, especially for your suggestion jgpaiva.

belkira

Re: IDEA: File lister
« Reply #5 on: November 06, 2007, 11:06:08 AM »
An AHK script to list every file in the given directory and all its subdirectories. So if you want to know every file on your C drive, tell it to search C:\.
It also tells you when the file was created and last modified as well as its file size. It is set up to dump the data into an Excel format for easier reading.

Code:

;
; AutoHotkey Version: 1.x
; Language:       English
; Platform:       Win9x/NT
;
; Script Function:
;   Lists every file under a chosen folder (recursively) with its creation
;   time, modification time and size, as a tab-separated .xls on the desktop.
;

#NoEnv ; Recommended for performance and compatibility with future AutoHotkey releases.
SendMode Input ; Recommended for new scripts due to its superior speed and reliability.

OutFile = %A_Desktop%\%A_UserName%_Files.xls
; FileDelete %OutFile%  ; Uncomment to start a fresh list on every run instead of appending.

; Write the header row only when the output file does not exist yet.
IfNotExist, %OutFile%
{
    FileAppend,
(
Path`tFile Name`tExtension`tTime Created`tTime Modified`tFile Size (bytes)`n
), %OutFile%
}

FileList =
FileSelectFolder, SearchFolder,,0,Select the folder to scan
if SearchFolder =  ; The user cancelled the folder dialog.
    ExitApp
SearchFolder := RegExReplace(SearchFolder, "\\$")  ; Removes the trailing backslash, if present.

; Third parameter = 1 recurses into subfolders; one tab-separated line is collected per file.
Loop, %SearchFolder%\*.*,, 1
    FileList = %FileList%%A_LoopFileDir%`t%A_LoopFileName%`t%A_LoopFileExt%`t%A_LoopFileTimeCreated%`t%A_LoopFileTimeModified%`t%A_LoopFileSize%`n
Sort, FileList  ; Sorts by path, so the files of each folder end up together.

Loop, parse, FileList, `n
{
    if A_LoopField =  ; Omit the last linefeed (blank item) at the end of the list.
        continue
    StringSplit, FileItem, A_LoopField, %A_Tab%  ; Split into the six tab-separated fields.
    FormatTime, Created, %FileItem4%, MM/dd/yyyy ; 'at' h:mm tt
    FormatTime, Modified, %FileItem5%, MM/dd/yyyy ; 'at' h:mm tt
    FileAppend,
(
%FileItem1%`t%FileItem2%`t%FileItem3%`t%Created%`t%Modified%`t%FileItem6%`n
), %OutFile%
}
MsgBox Done!

BinderDundat

Re: IDEA: File lister
« Reply #6 on: November 14, 2007, 12:04:21 AM »
Looks like a winner!  I have determined that it was a false alarm, but a tool for comparing file listings (I'll let excel find the differences) is a great way to discover hidden rootkit files.  Thanks again!

PhilB66

Re: IDEA: File lister
« Reply #7 on: November 18, 2007, 12:15:19 AM »
Check out FileMap. Also mentioned in this thread:
http://www.donationc...=734.msg4425#msg4425


f0dder

Re: IDEA: File lister
« Reply #8 on: November 18, 2007, 07:11:49 AM »
A simple file list isn't enough though, you'll also need to enumerate NTFS alternate streams...
- carpe noctem
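The cross-view check this thread describes (the original post's live-boot versus clean-boot listings, jgpaiva's `dir /s` output, and f0dder's point that alternate streams must be enumerated too), as an added example that is not code from any poster: a Python parser for `dir /s /r` output that records each file and each named stream beneath it, then reports what the clean-boot listing shows that the live listing does not. The two listings are constructed samples in US-locale `dir` format, and the `/r` switch is assumed to be the Vista-and-later one that prints alternate data streams.

```python
import re

# Constructed samples of `dir /s /r` output (US-locale dates), not captured
# from a real machine. /r prints each alternate data stream on its own line
# beneath its host file, so a listing without it misses f0dder's case.
LIVE_LISTING = """\
 Directory of C:\\Temp

11/02/2007  12:46 AM    <DIR>          .
11/02/2007  12:46 AM    <DIR>          ..
11/02/2007  12:40 AM             4,096 notes.txt
"""
CLEAN_BOOT_LISTING = """\
 Directory of C:\\Temp

11/02/2007  12:46 AM    <DIR>          .
11/02/2007  12:46 AM    <DIR>          ..
11/02/2007  12:40 AM             4,096 notes.txt
                                12,288 notes.txt:payload.exe:$DATA
11/01/2007  11:59 PM            49,152 svchosts.dll
"""

DIR_HEADER = re.compile(r"^ Directory of (.+)$")
FILE_LINE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+(?:[\d,]+|<DIR>)\s+(.+)$")
STREAM_LINE = re.compile(r"^\s+[\d,]+ (.+):(.+):\$DATA$")


def parse_dir_listing(text: str) -> set[str]:
    """Return Drive:\\Dir\\Name entries, plus Name:stream for alternate data
    streams, lowercased because NTFS names are case-insensitive."""
    entries: set[str] = set()
    cwd = ""
    for line in text.splitlines():
        if m := DIR_HEADER.match(line):
            cwd = m.group(1).rstrip("\\")          # folder for the lines that follow
        elif (m := STREAM_LINE.match(line)) and cwd:
            entries.add(f"{cwd}\\{m.group(1)}:{m.group(2)}".lower())
        elif (m := FILE_LINE.match(line)) and cwd and m.group(1) not in (".", ".."):
            entries.add(f"{cwd}\\{m.group(1)}".lower())
    return entries


def cross_view_diff(live: str, clean: str) -> dict[str, set[str]]:
    """Entries the clean boot sees but the live OS does not are the suspects;
    the reverse set is usually just files the running system creates itself."""
    live_set, clean_set = parse_dir_listing(live), parse_dir_listing(clean)
    return {"hidden_from_live": clean_set - live_set,
            "only_in_live": live_set - clean_set}
```

Save each `dir /s /r` run to a text file and pass the two files' contents to `cross_view_diff`; anything in `hidden_from_live` is what the live system is not showing you.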