Free download - Rootkit analyzer

[Carol Haynes]

I'm just downloading this freebie. It will becaome part of a commercial release later on but is free at the moment.

Resplendence write some good stuff - I can really recommend their Registry Manager as a replacement to Regedit. It has excellent fast seach functions and registry bookmarking. It can also defrag your registry and backup/restore your entire registry amongsth lots of other features (like remote editing ...). There is also a free lit version to download.

Here is a screenshot of the RootKit Analyzer. It detects where NTKernal hooks havebeen intercepted and displays these 'hooks' with where they are linked to and the name of the software/program producer. Its a useful display, and far easier to interpret than other rootkit detectors I have seen. Definitely worth a look.

[f0dder]

Looks pretty interesting - another tool of the trade would be http://www.sysintern...RootkitRevealer.html . Sysinternals tools are simply invaluable, and I have a load of them installed by default with my unattended CD.

[Carol Haynes]

Yes, I have tried the sysinternals one, but I think the results are easier to interpret in this one.

[f0dder]

Well, they're two different tools; one checks for registry and file mismatches (sysinternals), the other for kernel hooks. You really should use both to check for errors, although I'd say kernel hooks are more serious than some of the other discrepancies.

None of the tools are foolproof, though - there are more stealthy methods available than "direct" hooking

[Carol Haynes]

Quite correct ... the trouble I have with the sysinternals program is that the output seems almost inpenertable if you aren't an expert in the registry.

On my system it reports a couple of files are different, but I have no way of knowing what made them different or if they actually need to be different versions. They could for example have been updated by Microsoft Update since the last SysInternals update.

[f0dder]

Quite correct ... the trouble I have with the sysinternals program is that the output seems almost inpenertable if you aren't an expert in the registry.

On my system it reports a couple of files are different, but I have no way of knowing what made them different or if they actually need to be different versions. They could for example have been updated by Microsoft Update since the last SysInternals update.

-CarolHaynes (November 14, 2005, 04:42 PM)

Hm, could you post an example of your output? I know a few apps like Daemon-Tools try to hide some of it's registry entries so it won't get detected by games etc., but generally if there's discrepancies it might mean trouble. You could also PM me a RKR log if you don't feel like putting it on the forum...

[Carol Haynes]

Here is my output from SysInternals RevealRootKit, I don't think there is any sensitive data on display here (if there is let me know and I will edit the message to remove it!):

[Select]

HKLM\SOFTWARE\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}\{60F18D06-2547-D7B5-3F6FEAC167531534}\{03821BF4-A5A3-BF72-1BF7DBE36D239A74}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{0A2C6EC6-E1BC-9BF5-B3F7D282645EFB0F}\{C08E0694-C5E1-48EE-3ACF6A24AC2BF796}\{A9549B8D-B7EF-15E1-4BD44DC35FFCD192}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{1159B246-0933-86DB-AD593C3CB7051897}\{4B332D01-174C-E53B-FFAF1A8AAD861E31}\{3A54BA3C-24AD-210D-6C7EF9C90D2B01E7}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{11B5C8DC-3FEA-1682-D4F0355518481497}\{414E0745-768E-27E6-1A22BEEA50FFC306}\{0F77990A-A8C5-E83C-A2DEB9098A2A23DE}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{3749AA95-0B95-97D6-573EA782D1087389}\{140D5DD1-4454-9D01-1A62C863EE2D72CA}\{AFBD57C5-0E25-C0E9-BB318052A3DC6730}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{41499515-FE1F-2B25-9CCAFA7C1BD1CD4F}\{E760D6E7-B184-EBBF-DA510F4FC9719600}\{4E25D3C0-199C-C2DC-33A6CFCC543E6F29}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:01
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{4233ADD3-CD31-D295-804BA870321FDEF4}\{F4A8E5F3-7E68-2DD0-FA9D328203A7D1A7}\{07380252-9142-5EC5-94F639FC4AE64832}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:01
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{4E801B1F-2C34-C71B-55752B4DE71FAE4A}\{6707E13D-DFA5-4083-2A160A7F601D7F5F}\{38345692-AD4C-2D4A-1F4885FC450939AB}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{6041C420-22B4-140A-3B055037524C6B59}\{9A77D18C-4DFD-83C2-41C1A5F44022B903}\{B579578C-D2DD-BD46-01C9D6D000184189}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:01
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{60778762-8BE2-5BE8-74B1F534DECE7DD7}\{033814D8-F5F0-69C3-B63A6822FA3F97AC}\{BB1878CD-9C66-F7AC-793F8981AF2E0354}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:01
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{61A3D62A-E669-8B2B-95B7C505631D6590}\{1D71893B-0DD3-8FF9-31AA9E7B284EB027}\{CF9E2073-5E5A-1B13-96346A906352FBBE}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:01
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{8FD8A5D7-9511-025F-16B31A5B051F5A4D}\{7F4BC209-0230-7A50-936F3704F4AD01D8}\{4F172B6C-B722-D8DB-046FD06C67D2EAC6}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:01
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{90C9B227-00E9-ED2B-D8335C00663422E2}\{BA143829-6513-6AB3-17B76E63BBBF825B}\{B7811D8F-B091-6828-D848878685722533}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{A211FD50-104A-552A-E783321B77B5C9DA}\{4E700FFC-D5B6-D24A-08D9C51A05E3FA14}\{72F82311-8741-4D82-9043D22F7FAD5282}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:01
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{AD212F18-226F-19C5-6836DC0F322A8CD1}\{165CDB28-57BC-2FFB-C17032E84F1598CE}\{1D773DA2-1E07-1A59-CFCCE9D8E9744932}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{BE08C2D3-409A-BA9A-CCC3BF5A93C4C5B2}\{31E0C4F5-10D2-2559-BD8FA6F8E4FD42BD}\{0C75E684-EF64-45D0-854DEF6D927DBB7D}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:01
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{BF11F383-757D-CF48-6D213AC2BB6130AD}\{12507465-D6D8-AFB1-97ED5D21195D77D5}\{90E47118-DD98-E716-1AABCD138C042D55}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:01
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{C925DBC2-2F83-42AD-B0CBB854A5BF695B}\{7C26F213-28FC-ED62-CBDE7EE0F1CEF59B}\{619A38BB-0D53-1157-F7C7CBB2EE20607F}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{CD33F05B-57D8-EB8D-1C637C8E18479BDE}\{4B66B287-DF55-8BF6-0C7A245C073DF874}\{2B094E66-D192-13E4-CB3BD0799FCAC2FC}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{D891502B-DC36-B293-121D9D2985957827}\{239EA7E9-C7D1-EF13-CC952A60F4AD7A0B}\{9E7939D5-CFE3-7B10-257B198232E2E5B7}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{E20DD46F-0CC4-5960-1B1F69E13D145F9C}\{B130274E-D0E8-282B-E7F07B1EE1210709}\{71D795F0-66AF-00D6-EF71DCAC5CDD95C3}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:01
   Size:        0 bytes
HKLM\SOFTWARE\Classes\CLSID\{EDCF6AC6-CDE0-1F6D-043771A983FAB740}\{0B884C8F-0AAB-F925-A63B97C7F3A43931}\{965D33BD-6599-2D1D-7E8A152D666CAEE5}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:01
   Size:        0 bytes
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed:
   Description: Data mismatch between Windows API and raw hive data.
   Date:        15/11/2005 01:26
   Size:        4 bytes
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\UDC\EventMessageFile:
   Description: Data mismatch between Windows API and raw hive data.
   Date:        25/05/2005 08:47
   Size:        59 bytes
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\UDC\CategoryMessageFile:
   Description: Data mismatch between Windows API and raw hive data.
   Date:        25/05/2005 08:47
   Size:        59 bytes
HKLM\SYSTEM\ControlSet002\Services\Eventlog\Application\UDC\EventMessageFile:
   Description: Data mismatch between Windows API and raw hive data.
   Date:        25/05/2005 08:47
   Size:        59 bytes
HKLM\SYSTEM\ControlSet002\Services\Eventlog\Application\UDC\CategoryMessageFile:
   Description: Data mismatch between Windows API and raw hive data.
   Date:        25/05/2005 08:47
   Size:        59 bytes
C:\$AttrDef:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        2.50 KB
C:\$BadClus:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        0 bytes
C:\$BadClus:$Bad:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        45.00 GB
C:\$Bitmap:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        1.41 MB
C:\$Boot:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        8.00 KB
C:\$Extend:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        0 bytes
C:\$Extend\$ObjId:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:01
   Size:        0 bytes
C:\$Extend\$Quota:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:01
   Size:        0 bytes
C:\$Extend\$Reparse:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:01
   Size:        0 bytes
C:\$Extend\$UsnJrnl:
   Description: Hidden from Windows API.
   Date:        23/03/2005 09:48
   Size:        0 bytes
C:\$Extend\$UsnJrnl:$Max:
   Description: Hidden from Windows API.
   Date:        23/03/2005 09:48
   Size:        32 bytes
C:\$LogFile:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        64.00 MB
C:\$MFT:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        244.16 MB
C:\$MFTMirr:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        4.00 KB
C:\$Secure:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        0 bytes
C:\$UpCase:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        128.00 KB
C:\$Volume:
   Description: Hidden from Windows API.
   Date:        27/12/2004 02:00
   Size:        0 bytes

[f0dder]

Seems like you either have an old version of RKR, or have "hide standard NTFS metadata files" unchecked (that's why it shows files like $Volume etc - these are part of how NTFS manages the disk and can be safely ignored). The "Key name contains embedded nulls" seems a bit weird, but since those nulls are only located at the end of the names, this seems like a typical off-by-one error in somebody's registry handling code rather than malicious purpose.

The line related to Prefetcher\TracesProcessed doesn't seem dangerous either, the prefetcher runs all the time (unless you have disabled it ), and has probably done some work between the time where RKR uses the windows API to get the reg value, and the time where it manually parses the registry hive file.

Dunno about the UDC\* lines, but they seem harmless enough considering their location.

I'm a bit curious which components or whatever those null-char-embdeed CLSIDs are referring to, even if they probably aren't malicious or anything

[Carol Haynes]

I'm a bit curious which components or whatever those null-char-embdeed CLSIDs are referring to, even if they probably aren't malicious or anything

Yes - trouble is how do you find out? If I use a registry editor they don't seem to show up (presumably there is an end of string marker at the end of the visible section)

[f0dder]

Hm, is it just the "end" part (ie, the bold part of HKLM\SOFTWARE\Classes\CLSID\{E20DD46F-0CC4-5960-1B1F69E13D145F9C}\{B130274E-D0E8-282B-E7F07B1EE1210709}\{71D795F0-66AF-00D6-EF71DCAC5CDD95C3}*) that doesn't show up, or is it the whole "folder"?

If it's just the end part, you could try using regedit to export, for example, HKLM\SOFTWARE\Classes\CLSID\{E20DD46F-0CC4-5960-1B1F69E13D145F9C} + subkeys to a .reg file and put it here, perhaps key/value data in there has something to tell (especially keys like InProcServer32, since they point to executable code).

[Carol Haynes]

OK. I took the first entry in the output abouv and exported the whole key:


Here is the log entry:

[Select]

HKLM\SOFTWARE\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}\{60F18D06-2547-D7B5-3F6FEAC167531534}\{03821BF4-A5A3-BF72-1BF7DBE36D239A74}*:
   Description: Key name contains embedded nulls (*)
   Date:        01/11/2005 10:02
   Size:        0 bytes

and here is the exported key HKLM\SOFTWARE\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}:

[Select]

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}\{60F18D06-2547-D7B5-3F6FEAC167531534}]

It is somewhat odd that the last leaf "{03821BF4-A5A3-BF72-1BF7DBE36D239A74}" doesn't appear in the exported RegFile at all!! Although it does appear in the registry editor. I have checked the permissions set on the key and they seem to be set to allow everyone on the system full control. It does however appear in red (in Resplendent Registry Manager) which means:

Why some registry keys in my registry appear in red ?
These are system critical keys which are normally only accessible from the System account.

Even more oddly the 'last leaf' appears twice (!!!) in Windows RegEdit ???? (see second graphic) and exports as:

[Select]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}\{60F18D06-2547-D7B5-3F6FEAC167531534}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}\{60F18D06-2547-D7B5-3F6FEAC167531534}\{03821BF4-A5A3-BF72-1BF7DBE36D239A74}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0461F6B6-066E-9BE4-35A30E37E302FE67}\{60F18D06-2547-D7B5-3F6FEAC167531534}\{03821BF4-A5A3-BF72-1BF7DBE36D239A74}]

Just to check further I did a hex dump of the exported files (see graphics - sdump from Registrar RM, sdump3 from RegEdit).

The values following {03821BF4-A5A3-BF72-1BF7DBE36D239A74} seem to be ] and alternation OA OD which are just line feed, carriage return characters - but that may just be function of exporting to a reg file.

Is there any way to see a hex dump of a section of the registry?

[f0dder]

Hm, unless there's some other hiding thingamajig going on, I'll just attribute this weirdness to buggy software doing it's registry writes in a silly way . Pretty weird that all the keys are empty though. You could try posting about this at the sysinternals RKR forum, see if anybody there has a clue.