I should have figured it is packed. I presume you used the ollydmp plugin? I have some experience with unpacking, namely Vbox-style packers that obfuscate the IAT. If this is the case here, perhaps you should look into a tool like ImpRec?
To actually get back on Perl, I believe basic RR copycat functionality is possible. At the very least, for finding files that aren't shown as a result of API hooking, you can use the "remote view" trick. It is all about accessing regular resources (files) remotely, like from a shared disk.
The idea is to use a local Perl script that generates an internal treeish representation of the filesystem structure, even NTFS metadata (File::Find and Win32::File possibly). Then, run from another machine in the LAN (or experiment with Perl from within a VM, YMMV) the same set of code, only now reading the initial machine's mapped-over drive. Compare the results, and voila, every file found in the second run has possibly been hidden from view by a rootkit. I say possibly because Windows by default hides certain files either way from local view.
I hope it makes some sense.
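The cross-view check described in the post above, written out as an added example (this is not the poster's code or RootkitRevealer's). It uses File::Find as suggested, but records size, mtime and mode from lstat instead of NTFS attributes via Win32::File, so it runs on any platform; the hypothetical `snapshot` and `compare_views` functions and the temporary directory with a constructed `hidden.sys` entry standing in for a hooked-away file are all assumptions of the example. In real use you would run `snapshot` once on the suspect machine and once against the same tree through a mapped share, then feed the two results to `compare_views`.

```perl
#!/usr/bin/perl
# Added example (not from the thread): cross-view rootkit check in Perl.
# snapshot() walks a directory tree and records per-file metadata;
# compare_views() reports files visible in one view but not the other.
use strict;
use warnings;
use File::Find;
use File::Spec;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Walk $root and return a hashref: relative path => "size:mtime:mode".
# Run this once locally (the possibly API-hooked view) and once against
# the same tree exposed as a mapped network drive (the remote view). The
# root paths differ between the two runs, so keys are made relative.
sub snapshot {
    my ($root) = @_;
    my %tree;
    find({
        no_chdir => 1,
        wanted   => sub {
            my $abs = $File::Find::name;
            return if $abs eq $root;
            my @st = lstat $abs or return;   # skip entries that vanish mid-walk
            my $rel = File::Spec->abs2rel($abs, $root);
            $rel =~ s{\\}{/}g;               # normalise separators so drive and UNC paths compare
            # $st[7] = size, $st[9] = mtime, $st[2] = mode bits
            $tree{$rel} = join ':', $st[7], $st[9], sprintf('%04o', $st[2] & 07777);
        },
    }, $root);
    return \%tree;
}

# Compare two snapshots. Returns a hashref with three sorted lists:
#   hidden  - present remotely, absent locally (rootkit candidate, or a file
#             Windows hides from local view anyway; review by hand)
#   missing - present locally, absent remotely (share scope or permissions)
#   changed - present in both but metadata differs
sub compare_views {
    my ($local, $remote) = @_;
    my %r = (hidden => [], missing => [], changed => []);
    for my $p (sort keys %$remote) {
        if (!exists $local->{$p}) {
            push @{ $r{hidden} }, $p;
        }
        elsif ($local->{$p} ne $remote->{$p}) {
            push @{ $r{changed} }, $p;
        }
    }
    for my $p (sort keys %$local) {
        push @{ $r{missing} }, $p unless exists $remote->{$p};
    }
    return \%r;
}

# Demo on a constructed tree (no network share needed): the "remote" view
# sees everything; the "local" view has one entry deleted to stand in for
# a file hidden by API hooking.
sub demo {
    my $dir = tempdir(CLEANUP => 1);
    make_path("$dir/Windows/System32");
    for my $f ("$dir/Windows/System32/drivers.txt", "$dir/Windows/System32/hidden.sys") {
        open my $fh, '>', $f or die "$f: $!";
        print $fh "constructed sample content";
        close $fh;
    }
    my $remote = snapshot($dir);
    my %local  = %$remote;
    delete $local{'Windows/System32/hidden.sys'};   # simulate the hooked local view
    my $res = compare_views(\%local, $remote);
    for my $kind (qw(hidden missing changed)) {
        printf "%-8s %s\n", $kind, join(', ', @{ $res->{$kind} }) || '-';
    }
    return $res;
}

demo() unless caller;
```

Running the demo lists `Windows/System32/hidden.sys` under `hidden` and nothing under the other two headings. As the post notes, a hit in `hidden` is a lead rather than proof: legitimately hidden or system files and share-scope differences show up the same way, so the list is what you inspect next, not a verdict.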
I'll give the tool a try. But as far as different methods of detecting a RK, I of course have done remote analysis and in general for a decently adept computer guy finding them is not the issue, even without great tools such as RR. The trick is how to make a tool like RR that allows even a novice to know whether or not they are compromised, and of course have that tool be free & open, and in Perl!, or I'd even settle for being wrapped by Perl. But I think first I need to learn about things I have not done before like accessing the disk directly.