Re^3: raw file system and registry data

I should have figured it is packed. I presume you used the ollydmp plugin? I have some experience with unpacking, namelly Vbox-style packers that obfuscate the IAT. If this is the case here, perhaps you should look into a tool like ImpRec?

To actually get back on Perl, i believe basic RR copycat functionality is possible. At the very least, for finding files that aren't shown as a result of API hooking, you can use the "remote view" trick. It is all about accessing regular resources (files) remotelly, like from a shared disk.

The idea is to use a local Perl script that generates an internal treeish representation of the filesystem structure, even NTFS metadata (File::Find and Win32::File possibly). Then, run from another machine in the LAN (or experiment with Perl from within a VM, YMMV) the same set of code, only now reading the initial machine's maped-over drive. Compare the results, and voila, every file found in the second run has possibly been hidden from view by a rootkit. I say possibly because Windows by default hides certain files either way from local view.

I hope it makes some sense.

Comment on Re^3: raw file system and registry data

Replies are listed 'Best First'.
Re^4: raw file system and registry data by ketema (Scribe) on Dec 02, 2005 at 14:35 UTC
I'll give the tool a try. But as far as different methods of detecting a RK, I of course have done remote analyzation and in general for a decently adept computer guy finding them is not the issue, even without great tools such as RR. The trick is how to make a tool like RR that allows even a noveice to know whether or not they are compromised, and of course have that tool be free & open, and in perl!, or I'd even settle for being wrapped by perl. But i think first I need to learn about things I have not done before like accessing the disk directly	[reply]

Replies are listed 'Best First'.

Re^4: raw file system and registry data
by ketema (Scribe) on Dec 02, 2005 at 14:35 UTC

[reply]