吾爱破解 - LCG - LSG | Android Cracking | Virus Analysis | www.52pojie.cn


Views: 4691 | Replies: 1

RkUnhooker2.0_src

zzage posted on 2008-9-30 12:20
Service Descriptor Table State Monitoring/Restoring
Hidden Processes Detector (ultimate, powered by Stealth Engine)
Hidden Drivers Detector (powerful, powered by DnG Core)
System Call Hook Detection
Ability to Generate Report

Note: a small number of BSODs were reported when the "Unhook" functions were used.

RkU contains super code that can be used only if "Run Always" is enabled.

RkU requires Administrator privileges to run and work.

When "Run Always" is enabled, RkU will work in Safe Mode.

SSDT Hooks Detector/Restorer
Hidden Processes Detector
Hidden Drivers Detector
Report

Here is a description of each of them.



SSDT Hooks Detector/Restorer

To put it in user-friendly terms: the System Service Descriptor Table is the place where the system stores pointers to the main system functions. Some kernel-mode rootkits use the following technique: they replace the actual address of a function in this table with the address of their own handler function. Some commercial software also uses this technique; for example, Panda Antivirus hooks the NtTerminateProcess function to prevent termination of antivirus executables. Agnitum Outpost does the same and additionally hooks NtWriteVirtualMemory to protect users from the malware technique known as code injection. Alcohol/Daemon Tools CD emulation software hooks registry-related functions to defeat DRM.



RkU can show you the actual state of the SSDT, show which functions (also called services in MS terminology) are hooked, and unhook them. When RkU unhooks, it replaces the hooked addresses with the original ones.



Hidden Processes Detector

The main purpose of a rootkit is to hide itself from the user. Some rootkits hide their executables from the API, so standard process monitoring tools like Task Manager and Process Explorer can't see them. RkU uses an ultimate process detection engine that shows you everything.



Hidden Drivers Detector

Rootkits also hide their own drivers to prevent the user from removing them. RkU is powered by a special core that can detect hidden drivers.



Report

When you are asking for help, it is very useful to provide a report of your system state. This page gives you that possibility.

Attachment: RkUnhooker2[1].0_src.zip

71 KB, downloads: 27, download credits: 吾爱币 -1 CB
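As an added, self-contained illustration of the detect-and-restore logic the SSDT section above describes (this is not part of the posted RkU source): a user-mode C model of a service table in which a trusted baseline snapshot is compared with the live entries, each difference is reported together with whether the new address falls outside the kernel image, and the original addresses are written back. The table contents, addresses, kernel image range and function names are all constructed for the demo.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an SSDT: an array of service routine addresses.
   Every address and the kernel image range below is a made-up value. */
#define NUM_SERVICES 4
#define KERNEL_BASE 0x80400000u  /* hypothetical ntoskrnl load address */
#define KERNEL_SIZE 0x00200000u  /* hypothetical ntoskrnl image size */

/* Trusted snapshot of the original entries (a real scanner would derive
   these from the on-disk kernel image; here they are hard-coded). */
const uint32_t baseline_table[NUM_SERVICES] = {
    0x80501000u, 0x80502000u, 0x80503000u, 0x80504000u };

/* Table as observed in memory: entry 1 points into a third-party driver,
   entry 3 is inside the kernel image but no longer at the original routine. */
uint32_t live_table[NUM_SERVICES] = {
    0x80501000u, 0xF7A01230u, 0x80503000u, 0x80505550u };

/* Range heuristic: a service pointing outside the kernel image is almost
   certainly hooked. Returns 1 if outside, 0 otherwise. */
int outside_kernel(uint32_t addr) {
    return addr < KERNEL_BASE || addr >= KERNEL_BASE + KERNEL_SIZE;
}

/* Compare live entries with the baseline; indexes of differing entries go
   to hooked[] (caller provides room for n). Returns how many differ. */
int detect_hooks(const uint32_t *live, const uint32_t *base, size_t n, int *hooked) {
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        if (live[i] == base[i]) continue;
        printf("service %zu hooked: %08" PRIx32 " -> %08" PRIx32 " (%s kernel image)\n",
               i, base[i], live[i], outside_kernel(live[i]) ? "outside" : "inside");
        hooked[count++] = (int)i;
    }
    return count;
}

/* "Unhook": write the original address back over every modified entry.
   Returns the number of entries restored. */
int restore_hooks(uint32_t *live, const uint32_t *base, size_t n) {
    int restored = 0;
    for (size_t i = 0; i < n; i++)
        if (live[i] != base[i]) { live[i] = base[i]; restored++; }
    return restored;
}
```

Note that the baseline comparison flags entry 3 even though the range heuristic alone would miss it, which is why comparing against the original addresses is the more reliable check.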


Hmily posted on 2008-9-30 12:55
RkU is open source too, a very powerful anti-hacking tool!