First published on TechNet on Oct 31, 2005

Last week when I was testing the latest version of […] (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden (see my […] article from the June issue of Windows IT Pro Magazine for more information on rootkits). The RKR results window reported a hidden directory, several hidden device drivers, and a hidden application:

Given the fact that I'm careful in my surfing habits and only install software from reputable sources I had no idea how I'd picked up a real rootkit, and if it were not for the suspicious names of the listed files I would have suspected RKR to have a bug. […] to look for evidence of code that would activate the rootkit each boot, but I came up empty with both tools. I next turned to […] that lets you explore the internals of a live system using the Microsoft kernel debugger, to determine what component was responsible for the cloaking. Rootkits that hide files, directories and Registry keys can either execute in user mode by patching Windows APIs in each process that applications use to access those objects, or in kernel mode by intercepting the associated kernel-mode APIs.
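The user-mode variant described in the last sentence, and the kind of cross-view check that lets a scanner such as RKR notice entries the API no longer reports, as an added example in C. This is not code from the original post or from any Sysinternals tool: the directory listing, the `hide_` cloaking prefix and every function name are constructed for illustration, and the hook is a plain function pointer standing in for a patched API entry point rather than a real in-process patch.

```c
/*
 * Added illustration (not code from the original post or from RootkitRevealer):
 * a user-mode "API patch" rootkit is modelled as a hook installed in front of a
 * directory-enumeration routine, and the cross-view check a rootkit detector
 * performs is modelled as a comparison between the hooked (API) view and the
 * raw (on-disk) view. The directory contents and the "hide_" prefix are
 * constructed sample data; nothing here touches a real file system.
 */
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16

/* Constructed sample: what a raw read of the directory structures returns. */
static const char *RAW_LISTING[] = {
    "ntoskrnl.exe", "hide_driver.sys", "drivers", "hide_app.exe", "readme.txt"
};
static const size_t RAW_COUNT = sizeof RAW_LISTING / sizeof RAW_LISTING[0];

/* Assumed cloaking rule of the hypothetical rootkit: hide names with this prefix. */
static const char *CLOAK_PREFIX = "hide_";

/* Shape of a hook that may be patched in front of the enumeration API.
 * Returns 1 if the entry should be reported to the caller, 0 if dropped. */
typedef int (*entry_filter_fn)(const char *name);

/* The patched-in user-mode hook: drop any entry matching the cloak prefix. */
static int rootkit_hook(const char *name)
{
    return strncmp(name, CLOAK_PREFIX, strlen(CLOAK_PREFIX)) != 0;
}

/* The "API view": what an application sees through the enumeration API,
 * optionally with a hook patched in. Returns the number of entries written. */
static size_t api_enumerate(entry_filter_fn hook, const char *out[], size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < RAW_COUNT && n < max; i++) {
        if (hook == NULL || hook(RAW_LISTING[i]))
            out[n++] = RAW_LISTING[i];
    }
    return n;
}

/* The "raw view": bypass the API entirely and read the structures directly. */
static size_t raw_enumerate(const char *out[], size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < RAW_COUNT && n < max; i++)
        out[n++] = RAW_LISTING[i];
    return n;
}

/* Cross-view comparison: every raw entry absent from the API view is reported
 * as hidden. Returns the number of hidden entries; their names go to hidden[]. */
static size_t cross_view_diff(const char *api[], size_t api_n,
                              const char *raw[], size_t raw_n,
                              const char *hidden[], size_t max)
{
    size_t h = 0;
    for (size_t i = 0; i < raw_n && h < max; i++) {
        int seen = 0;
        for (size_t j = 0; j < api_n; j++)
            if (strcmp(raw[i], api[j]) == 0) { seen = 1; break; }
        if (!seen)
            hidden[h++] = raw[i];
    }
    return h;
}

/* Run the scan with or without the hook installed; returns hidden-entry count. */
size_t scan_for_hidden(int hook_installed, const char *hidden[], size_t max)
{
    const char *api[MAX_ENTRIES], *raw[MAX_ENTRIES];
    size_t api_n = api_enumerate(hook_installed ? rootkit_hook : NULL, api, MAX_ENTRIES);
    size_t raw_n = raw_enumerate(raw, MAX_ENTRIES);
    return cross_view_diff(api, api_n, raw, raw_n, hidden, max);
}

int main(void)
{
    const char *hidden[MAX_ENTRIES];
    size_t n = scan_for_hidden(1, hidden, MAX_ENTRIES);
    printf("%zu hidden entries:\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  %s\n", hidden[i]);
    return 0;
}
```

With the hook installed the two views disagree on exactly the cloaked names, which is the discrepancy a cross-view scanner reports; with no hook they agree and nothing is flagged. A kernel-mode rootkit that intercepts the underlying kernel API would fool this particular comparison too, because both views would then pass through the same intercepted path, which is why a raw read has to go below the hooked layer to be useful.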