Publié le par Kareldjag


In this article, we'll try to provide free prevention and detection measures against the most common Windows rootkits.
Currently, many effective free and paid anti-rootkits security softwares are available on the market, even if Windows is armoured to fight them.

In the first part, we'll summarize the rootkit subject: what they are and how they work.
In the second part, we'll show the most popular of them in action: HackerDefender.
In the last part, we'll try to develop free and paid rootkits countermeasures.


 it's important to note that i'm not a developer; but anyone who is concerned about the security of systems (network manager, systems administrator, security analyst and so on) is ipso facto concerned about rootkits.
I've studied the problem seriously, and these suggested countermeasures are not wild imaginings...
As usual, these coutermeasures are provided as is, with no kind of warranty: read, use and apply at your own risks.

 NB: Links are provided only for information.
It would be really a big work to link any free anti-rookits.
And for paid products, this is not the policy of this blog to make any kind of advertising, or to recommend any product: it's sometimes suggested that a product is more intended for some users (P2P, beginners...).
I've heard that Google and Yahoo are the best linkers...

"Give a saltwater fish to a Man, he'll eat for one day; learn him how to fish, he will eat all his life"


A  short introduction to Rootkits

It's not a virus: not intended to modify files or to cause any damage;
It's not a worm: it does not apply the Bible law (grow, reproduce and spread!);
It's not a spyware, but it can spy its victim;
It has R.A.T, Trojan and backdoor features, but it's much more:
it is a Rootkit.

A few definitions:

-From Wikipedia

-From Microsoft


-SANS1: "A collection of tools (programs) that a hacker uses to mask intrusion and obtain administrator-level access to a computer or computer network."

-NSA2: "A hacker security tool that captures passwords and message traffic to and from a computer.
A collection of tools that allows a hacker to provide a backdoor into a system, collect information on the network, mask the fact that the system is compromised, and much more.
Rootkits is a classic example of trojan horse software.
Rootkit is available for a wide range of operating systems."

-Greg Hoglund: "A set of programs which patch and trojan existing execution paths within the system".

-Saliman Manap3:

 "Rootkit name are combination from two words, "root" and "kit".

"Root" was taken from "root", a name of UNIX administrator, which is the highest-access in UNIX environment while "kit" can be refer as tools.

From this word we can interpret rootkit as tools or collection of tools that enable attacker to keep the root power on the compromised server he/she should hide their presence from being detected by administrator.

This is what actually rootkit do.

So the best meaning we can describe rootkit is it a tool or collection of tools that hide an attacker presence and at the same time give the attacker ability to keep full control the server or host continously without being detected."

My definition: A software package designed to haunt a target host by patching the system in order to hide and preserve attacker's  presence and activities.


It's important to note that Windows rootkits are not designed to gain access on a system: "root" is just the word for the highest level privileges in UNIX systems, as "administrator" is the hightest level privileges in Windows systems.

The attacker must firstly gain access on the target host (by a flaw, a zero day or any other method), and then install the rootkit to hide his presence.
The main target of a rootkit is to keep the door open for future access, and then to allow the intruder to come back by mitigating risks of being detected.

A rootkit is one of the most effective hacker tool to keep the control of a compromised host by being as unseen and undetectable as possible from security softwares, system administrators or network managers.





Windows is a complex operating system, and the kernel is not well documented (native APIs, NTDLL.DLL for instance).

Therefore, many subversions, escalations, exploits or vulnerabilities are still always possible.


Generally, Windows rootkits have the ability to hide:



-files (.txt, .exe, .jpg, .sys etc) and folders,

-registry entries,

-services and drivers,

-ports and connections,

-anyother code or soft included or added in the package like backdoors, keyloggers, sniffers, virus and so on.


Many methods4 are used by rootkits to hide their presence: basics dll injection/infection (Vanquish), API hooking (HackerDefender) or more advanced like kernel data manipulation and memory subversion (FU).

Rootkits are generally classified on two categories from the privilege level they operate:


-User rootkits,

-Kernel rootkits.


An application which operates in Ring 3 has not the same rights as an application which operates in Ring 0.

This is a direct implication of the Microsoft Windows architecture.


-Processor manufacturers (Intel and AMD) architecture has four privileges level (usually called "Ring"),

-but Windows uses only Ring 3/User mode and Ring 0/kernel mode of Intel/AMD architecture.


-User mode: concerns only applications, processes, services...

It's a restricted mode (common APIs from Kernel32.dll and Ntdll.dll; no acess to device drivers and memory).


-kernel mode: concerns all objects (no restrictions) : executive APIs, registry, HAL (hardware abstraction layer) and then access to physical memory, peripherals and hardwares devices.

It is the core of the Operating System.


Rootkits writers take advantage of this architecture: with only two level in used, there is no "secure" area or Ring to separate and protect the kernel functions from being accessed from the user land.

Native APIs are used by the subsystem to communicate wth the kernel area, and by hooking some native APIs which are accessible with Ntdll.dll, a rootkit can have access to the kernel in order to manipulate data, install drivers, hide its presence and finally get the control of all OS functions.


The jump from Ring 3 to Ring 0 is the key for advanced Operating System subterfuges and masquarades, and is also the first goal for most rootkits.

Once in the kernel, the second phase consists in hooking System Call Table like Service Descriptor Table (SSDT),  Interrupt Descriptor Table (IDT), Import Addresses Table (IAT),  Export Addresses Table (EAT), hooking driver dispatch tables, intercept and manipulate kernel data...

This is what common rootkits do, but FU rootkit, certainly one of the most sophisticated, uses Direct Kernel Object Modification or DKOM5: via a device driver or any loadable kernel module, this rootkit has the ability to manipulate and modify objects on the fly and directly in memory, and in this case acts as a Man-in-the-Middle attack.






Since the beginning of computing age, attackers and malwares coders are always looking for the most efficient ways to penetrate and get full control of systems.

A rootkit is certainly one of the most sophisticated tool for an attacker: by hiding its own presence from users, administartors and security softwares, the attacker acts as a ghost on the target machine.

Consequently a rootkit package is not really intended to be used for only one attack (like data theft or destruction ), but mostly for spying objectives for instance.

The first Windows rootkit (NTRootkit) was released by Greg Hoglund in  1999, but rootkits are well known in Unix systems since twenty years.

Being invisible and undetectable in Windows is a challenge for any coder, as it was a challenge to walk on the Moon for physicists and astronomers .

There is no ethical problem for coding rootkits: attacking systems is also a way to improve them!

The problem is more what we do with such tools.

Since 2004, the rootkits danger has generated a real paranoia, is in vogue and then become a real business:


-Greg Hoglund has coded the first Windows rootkit, James/Jamie Butler has coded the most advanced of them (FU), and both are working in the same firm (HBGary), write books and give interviews and conferences about the subject.


-Holy Father, the coder of the most popular rootkit (HackerDefender) said in an interview that he wrote it for fun.

But since a few years, he sells paid and stealthier versions of its rootkit: then it would be more correct to say "originally for fun and now also for profit".

-some web sites take advantage of the rootkit paranoia:
 "you have a rootkit hidden perhaps in FlashRAM or EEPROM; give us your money and we'll get ride of them all!"

Example (visit at your own risk): httt://

On the other side, anti-rootkits softwares have emerged from publishers to take the succession of Tripwire and Pedestal driver protections, but for securing Windows home users systems.

Diamondcs with ProcessGuard was one the first security publisher to take seriously into consideration the rootkit threat for home users.

And other security software have been designed and released to prevent and detect specially rootkits: UnHackMe or RootkitShark for paid ones, RootkitRevealer from Sysinternals, BlackLight and RootkitDetector for free ones.

Computers magazines have done their job to inform people about the subject, and actually, most of aware users know that solutions exist against this nasty threat.




Rootkits can be used legally or not, with or without a physical access to a machine.

- for personal research, education, for anti-rootkits development;

-for hiding files from others users (porn pics and so on)4a,

-for increasing the stealth abilities of a spy software (a basic keylogger hidden by a rootkit can be more stealth than some "invisible keyloggers),

-Script-Kiddies for fun,

- advanced criminal attackers for criminal goals (like cyber extorsions),

-people involved in warez and piracy (hidding files on servers)4a,

- private and government security agencies for spying firms for patent, sensitive and promising technologies (CHINA is well known for that) or potential terrorists and activists,

In fact, anyone can use a rootkit.

And the problem is that we know more who wrote them than who use them.




There is many possibilities to place a rootkit on a system:

-vulnerable machine: the attacker can scan the web for vulnerable computers and servers (open ports, unpatched OS etc) to introduce his rootkit,

-P2P network: the attacker includes his rootkit in a special package (like games), 

-Physical access: the attacker just installs the rootkit on public computers (libraries, Universities, Internet Cafes etc) or on corporate computers by using social enginneering,

-By using a zero day attack (like buffer overflow,  Windows kernel vulnerability and exploitation6 and privileges escalation etc),

- via a link and a  Bot from IRC, ICQ (....)


Generally for a remote installation: more protected and hardened is the target host, more advanced must be the attack.




-NTRootkit7: first Windows rootkit released by Greg Hoglund in 1999.

This rootkit is more a Proof-of-Concept and training tool than a real threat.


-FU: one of the most sophisticated rootkit which uses DKOM (kernel data modification direcly in memory).

If NTRootkit is the baby of Greg Hoglund, FU is the one of James/Jamie Butler, alias Fuzen.

Heavy (2.53 Mo), but can really be used in the wild.


-He4Hook: known as the russian rootkit, open source,  based on hooking, requires a"little skill".


-Vanquish: coded by Xshadow; very light (42.7 ko); based on dll injection/infection.

Mostly a" hider".


-AFXRootkit 2005: the new version of Aphex rootkit; light (263 ko); mostly a "hider".


-HackerDefender: the star of rootkits; coded by Holy Father; light (199 ko) and exhaustive package.

Classified on the top 21 threats by Microsoft.

More info in the second section of this article.


We can also mention:


-EeyeGootRoot: first "BIOS NDIS rootkit backdoor", by the Eeye team.

Can theorically load from any bootable media (CDRom etc), hooks and patch OSLOADER during the boot, and then loads after the Bios but before the OS.

More a Proof-of-Cocept and demonstration tool than a real threat.


-ByShell: the chinese user rootkit backdoor by Baiyuanfan, implement a new technique for hiding TCP connections by hooking asynchronous I/O call.





The first implication of rootkit technologies is that more and more malwares developers implement these technologies in their spywares,, backdoors, keyloggers and spy softwares which consequently become much hardier to detect for scanners programs:

-the SIS team for instance sells a spy software (trojan keylogger) which includes antivirus, firewall and almost anti-rootkits evasion techniques;

- one of the most famous trojan like BackOrifice has been released with some FU rootkit features: malwares are become more and more sophisticated,  malwares coders integrate stealth features in their virus, backdoor (like Lecna), spyware, worm (such as MyPhip) and trojans (like kalshi);

-recently8, Mark Russinovitch has discovered a legal rootkit introduced in SONY DRM protection (more info on his blog here and here): if it is not really a rootkit, it has rootkit functions.
And immediately after, some malwares coders have taken advantage of this DRM protection for a trojan.

But fortunately, it seems that security community efforts contrained SONY to suspend its piracy protection.

And this invasion of rootkit technologies is just a beginning...
We can logically expect that legitimate (with EULA) rootkits will be released by softwares publishers and hardwares manufacturers.

At Blackhat 2005 in Vegas, Sparks and Butler have demonstrated  with Shadow Walker9 how a rootkit can manipulate and modify directly all objects in memory; the EEYE team has shown the first Proof-of-Concept Bios rootkit backdoor (Eeyebootroot) that which has the ability to load from most usual bootable medias.


In a foreseeable future, the next generation of rootkits will certainly colonize peripherical hardwares and Bios areas.

And at the same time, Microsoft will certainly take care10 of this evolution by increasing the architecture of its future OS.

In all cases, the cat and mouse game will continue for a long time...





Most of these references are available as .pdf and .txt papers.

-1 and 2: "Rootkit Analysis and Detection", by Parial and Kumar Singh, Cert .

-3: "Rootkits: Attacker undercover tools", by Saliman Manap.

-4: "API Hooking revealed", by Ivo Ivanov.

"How to become unseen on Windows NT", by Holy Father, Codebreakers-journal.

"Hooking Windows API: Technics of hooking API functions on Windows", by Holy Father, Assembly-journal.

"Concepts fot the Stealth Windows Rootkit (the Chameleon project)", by Joanna Rutkowska.

"Advanced Windows 2000 Rootkits Detection", by Jan K. Rutkowski.

"Hidden Processes: the implication for intrusion detection", by Jamie Butler.

4a: "Hide' N Seek Revisited-Full Stealth is Back", by the F-Secure Research team.

-5: "DKOM (Direct Kernel Oct Manipulation)", by Jamie Butler.

-6: "Window Local Kernel Exploitation", by the Scan-Associates team.

"Hacking Windows Internals", by Cesar Cerrudo.

-7: "Beware of Geeks Bearing Gifts: A Windows NT Rootkit Explored", by F.J.Cibelli.

-8: the publication of this article has been adjourned in order to see the development of this affair.

-9: "Shadow Walker: Raising the Bar for Windows Rootkit Detection", by Sherri Sparks and Jamie Butler (Phrack and BlackHat).

-10: "Strider GhostBuster: Why It's a Bad Idea For Stealth Software to Hide Files", by the Microsoft Research team.





WINDOWS ROOTKIT COUNTEARMESURES Part 2: Profiling a Rootkit: HackerDefender 



Publié dans LINE DEFENSE

Commenter cet article

Target Stores Online 14/01/2010 21:26

Thank you for this great blog information!I'm finding this whole blogging world a great resource for any topic, and really inspirational.

Target Stores Online