Userland rootkits: Part 1, IAT hooks

This is the first part of this series about userland rootkits. I wanted to write on it and demonstrate how some rootkits hide files by using IAT hooks. This post is about a classic trick, known for decades. Malware specialists may know this already, so […]


RogueKiller V10 is here!

…with a brand new UI and a Premium version (beta). No worries, the user experience is still the same (fortunately, or unfortunately, it's up to you :)). Here's what it looks like: What's new? New UI, based on the Qt framework. All the forms have been redesigned, […]

RogueKillerCMD can read the full content

Poweliks removal with RogueKiller

How to remove Poweliks with RogueKiller. EDIT 10/10/2014: Poweliks has a new variant. There is no longer a Run key, only a CLSID hijack in HKEY_LOCAL_MACHINE\Software\classes\clsid\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32. Your reports should look like this (with the text in your own language): ¤¤¤ Malicious processes (Processus malicieux) : 1 ¤¤¤ [Tr.Poweliks] dllhost.exe — C:\WINDOWS\system32\dllhost.exe[7] -> […]
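As an added example (this is not RogueKiller's code and is not taken from the post), the following PowerShell snippet checks the CLSID\LocalServer32 location the post names and then sweeps every CLSID LocalServer32 entry for two generic red flags. Only the CLSID string comes from the post; the function names and the two heuristics (a command line whose binary does not exist on disk, and value names that are not plain printable ASCII) are general persistence-hunting checks and are assumptions of this example. Note that dllhost.exe itself is a legitimate COM surrogate, so many clean LocalServer32 entries point at it; the binary name alone is not a signal.

```powershell
# Added example, not RogueKiller's own code. Run in an elevated PowerShell on the suspect host.
# Only $PoweliksClsid comes from the post; the heuristics below are general assumptions.

$PoweliksClsid = '{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}'
$ClsidRoot     = 'HKLM:\SOFTWARE\Classes\CLSID'

# Pull the executable path out of a LocalServer32 command line such as
#   "C:\Program Files\App\app.exe" /embedding   or   C:\WINDOWS\system32\dllhost.exe /Processid:{...}
function Get-ExePathFromCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    return ($cmd -split '\s+')[0]
}

# Inspect one LocalServer32 key and return the flags raised against it (if any)
function Test-LocalServer32Key {
    param([string]$KeyPath)
    $item = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $item) { return $null }          # unreadable key: skip rather than abort the sweep
    $default = $item.GetValue('')             # '' is the (Default) value name
    $exe     = Get-ExePathFromCommand $default
    $flags   = @()

    # Flag 1 (assumed heuristic): the command line names a binary that does not exist
    if ($exe) {
        $onDisk = if ($exe -match '[\\/]') { Test-Path -LiteralPath $exe }
                  else { [bool](Get-Command $exe -ErrorAction SilentlyContinue) }
        if (-not $onDisk) { $flags += "missing binary: $exe" }
    }
    # Flag 2 (assumed heuristic): value names that are not plain printable ASCII
    foreach ($name in $item.GetValueNames()) {
        if ($name -ne '' -and $name -notmatch '^[\x20-\x7E]+$') { $flags += 'non-ASCII value name' }
    }
    [pscustomobject]@{ Key = $KeyPath; Command = $default; Flags = $flags }
}

# 1. The exact key named in the post
$target = "$ClsidRoot\$PoweliksClsid\LocalServer32"
if (Test-Path -LiteralPath $target) {
    Write-Output 'Poweliks CLSID present:'
    Test-LocalServer32Key $target | Format-List
} else {
    Write-Output 'Poweliks CLSID key not present.'
}

# 2. Generic sweep: every CLSID that has a LocalServer32 subkey, reporting only flagged ones
Get-ChildItem -LiteralPath $ClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $ls = "$ClsidRoot\$($_.PSChildName)\LocalServer32"
    if (Test-Path -LiteralPath $ls) {
        $r = Test-LocalServer32Key $ls
        if ($r -and $r.Flags.Count -gt 0) { $r }
    }
} | Format-Table -AutoSize -Wrap
```

The sweep reports, not removes: a flagged entry still needs to be confirmed (for example by checking what the command line actually launches and whether the referenced process is running) before the key is deleted, and a cleanup tool such as RogueKiller will handle the removal once the hit is confirmed.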


KernelMode rootkits: Part 3, kernel filters

This is the third part of this series about kernel mode rootkits. I wanted to write on it and demonstrate how some rootkits (e.g. keyloggers) intercept keystrokes by using kernel filters. To understand the basics of kernel mode and drivers, please refer to the first part. […]

KernelMode rootkits: Part 2, IRP hooks

This is the second part of this series about kernel mode rootkits. I wanted to write on it and demonstrate how some rootkits (e.g. TDL4) hijack disk access by using IRP hooks. To understand the basics of kernel mode and drivers, please refer to the first part. […]


KernelMode rootkits: Part 1, SSDT hooks

This is the first part of this series about kernel mode rootkits. I wanted to write on it and demonstrate how some rootkits (e.g. Necurs) hide their presence and protect themselves from removal by using SSDT hooks. I'll first introduce what kernel mode is (as opposed to user land), […]

New RogueKiller statistics are here!

And they are way sexier than before… RogueKiller's statistics are a way to display the data sent by the software to our web server database. The statistics are displayed in real time (you have to refresh the page, though), so there's no need for human action […]