Full Disclosure
mailing list archives
RKDetect - behaviour based rootkit detection (updated)
From: offtopic <offtopic () mail ru>
Date: Wed, 08 Sep 2004 13:29:44 +0400
Hi list.
New features:
Localized systems support and extended information about service added.
Details:
RKDetect is a little anomaly detection tool that can find services hidden by generic Windows rootkits like Hacker
Defender. The tool enumerates the services on a remote computer via WMI (user level) and the Services Control Manager
(kernel level); the results are then compared and any difference is displayed. In this way we can find hidden services
that are usually used to start rootkits. A similar approach can be used to enumerate processes, files, registry keys and
anything else that rootkits usually hide.
Source Code:
The tool is a VBScript which requires the sc.exe application; it can be found at %WINDIR%\system32\sc.exe or can be
downloaded along with the source code at: http://www.security.nnov.ru/files/rkdetect.zip
Sample:
C:\hack\rkd>cscript rkdetect.vbs 200.4.4.4
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Query services by WMI...
Detected 70 services
Query services by SC...
Detected 71 services
Finding hidden services...
Possible rootkit found: HXD Service 100 - HackerDefender100
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: HackerDefender100
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\rootkits\hxdef100\hxdef100.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HXD Service 100
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Done
(c)oded by offtopic
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
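The cross-view check described in the Details section above, written out as an added example; this is not the rkdetect.vbs from the post, and it assumes Python 3 with `sc.exe` and `powershell.exe` on the PATH for the optional live mode. It parses the record format that `sc query state= all` prints (constructed sample below, with the HackerDefender100 record modelled on the post's output) and a one-name-per-line user-mode listing (constructed sample, in the shape `Get-CimInstance Win32_Service | Select-Object -ExpandProperty Name` produces), then reports names present in one view but not the other. It goes slightly beyond the post by comparing names case-insensitively, since Windows service names are not case-sensitive, and by reporting the reverse discrepancy (seen by WMI, absent from the SCM) as well.

```python
import re
import subprocess
import sys

# Constructed sample of `sc query state= all` output. The HackerDefender100
# record mirrors the service shown in the post; the other two are ordinary.
SC_SAMPLE = """\
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: W32Time
DISPLAY_NAME: Windows Time
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: HackerDefender100
DISPLAY_NAME: HXD Service 100
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

# Constructed sample of the user-mode (WMI) view, one service name per line.
# The rootkit's user-mode API hooks have filtered its own service out.
WMI_SAMPLE = """\
Spooler
W32Time
"""

_NAME_RE = re.compile(r"^SERVICE_NAME:\s*(.+?)\s*$")
_FIELD_RE = re.compile(r"^\s*(DISPLAY_NAME|TYPE|STATE)\s*:\s*(.+?)\s*$")


def parse_sc_query(text):
    """Parse `sc query` output into {service_name: {field: value}}."""
    services, current = {}, None
    for line in text.splitlines():
        m = _NAME_RE.match(line)
        if m:
            current = services.setdefault(m.group(1), {})
            continue
        m = _FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return services


def parse_wmi_names(text):
    """One service name per line; blank lines ignored."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def cross_view_diff(sc_text, wmi_text):
    """Return (names only the SCM reports, names only WMI reports), compared
    case-insensitively but reported with the casing each view used."""
    sc_keys = {n.lower(): n for n in parse_sc_query(sc_text)}
    wmi_keys = {n.lower(): n for n in parse_wmi_names(wmi_text)}
    sc_only = sorted(sc_keys[k] for k in sc_keys.keys() - wmi_keys.keys())
    wmi_only = sorted(wmi_keys[k] for k in wmi_keys.keys() - sc_keys.keys())
    return sc_only, wmi_only


def report(sc_text, wmi_text):
    """Human-readable findings, one per discrepancy, in the post's style."""
    sc_view = parse_sc_query(sc_text)
    sc_only, wmi_only = cross_view_diff(sc_text, wmi_text)
    lines = [f"Possible rootkit found: {sc_view[n].get('DISPLAY_NAME', '?')} - {n} "
             f"[{sc_view[n].get('STATE', '?')}]" for n in sc_only]
    lines += [f"Seen by WMI but not by the SCM: {n}" for n in wmi_only]
    return lines


def live_views(computer=None):
    """Windows only: run the real enumerations. Assumes sc.exe and
    powershell.exe are on the PATH; `computer` is an optional remote host."""
    server = ["\\\\" + computer] if computer else []
    sc_out = subprocess.run(["sc.exe", *server, "query", "state=", "all"],
                            capture_output=True, text=True, check=True).stdout
    ps = "Get-CimInstance Win32_Service"
    if computer:
        ps += f" -ComputerName {computer}"
    ps += " | Select-Object -ExpandProperty Name"
    wmi_out = subprocess.run(["powershell.exe", "-NoProfile", "-Command", ps],
                             capture_output=True, text=True, check=True).stdout
    return sc_out, wmi_out


if __name__ == "__main__":
    if "--live" in sys.argv:
        host = next((a for a in sys.argv[1:] if not a.startswith("--")), None)
        sc_text, wmi_text = live_views(host)
    else:
        sc_text, wmi_text = SC_SAMPLE, WMI_SAMPLE
    for line in report(sc_text, wmi_text) or ["No cross-view difference found"]:
        print(line)
```

Run it with no arguments to see the constructed case flagged, or `--live [host]` on a Windows box to compare the real views. Two caveats for real use: `sc query` defaults to `type= service`, which matches Win32_Service (neither includes kernel drivers), so a driver-only rootkit service needs a separate pass with `type= driver` against Win32_SystemDriver; and both views are still obtained through user-mode components (the WMI provider and the SCM, which is the user-mode services.exe process, not kernel code), so a rootkit that hooked the SCM's own enumeration consistently would defeat the comparison. The post's sample run shows that Hacker Defender 1.00 does not.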