Archive for the ‘CodeWalker: Another AntiRootkit Tool’ Category

CodeWalker: Another AntiRootkit Tool
Author : Thug4lif3 (aka Sơn “bird”, my brother :D)

He has developed an antirootkit tool called CodeWalker which can:

+ Detect hidden processes
+ Detect hidden drivers
+ Detect hidden files (support NTFS only)
+ Detect hooks in both kernel mode and usermode.
+ Works on Windows English 2000/XP/2003/Vista/2008.

The tool is currently in beta stage and im looking for people for testing it. I’ve already tested it with all rootkits samples I have and its detection rate seems optimistic. I think it’s very great if you guys test it against your rootkit zoo and provide the result you got with the tool. If there’s BSOD (of cos, you can never write a bug free proggie, rite? :P), it would be very appreciated of you to upload minidumps to help me correct the tool. Thanks in advance.

I will update this tool frequently for new detection methods, bug fixs etc. Welcome for your all suggestions, bugs and minidumps

In this beta version, the main improves to other ark is heavily put in hidden driver object (System Modules tab) and code hooking detection.

For hidden driver detection, you can test it with some pretty well hidden driver PoC such as phide_ex and many builds of Rustock.B variants. Although you have to use the “Hardcore Scan” method to detect them.

For code hooking detection, the engine walks all the branches of scanned module i.e any execution path of it to detect modification (btw, that’s why i call it CodeWalker). IMHO, It can detect code hooking very well especially with rootkits that place abnormal hooks, although there’re false-positive detections.

Here’s the tool:

Thanx Thug4lif3 for sharing his Tool.