Finding hidden drivers in Windoze NT

(Monday, February 13, 2006)
Lately I had an idea for a simple way to detect loaded kernel drivers that hide their presence once they are running. I'm sure this method is already known and used, but since I never read about it anywhere, I decided to write it down.

You have to reboot your box and start the system with boot logging enabled: hit F8 before the Windoze boot screen appears and select the entry "Enable Boot Logging". Another possibility is to pass the /BOOTLOG option to the Windoze kernel as a parameter by editing the `boot.ini' file.
If the Windoze kernel detects the above-mentioned option, the I/O manager calls IopBootLog() to record all loaded drivers. Even disabled drivers are logged. IopBootLog() cannot simply write the data into a log file, because the Session Manager Subsystem (Smss.exe) is going to run `chkdsk' later in the boot process to ensure the system drive's consistency. Therefore IopBootLog() has to save all messages in the HKLM\SYSTEM\CurrentControlSet\BootLog registry value. Later on the kernel invokes IopCopyBootLogRegistryToFile(), which creates the file `%SYSTEMROOT%\Ntbtlog.txt' and copies the contents of the BootLog registry value into it.

Now we have a complete list of all loaded drivers, because a rootkit that hides drivers after its initialization is itself loaded (and therefore logged) before it gets to execute. Then we can compare this "clean" list with another list retrieved by querying the standard APIs for enumerating drivers, for example EnumServicesStatusA(), EnumServiceGroupW(), EnumServicesStatusExA() and EnumServicesStatusExW().

The big disadvantage of this method is the necessary reboot. It would also be easy for a rootkit to manipulate the `Ntbtlog.txt' file or, better, the `BootLog' registry value. We could circumvent this problem by booting from the Windoze CD or boot disks and starting the recovery console. The recovery console is able to list all Windoze installations and to "log into" a selected one. It loads the SYSTEM hive `%SYSTEMROOT%\System32\Config\System', which contains the `HKLM\SYSTEM\CurrentControlSet\Services' registry key for the specified installation. The `Services' key stores all services and drivers.

The recovery console also supports commands to list all services/drivers and to enable/disable them. So you can easily dump all drivers (and even services) to a file, reboot the system and compare this file with the data returned by an API. Starting the recovery console is more effort, but you can be sure that the list has not been manipulated by any malware.
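As an added example (my own code, not from the original post), here is a small Python script that parses a boot log in the Ntbtlog.txt format and reports drivers that were logged as loaded but are missing from the list the live enumeration APIs return. It assumes the "Loaded driver" / "Did not load driver" line format of Ntbtlog.txt, and it assumes the caller has already resolved each SERVICE_DRIVER entry returned by EnumServicesStatusExW() to its image path with QueryServiceConfig(), since the enumeration APIs return service names rather than file names. All sample data in the block is constructed. The same comparison serves the recovery-console variant: a driver dump made from the recovery console just needs its own parser feeding hidden_drivers() in place of parse_bootlog().

```python
"""Compare a Windows boot log (Ntbtlog.txt) with the driver list seen by
the live system's service-enumeration APIs.

Assumptions (not from the original post): the boot log uses the
"Loaded driver <path>" / "Did not load driver <path>" line format, and the
live list is supplied as image paths that the caller looked up with
QueryServiceConfig() for every SERVICE_DRIVER entry from
EnumServicesStatusExW(). All sample data below is constructed."""
from __future__ import annotations

from pathlib import PureWindowsPath

LOADED_PREFIX = "Loaded driver "
NOT_LOADED_PREFIX = "Did not load driver "

# The boot log also records the kernel, HAL and boot-time DLLs, which are
# not services and never show up in the service database. Exclude them so
# they do not appear as false positives.
BOOT_IMAGES = {
    "ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe",
    "hal.dll", "kdcom.dll", "bootvid.dll",
}


def normalize(image_path: str) -> str:
    """Reduce a driver path to its case-folded file name.

    Boot-log entries mix \\SystemRoot\\..., \\WINDOWS\\... and bare names,
    and the service database stores yet another spelling, so only the
    image file name is a stable key (NTFS names are case-insensitive)."""
    return PureWindowsPath(image_path.strip()).name.lower()


def parse_bootlog(text: str) -> tuple[set[str], set[str]]:
    """Return (loaded, not_loaded) driver file names from Ntbtlog.txt text.

    The first line is a header (service pack + timestamp); it and any other
    line without a driver prefix are ignored."""
    loaded, not_loaded = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(LOADED_PREFIX):
            loaded.add(normalize(line[len(LOADED_PREFIX):]))
        elif line.startswith(NOT_LOADED_PREFIX):
            not_loaded.add(normalize(line[len(NOT_LOADED_PREFIX):]))
    return loaded, not_loaded


def hidden_drivers(bootlog_text: str, live_image_paths) -> list[str]:
    """Drivers the boot log saw load but the live API view no longer shows.

    Only this direction is a hiding indicator; see started_after_boot()."""
    loaded, _ = parse_bootlog(bootlog_text)
    live = {normalize(p) for p in live_image_paths}
    return sorted((loaded - BOOT_IMAGES) - live)


def started_after_boot(bootlog_text: str, live_image_paths) -> list[str]:
    """Drivers in the live view that the boot log never saw.

    These were started after boot logging finished (e.g. by a later
    StartService call); that is normal and not a sign of hiding."""
    loaded, _ = parse_bootlog(bootlog_text)
    live = {normalize(p) for p in live_image_paths}
    return sorted(live - loaded)


# Constructed sample boot log; "sample_hidden.sys" stands in for a driver
# that hides itself after initialization. Not a real Ntbtlog.txt.
SAMPLE_BOOTLOG = r"""Service Pack 2  2 13 2006 09:12:44.500
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS
Loaded driver \WINDOWS\system32\DRIVERS\sample_hidden.sys
Did not load driver \SystemRoot\system32\DRIVERS\i2omp.sys
"""

# Constructed stand-in for the image paths of SERVICE_DRIVER entries as the
# live system reports them. The hidden driver is absent; NDIS.sys was
# started after boot and therefore does not appear in the boot log.
SAMPLE_LIVE = [
    r"\SystemRoot\system32\DRIVERS\ACPI.sys",
    r"system32\DRIVERS\WMILIB.SYS",
    r"\SystemRoot\system32\DRIVERS\NDIS.sys",
]

if __name__ == "__main__":
    for name in hidden_drivers(SAMPLE_BOOTLOG, SAMPLE_LIVE):
        print("loaded at boot but invisible to the enumeration API:", name)
    for name in started_after_boot(SAMPLE_BOOTLOG, SAMPLE_LIVE):
        print("started after boot (expected, not a hiding indicator):", name)
```

Two details matter when this is run against a real system: the comparison must be done on image file names, because the enumeration APIs hand back service names, and only the "in the boot log but not in the live view" direction is suspicious; the reverse set is just whatever was started after boot logging finished.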

This way we are able to beat rootkits that use any kind of hooking technique, and we can also detect rootkits that use Direct Kernel Object Manipulation (DKOM) to hide their presence. Naturally, it's not possible to find rootkits that use the 'Memory Cloaking Concept' described in Phrack 63-0x08, Raising The Bar For Windows Rootkit Detection.

I have another idea for detecting hidden files without rebooting the system, but it needs more research and some coding effort to be useful. So stay tuned...

np: Seether - Fine again

Comments

nice idea, keep up the good work.
#1 nait on 2006-02-13 14:38
