At the time of this writing, Rootkit Unhooker, shown in Figure A-7, is the best rootkit detection tool available at any price - and it’s free. This will make revenue generation in the rootkit detection industry extremely difficult for the foreseeable future, but it’s great news for anyone worried about rootkits.
Rootkit Unhooker has six major functions:
Kernel hook detection and restoration
Hidden process detection
Hidden device driver detection
Hidden file detection
Code hook detection
Reporting of all detected anomalies
The five detectors can spot all of the rootkit techniques detailed in this book.
The first tab, SSDT Hooks Detector/Restorer, displays all the functions from the kernel system call table, the address of the function, a hook indicator, and, when a hook is detected, the name of the module that hooked the function. This tab alone provides enough information to detect and clear 90% of all rootkits. After detecting a hook and tracing the hooking module to a rootkit (as opposed to security software), you can clear all SSDT hooks, search the registry for the module and delete the keys referencing the module, and then delete the module itself and reboot.
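The check behind the first tab, reduced to its core, as an added example that is neither Rootkit Unhooker's code nor code from this book: each system call table slot is resolved to the loaded module containing its handler address, and any slot whose handler lies outside the kernel image is reported together with the module that placed it, which is the information you need to decide whether the hooker is a rootkit or security software. All addresses, the module ranges and the driver name example_rk.sys are constructed for the sample and are not real values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* A loaded kernel module: name plus the address range its image occupies. */
typedef struct { const char *name; uintptr_t base; size_t size; } kmodule_t;
/* One system call table slot: its index and the handler address it holds. */
typedef struct { int index; uintptr_t target; } ssdt_entry_t;
/* One flagged slot: its index and the module that owns the handler address. */
typedef struct { int index; const char *module; } hook_t;
/* Returns the module whose image contains addr, or NULL if none does. */
static const kmodule_t *module_for(uintptr_t addr, const kmodule_t *mods, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size)
            return &mods[i];
    return NULL;
}
/* Flags every slot whose handler lies outside the table's legitimate owner (the
   kernel image for the native SSDT), recording the slot index and the hooking
   module's name ("<unknown>" if no listed module contains the address) in out[]. */
size_t find_ssdt_hooks(const ssdt_entry_t *table, size_t n,
                       const kmodule_t *mods, size_t nmods,
                       const char *owner, hook_t *out, size_t max) {
    size_t found = 0;
    for (size_t i = 0; i < n && found < max; i++) {
        const kmodule_t *m = module_for(table[i].target, mods, nmods);
        if (m && strcmp(m->name, owner) == 0)
            continue;                 /* handler still inside the kernel: clean */
        out[found].index  = table[i].index;
        out[found].module = m ? m->name : "<unknown>";
        found++;
    }
    return found;
}
/* Constructed sample: every address and the driver name below are made up. */
static const kmodule_t sample_mods[] = {
    { "ntoskrnl.exe",   0x80400000, 0x200000 },
    { "example_rk.sys", 0xF8A00000, 0x010000 },  /* hypothetical hooking driver */
};
static const ssdt_entry_t sample_table[] = {
    { 0x7A, 0x80412340 },  /* inside ntoskrnl: clean */
    { 0xAD, 0xF8A01230 },  /* inside example_rk.sys: hooked */
    { 0x91, 0xF9C00010 },  /* in no listed module: hooked, origin unknown */
};
static hook_t sample_hits[3];
/* Scans the sample table; returns the hook count, details via the accessors. */
size_t scan_sample(void) {
    return find_ssdt_hooks(sample_table, 3, sample_mods, 2, "ntoskrnl.exe", sample_hits, 3);
}
int sample_hook_index(size_t i)          { return sample_hits[i].index; }
const char *sample_hook_module(size_t i) { return sample_hits[i].module; }
```

A real scanner obtains the module list from the kernel's loaded-module list and the table from the live kernel; a handler that resolves to no listed module at all is the case a hidden driver produces, which is why the third tab matters alongside the first.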
The second tab, Hidden Process Detector, displays all running processes, the EPROCESS address of the process, and the status of the process. Any process with the status “Hidden from Windows API” is both running and not in the process link list. The hidden process can be either a rootkit or a process being hidden with rootkit technology.
The third tab, Hidden Drivers Detector, displays all loaded drivers, the location of the driver, the address and size of the loaded driver, a Hidden indication, and a References column. Any driver marked as hidden is both running and not in the device driver link list. This is a clear indication of a kernel-level rootkit.
The fourth tab, Hidden Files Detector, displays a list of all hidden files detected. This detector does not account for hidden directories, so it will not catch the file-hiding technique detailed in this book, but expect the next version of Rootkit Unhooker to include all files in hidden directories as well as individually hidden files.
The fifth tab, Code Hooks Detector, displays the User Mode Hooks (process injection) for every loaded process. As with kernel hooks, the operator can unhook all injected processes or selectively unhook individual processes. The code hook detector also displays the name of the module that placed the hook whenever possible.
The sixth tab, Report, displays all the detected anomalies from all the detectors. Just press the Scan button to initiate a report.