Important Announcement

StreamArmor and SpyDLLRemover are NOT associated with RootkitAnalytics by any means. Due to some unforeseen circumstances, we had to let go of the corresponding volunteer and remove all his contributions.

dwtf v1.0

dwtf v1.0

dwtf v3 is a fake DLL maker. It creates the fake DLL, based on the original DLL given to it as input. It exports all symbols of real.dll and imports all exports of real.dll (including Forwarder). It creates an area code with a JMP DWORD [ADDRESS] for each export and more.

Learn More

ElfStat

ElfStat is a tool designed for detecting any kernel level rootkit [or other malwares] that modifies the text segment of the kernel in memory -- this implies any malware that modifies the code of the running kernel.

Learn More

KsiD

This tool is designed to detect kernel rootkits and kernel malware which hijack syscalls and kernel functions by modifying the first several bytes of the routine to jump to a hacked version of the syscall or function.

Learn More

Kernel Rootkits

LKM in action

Kernel rootkits are the tools that run in the kernel, hence making it really hard to detect. The entire operating system would be altered in the process, which would help in the process of hiding the fact that the system is compromised.

Learn More

Blog

Rootkit Analytics blog, would encompass anything ranging from analysis of rootkits, to something like status update. This blog is hosted at Kaffe News, which is part of the EvilFingers group of Sites.

Learn More

Tweet

Check out our dedicated "AntiRootkit" Twitter account for update on RootkitAnalytics. We try to keep our users up to date on what we do the best.

Learn More

Hypervisor Rootkits

Hypervisor Rootkits in action

This comes under both firmware and hardware rootkits. The reason being, hypervisor is a virtual environment that runs on the hardware, but basically it is a firmware. Hence, we have drawn the line and dropped this rootkit in the firmware category of rootkits.

Learn More

EvilFingers Arsenal

Socialize with RootkitAnalytics

Links

Rootkits & Enterprise: Enterprise is a major victim to rootkits. What could rootkits do to them?[read more]

Rootkits & Home-users: Do home-users know the seriousness of rootkits? What should a home-user know about rootkits?[read more]

Rootkits & Information Warfare: What does the silent war of intelligence and national security, got to do with rootkit analysis?[read more]

Userland Rootkits: What should one know about userland rootkits?[read more]

Kernelland Rootkits: What should one know about kernelland rootkits?[read more]

ElfStat: ElfStat is a tool designed for detecting any kernel malware that modifies the text segment of the kernel in memory...[read more]

Syscall/Kernel function interception: This is a more stealth method of syscall hijacking without having to directly modify the syscall table; instead the first several bytes of the syscall are overwritten with a jump to the new code...[read more]

Syscall Interception: What should you know about Syscall interception by directly modifying the Syscall table?[read more]

KsiD [Kernel Symbol Interception Detection]: This tool is designed to detect kernel rootkits and kernel malware which hijack syscalls and kernel functions ...[read more]

IDT /dev/kmem rootkit method: This can be done using several methods including overwriting the first several bytes of the syscall with a jump to other code, or modifying the function pointers.[read more]

Hidden Process Detection: Hidden Process Detection [HPD] using Direct NT System Call Implemenation, PIDB (Process ID Bruteforce) method, CSRSS Process Handle Enumeration and other methods...[read more]

Hidden Registry Detection: Reason for Hiding the Registry Entries, Rootkit techniques to hide, and Detecting Hidden Registry Entries Using Direct NT System Call Method and Directly Reading Hives Method...[read more]

Hidden Service Detection: Hidden Rootkit Services Detection Methods...Enumerating Processes with 'NtControlPipe', Hook Bypass Method through Mapped Image, Services Enumerating Child Processes of Services.exe, Enumerating Services Registry Key...[read more]

Syscall Handler Checker [SHC]: This tool simply verifies whether or not the system call handler system_call() has been patched to call a phony sys_call_table. If a phony sys_call_table appears to be in use, a tool like elfstat can be used for further analysis...[read more]

Firmware Rootkits: Firmware is a small static code that runs on devices ranging from consumer electronics to anything that controls heavy machinery...[read more]

Hypervisor Rootkits: This comes under both firmware and hardware rootkits. The reason being, hypervisor is a virtual environment that runs on the hardware, but basically it is a firmware. Hence, we have drawn the line and dropped this rootkit in the firmware category of rootkits...[read more]

Publications: In this section, we are planning to list all the papers that we have published so far that are rootkit related.

Backdoor Ultimate Defender: In this paper (Backdoor.Win32.UltimateDefender.gtz - Reversing) we analyze install.exe that presents the typical structure of an Medium Evoluted Malware, with basical Obfuscated-Dummy Code...[read more]

Socialize: You could socialize with us by many ways...[read more]

About: Learn about rootkit analytics here...[read more]

Contact us: How can you reach us...[read more]

Our Team: Read more about the rootkit analytics team...[read more]

dwtf v1.0: dwtf is a DLL copying engine ... [read more]

Exploring ADS: Alternate Data Stream (ADS) is the lesser known feature of Windows NTFS file system which...[read more]

Top Articles

Hidden Process Detection
Hidden Service Detection
Tools-Elfstat
Tools-KsiD
Hidden Registry Detection

Installations [from RootkitAnalytics.com]

ToolsCount
~~~~~~~~~~~~~~~~~~~
Elfstat2995
dwtf2194
KsiD1934
SHC1435

NOTE: Our tools are listed in many sites and torrents, which makes it hard for us to track all downloads. Hence, we are listing only the total installations from our website.

Socialize with EvilFingers

Tweets

Debugging Today is out! http://t.co/HE7HBDWE ▸ Top stories today via @yo9fah @evilfingers @atvelu @r00tbsd

@EvilFingers I guess Jerseys are WAY more important than APT and botnets....

RT @EvilFingers: Online Market for Pre-Owned Digital Music Hangs in the Balance: http://t.co/7cJRkMN9

RT @cedricpernet: RT @EvilFingers: Auto #SQLl Injector: This is an automatic SQL Injection tool called as #FatCat ... http://t.co/2bPCtB28 #pentest

RT @EvilFingers: Auto #SQLl Injector: This is an automatic SQL Injection tool called as #FatCat ... http://t.co/2bPCtB28 #pentest

RT @TheHackersNews: The ☛ The Hacker News™ Daily is out! http://t.co/Zl0Vhh5P ▸ Top stories today via @hvcco @evilfingers @securityaffairs @cudeso

The ☛ The Hacker News™ Daily is out! http://t.co/Zl0Vhh5P ▸ Top stories today via @hvcco @evilfingers @securityaffairs @cudeso

Read Top Stories @ http://t.co/lwec0g6a - top stories by DarkOperator, jeremiahg, EvilFingers

@EvilFingers OMG, 29 pages about nothing. And they are going to publish Phase 2! Please, save our brains :)

EvilFingers: Google, Facebook and Others Join to Write New Email-Authentication Spec Called DMARC: Google, Yahoo,... http://t.co/xBJGVcl8

EvilFingers: Scammers reveal features of brand new iPhone 5.. or do they?: A scam spreads on Tumblr, claiming that... http://t.co/NFPqFTtY

Read Top Stories @ http://t.co/lwec0g6a - top stories by EvilFingers, purescapism, ivanristic

UTC Cyber Security Daily is out! http://t.co/ROsC6SRT ▸ Top stories today via @evilfingers @_deewayne @digitalbond

Read Top Stories @ http://t.co/lwec0g6a - top stories by ioerror, ivanristic, EvilFingers

RT @0xida: #ff back ^.^ @ChadChoron @0xerror @EvilFingers @KoreSecure @group51 @RealBelahzur @rebelk0de @malc0de @nicolasbrulez @intel_chris @virusbtn