home >> tools >> elfstat

ElfStat

ElfStat is a tool designed for detecting any kernel level rootkit [or other malwares] that modifies the text segment of the kernel in memory -- this implies any malware that modifies the code of the running kernel. This tool has some nice kernel analysis features, which are good for security analysts who want to dissasemble the malware code and even patch it. I've included 'kmp' kernel memory patcher. This tool allows you to patch /dev/kmem which is generally more writable in FreeBSD than in Linux. The only real inconvenience with ElfStat is that it requires you have a copy of your uncompressed kernel image to use as a signature. In Linux this is created as vmlinux (not vmlinuz) and in FreeBSD it may be /boot/kernel/kernel. For complete instructions read the README file included with elfstat-version.tgz.

Download Elfstat

Integrity HASH:

elfstat-0.1.tgz
MD5:3903f20fc6525a4d0b9df7b4b3a09064
SHA-1:a51f5b65297991806908ee0d701b996cac56fa35
SHA-256:
f00fceb7d7f5d1a510735a1d6cad8ba20c1b28333c500adf465dae4be99eebc1

\.svn\all-wcprops
MD5:e433ba3cda2cd783d0c616b2f5f406d1
SHA-1:86aab8b1e63f80c1a1b35779f1f3c877e8856f72
SHA-256:
32e1fdca6ef4756f32184c8783330cba69acb4c6cd5a6a48e3712f4322480cd8

\.svn\entries
MD5:834a859f3a1ae10ac9f9956c04e938d7
SHA-1:6ee776d9f890a9c1cfe423df0be893dde78952dd
SHA-256:
b8eced7cea6625d758960c1c7e73644dc214b617bc87b556f96bf537174250c6

\.svn\format
MD5:7c5aba41f53293b712fd86d08ed5b36e
SHA-1:b6abd567fa79cbe0196d093a067271361dc6ca8b
SHA-256:
2e6d31a5983a91251bfae5aefa1c0a19d8ba3cf601d0e8a706b4cfa9661a6b8a

\.svn\text-base\elfstat-new.c.svn-base
MD5:f509954c54501442bf5f8430c76a5bb0
SHA-1:19f5f5525ad69f359b7c93c56b7bfe7650bf46f6
SHA-256:
76183b9784621bca29072a7078e4271255400090782b8c65777a397569f85ecc

\.svn\text-base\elfstat.c.svn-base
MD5:ca8fce889154eef41aa49936c132cbbf
SHA-1:6db5b9872742ba917c454492d67ecf86b1706646
SHA-256:
1a4df1e3430f6cf3629a6565c777fce9f58def44f8d095b5661a24202451fb5e

\.svn\text-base\kmp.c.svn-base
MD5:a09aec751e38d4956e006dcfd52909ce
SHA-1:43f739b7f865e35ede4558e9efcf8d31b501d4b2
SHA-256:
bc7256e042ff0604c3b6cd1d843bd53a56fbe30d17bdc6aa4a11aae42a744c59

\.svn\text-base\README.svn-base
MD5:52c18e11961cade29f08e76b49bd40cc
SHA-1:463e4cd16740417b4655b17467ff2277a48fa2f9
SHA-256:
f621b0bd358ea547a70a4678b677297d800cc10a30d7af4f8e79ec416454de13

\elfstat.c
MD5:b678d7aa5dbabafb10ceb692f037ce88
SHA-1:e2fda07d387ee959ee7482456da5633c8916692b
SHA-256:
18cbf0d72be1e0596d53f55e22877f30e65fbc663989ccdb28a6ae9f381edc82

\kmp.c
MD5:c5b643695ee81718ac45a4674fdfb31c
SHA-1:efbeea95ca95a07414950bed9e9e35f45c0862e2
SHA-256:
34d34442e381bc9a3b404481e3704038af137e6d76872cc09aefca5a283a6558

\README
MD5:db0200cc13155971174124f32dad442f
SHA-1:ee5d43ce803a572502c966151cb33104702fe99f
SHA-256:
0ea2651f18fa4a5b6ac7a71610a72e5d9df289ddd096382aeb0fe55f940bfca7

Click the following to download:

Download Elfstat

EvilFingers Arsenal




Socialize with RootkitAnalytics

Twitter Feed Blogspot

Links

Rootkits & Enterprise: Enterprise is a major victim to rootkits. What could rootkits do to them?[read more]

Rootkits & Home-users: Do home-users know the seriousness of rootkits? What should a home-user know about rootkits?[read more]

Rootkits & Information Warfare: What does the silent war of intelligence and national security, got to do with rootkit analysis?[read more]

Userland Rootkits: What should one know about userland rootkits?[read more]

Kernelland Rootkits: What should one know about kernelland rootkits?[read more]

ElfStat: ElfStat is a tool designed for detecting any kernel malware that modifies the text segment of the kernel in memory...[read more]

Syscall/Kernel function interception: This is a more stealth method of syscall hijacking without having to directly modify the syscall table; instead the first several bytes of the syscall are overwritten with a jump to the new code...[read more]

Syscall Interception: What should you know about Syscall interception by directly modifying the Syscall table?[read more]

KsiD [Kernel Symbol Interception Detection]: This tool is designed to detect kernel rootkits and kernel malware which hijack syscalls and kernel functions ...[read more]

IDT /dev/kmem rootkit method: This can be done using several methods including overwriting the first several bytes of the syscall with a jump to other code, or modifying the function pointers.[read more]

Hidden Process Detection: Hidden Process Detection [HPD] using Direct NT System Call Implemenation, PIDB (Process ID Bruteforce) method, CSRSS Process Handle Enumeration and other methods...[read more]

Hidden Registry Detection: Reason for Hiding the Registry Entries, Rootkit techniques to hide, and Detecting Hidden Registry Entries Using Direct NT System Call Method and Directly Reading Hives Method...[read more]

Hidden Service Detection: Hidden Rootkit Services Detection Methods...Enumerating Processes with 'NtControlPipe', Hook Bypass Method through Mapped Image, Services Enumerating Child Processes of Services.exe, Enumerating Services Registry Key...[read more]

Syscall Handler Checker [SHC]: This tool simply verifies whether or not the system call handler system_call() has been patched to call a phony sys_call_table. If a phony sys_call_table appears to be in use, a tool like elfstat can be used for further analysis...[read more]

Firmware Rootkits: Firmware is a small static code that runs on devices ranging from consumer electronics to anything that controls heavy machinery...[read more]

Hypervisor Rootkits: This comes under both firmware and hardware rootkits. The reason being, hypervisor is a virtual environment that runs on the hardware, but basically it is a firmware. Hence, we have drawn the line and dropped this rootkit in the firmware category of rootkits...[read more]

Publications: In this section, we are planning to list all the papers that we have published so far that are rootkit related.

Backdoor Ultimate Defender: In this paper (Backdoor.Win32.UltimateDefender.gtz - Reversing) we analyze install.exe that presents the typical structure of an Medium Evoluted Malware, with basical Obfuscated-Dummy Code...[read more]

Socialize: You could socialize with us by many ways...[read more]

About: Learn about rootkit analytics here...[read more]

Contact us: How can you reach us...[read more]

Our Team: Read more about the rootkit analytics team...[read more]

dwtf v1.0: dwtf is a DLL copying engine ... [read more]

Exploring ADS: Alternate Data Stream (ADS) is the lesser known feature of Windows NTFS file system which...[read more]

Installations [from RootkitAnalytics.com]

ToolsCount
~~~~~~~~~~~~~~~~~~~
Elfstat4200
dwtf3342
KsiD2883
SHC2159

NOTE: Our tools are listed in many sites and torrents, which makes it hard for us to track all downloads. Hence, we are listing only the total installations from our website.

Socialize with EvilFingers

Twitter Feed Blogspot LinkedIn Delicious Google

Tweets