[MRT-X] Understanding Windows, Rootkits, and Anti-Rootkits (ARKs)
Posted Mar 21, 2025 09:37 AM
🔹 Understanding Windows, Rootkits, and Anti-Rootkits (ARKs) 🔹
📌 Introduction 📌
This guide is designed to provide an understanding of how Windows interacts with rootkits, how rootkits operate, and how Anti-Rootkits (ARKs) detect and remove them.
This is not a jargon-heavy tutorial, but it does introduce key terms and concepts essential for malware analysis and rootkit detection.
🧠 Key Concepts & References 🧠
✔ Functions/Subroutines - The building blocks of executable programs.
✔ FindFirstFile Function - A Windows API function used for file enumeration.
🖥️ Windows & DLLs - How They Work 🖥️
Windows relies heavily on Dynamic Link Libraries (DLLs). These DLLs contain the functions that programs call to interact with the system. Each new Windows version modifies, adds, or removes DLLs, which is why programs (including security tools) built for one version can break on another.
Programs use API functions like FindFirstFile to scan directories. Malware and rootkits can hook these functions (overwriting their first bytes, or redirecting the import that points to them) so that particular files are dropped from the results before the calling program ever sees them.
For example, a rootkit might hook FindFirstFile to skip any file whose name contains "TDSS", hiding its own files from normal directory listings.
🔹 To counteract this, Anti-Rootkits (ARKs) compare the in-memory bytes of system functions and dispatch tables against known-good copies (such as the original file on disk) and flag any unauthorized modification.
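As an added example (not code from the original post or from GMER), here is the comparison an ARK performs, in Python: a function's bytes in memory are checked against a known-good copy, and if they differ, the overwritten bytes are decoded to find where the hook diverts execution. The known-good bytes and patch sites are constructed from the two GMER inline-patch lines quoted later in this post; they are not real kernel code.

```python
import struct
from typing import Optional, Tuple

# Two trampoline shapes GMER reports as inline patches ("PUSH FC8152D4; RET"
# and "JMP 00D52B9A" in the log lines quoted later in this post).
JMP_REL32 = 0xE9   # E9 <rel32>: 5 bytes, target = patch_addr + 5 + rel32
PUSH_IMM32 = 0x68  # 68 <imm32> C3: 6 bytes, target = imm32
RET = 0xC3

def first_difference(known_good: bytes, in_memory: bytes) -> Optional[int]:
    """Offset of the first byte that differs from the known-good copy, or None."""
    for off, (good, now) in enumerate(zip(known_good, in_memory)):
        if good != now:
            return off
    return None

def decode_trampoline(code: bytes, addr: int) -> Optional[Tuple[str, int]]:
    """Recognise a JMP rel32 or PUSH imm32; RET at addr and return (kind, target)."""
    if len(code) >= 5 and code[0] == JMP_REL32:
        rel = struct.unpack_from("<i", code, 1)[0]
        return "JMP", (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == PUSH_IMM32 and code[5] == RET:
        return "PUSH; RET", struct.unpack_from("<I", code, 1)[0]
    return None

def check_function(name: str, base: int, known_good: bytes, in_memory: bytes) -> dict:
    """The ARK check: compare a function's in-memory bytes with its known-good image."""
    off = first_difference(known_good, in_memory)
    if off is None:
        return {"function": name, "patched": False}
    hook = decode_trampoline(in_memory[off:], base + off)
    return {"function": name, "patched": True, "patch_addr": base + off,
            "kind": hook[0] if hook else "unknown",
            "target": hook[1] if hook else None}

# Constructed sample: a clean 9-byte region (not real kernel bytes), then the same
# region with the two patches from the GMER lines written over it.
CLEAN = bytes.fromhex("8bff558bec83ec10c3")
ZWQUERYKEY_SITE = 0x8056F674 - 2            # region starts 2 bytes before the patch
KERNEL_PATCHED = CLEAN[:2] + bytes.fromhex("68d45281fcc3") + CLEAN[8:]  # PUSH FC8152D4; RET
CRYPTDESTROYKEY = 0x77DDA544
rel = struct.pack("<i", 0x00D52B9A - (CRYPTDESTROYKEY + 5))
USER_PATCHED = bytes([JMP_REL32]) + rel + b"\x90\x90" + CLEAN[7:]    # JMP 00D52B9A + 2 NOPs

if __name__ == "__main__":
    print(check_function("ntoskrnl.exe!ZwQueryKey+201", ZWQUERYKEY_SITE, CLEAN, KERNEL_PATCHED))
    print(check_function("ADVAPI32.dll!CryptDestroyKey", CRYPTDESTROYKEY, CLEAN, USER_PATCHED))
```

A real ARK obtains the known-good bytes from the module file on disk (after applying relocations) rather than from a constant, and it must read memory through a path the rootkit has not hooked.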
🕵️ Understanding Rootkits & Their Techniques 🕵️
Rootkits modify Windows' core functionality; understanding them requires knowing how Windows separates privilege levels (rings) and protects memory:
✔ Ring 0 (Kernel Mode) → Where device drivers operate, giving complete system control.
✔ Ring 3 (User Mode) → Where standard applications run, with limited permissions.
If a Ring 3 process tries to read or write Ring 0 memory directly, the processor blocks the access and the process receives an error such as EXCEPTION_ACCESS_VIOLATION.
Rootkits bypass this protection by getting their own code into Ring 0 (typically by loading a malicious device driver), which allows them to:
✔ Modify core system functions.
✔ Hide malicious processes.
✔ Prevent security tools from detecting them.
📑 Rootkit Detection: GMER Logs 📑
GMER and other ARKs scan for rootkit modifications, flagging them as suspicious.
✔ Modified Interrupt Descriptor Table (IDT): (The handler for interrupt 0x52 points to an address GMER cannot attribute to any loaded module, shown as "?".)
Code
INT 0x52 - ? - 865B5BF8
✔ System Service Dispatch Table (SSDT) Hijack: (The ZwCreateEvent system call no longer points into the kernel but into a driver with a random-looking name.)
Code
SSDT \SystemRoot\System32\drivers\48a7ce85.sys ZwCreateEvent [0xBAA20CAD] <-- ROOTKIT !!!
✔ Device Driver Hijacking: (The IRP_MJ_CREATE dispatch routine of the Tcpip driver has been redirected.)
Code
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE 81828CEE
✔ Hidden Services: (The driver is set to start automatically but is concealed from the normal service list.)
Code
Service D:\WINDOWS\System32\DRIVERS\sysbus32.sys (*** hidden ***) [AUTO] sysbus32
✔ Registry Modification: (A key name with embedded null characters cannot be opened or deleted by normal registry tools.)
Code
HKLM\SECURITY\Policy\Secrets\SAC* 22.5.2007 14:25 0 bytes Key name contains embedded nulls (*)
✔ Alternate Data Stream (ADS) Abuse: (A driver file stored as a stream attached to the system32 directory, invisible to ordinary directory listings.)
Code
ADS D:\WINDOWS\system32:lzx32.sys <-- ROOTKIT !!!
✔ Hidden Processes and Modules: (explorer.exe is running as PID 3808 but has been removed from the process list that tools normally see.)
Code
Process C:\WINDOWS\explorer.exe (*** hidden *** ) 3808 <-- ROOTKIT !!!
🧩 How Rootkits Modify Memory Structures 🧩
Rootkits manipulate Windows' low-level memory structures, allowing them to hide and to persist on a system.
✔ Kernel Code Patching: (Injects malicious code into Windows kernel functions. Here 6 bytes of ZwQueryKey have been overwritten with a PUSH/RET trampoline that diverts execution to the rootkit's code at FC8152D4.)
Code
PAGE ntoskrnl.exe!ZwQueryKey + 201 8056F674 6 Bytes PUSH FC8152D4; RET
✔ IAT/EAT Modifications: (Redirects function calls to malicious code. Here explorer.exe's copy of CryptDestroyKey starts with a JMP into code outside ADVAPI32.dll.)
Code
.text C:\WINDOWS\explorer.exe[1136] ADVAPI32.dll!CryptDestroyKey 77DDA544 7 Bytes JMP 00D52B9A
✔ Disk Sector Modifications: (Alters the Master Boot Record (MBR) so the rootkit's code runs before Windows loads; because the original boot code is replaced, removing the infected MBR without restoring the original can leave the system unbootable.)
🔹 Impact: These changes allow the rootkit to survive reboots, hide from security tools, and maintain persistence.
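As an added example that is not part of the original post or of GMER, the following Python triages the log lines quoted in the two sections above, using GMER's own markers ("<-- ROOTKIT !!!", "*** hidden ***") and the record type at the start of each line. The sample log is constructed from those lines plus one made-up header line.

```python
import re

# Constructed sample log: the GMER lines quoted in this post plus a made-up header line.
SAMPLE_LOG = r"""
Rootkit scan 2025-03-21 09:37:00 (constructed header line)
INT 0x52 - ? - 865B5BF8
SSDT \SystemRoot\System32\drivers\48a7ce85.sys ZwCreateEvent [0xBAA20CAD] <-- ROOTKIT !!!
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE 81828CEE
Service D:\WINDOWS\System32\DRIVERS\sysbus32.sys (*** hidden ***) [AUTO] sysbus32
ADS D:\WINDOWS\system32:lzx32.sys <-- ROOTKIT !!!
Process C:\WINDOWS\explorer.exe (*** hidden *** ) 3808 <-- ROOTKIT !!!
PAGE ntoskrnl.exe!ZwQueryKey + 201 8056F674 6 Bytes PUSH FC8152D4; RET
.text C:\WINDOWS\explorer.exe[1136] ADVAPI32.dll!CryptDestroyKey 77DDA544 7 Bytes JMP 00D52B9A
"""
# Record types as they appear at the start of a GMER line, and what each one means.
RECORD_TYPES = {
    "INT": "IDT entry whose handler belongs to no known module", "SSDT": "system call redirected into a driver",
    "Device": "driver dispatch routine (IRP handler) hooked", "Service": "service or driver entry",
    "ADS": "alternate data stream under a system directory", "Process": "process record",
    "PAGE": "inline patch in kernel code", ".text": "inline patch in a user-mode module",
}
HOOK_TYPES = ("INT", "SSDT", "Device", "PAGE", ".text")
REDIRECT = re.compile(r"\b(?:JMP|PUSH) ([0-9A-F]{8})\b")            # where patched code jumps to
DRIVER = re.compile(r"(?:[A-Za-z]:|\\SystemRoot)\\[^\s\[]+\.sys")   # driver file named on the line

def triage_line(line):
    """Classify one GMER log line; GMER's own markers outrank the record type."""
    kind = line.split(None, 1)[0]
    rec = {"type": kind, "meaning": RECORD_TYPES.get(kind, "other"), "line": line}
    if "<-- ROOTKIT" in line:
        rec["verdict"] = "rootkit"       # GMER is certain
    elif "*** hidden ***" in line:
        rec["verdict"] = "hidden"        # object exists but is concealed from normal APIs
    elif kind in HOOK_TYPES:
        rec["verdict"] = "hook: review"  # may be legitimate (e.g. security software); check the owner
    else:
        rec["verdict"] = "info"
    m = REDIRECT.search(line)
    if m:
        rec["redirect_target"] = int(m.group(1), 16)
    m = DRIVER.search(line)
    if m:
        rec["driver"] = m.group(0)
    return rec

def triage(log):
    return [triage_line(l) for l in log.splitlines() if l.strip()]

def findings(log):
    """Everything that needs a human decision, most serious first."""
    order = {"rootkit": 0, "hidden": 1, "hook: review": 2}
    return sorted((r for r in triage(log) if r["verdict"] in order), key=lambda r: order[r["verdict"]])
```

The "driver" field is the file to look up next: on a real log, an SSDT or Device hook owned by a driver with a random-looking name under System32\drivers is far more suspicious than one owned by a known security product.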
🛠️ Manually Removing Rootkits 🛠️
Removing a rootkit manually is complex but follows a structured process:
- Identify the rootkit's driver (using GMER or another ARK).
- Prevent the rootkit from loading (disabling auto-start in Safe Mode).
- Delete the infected driver (remove malicious system files).
- Clean up registry modifications (remove hidden services, startup keys).
- Use an ARK like GMER to verify system integrity.
GMER is one of the most trusted tools for rootkit detection. While other ARKs exist, GMER remains the most effective at detecting kernel-level rootkits.
📌 Additional Anti-Rootkit (ARK) Tools 📌
✔ GMER - Detects hidden processes, services, and SSDT hooks.
✔ TDSSKiller - Targets bootkits and kernel-level infections.
✔ Malwarebytes Anti-Rootkit - A specialized tool for detecting stealth malware.
✔ HitmanPro.Alert - Uses behavioral analysis for rootkit detection.
🔚 Conclusion 🔚
Rootkits are one of the most sophisticated threats in malware analysis. They operate at the deepest levels of Windows, often evading detection by traditional antivirus software.
✔ Use ARKs like GMER to scan for signs of rootkit infections.
✔ Monitor system functions to detect suspicious behavior.
✔ Be cautious with what you install, as many rootkits are bundled with malicious software.
If you have any questions or need help, feel free to ask! 🚀