> But if you are a hidden process, you can see hidden resources
What if I already have a rootkit on my system? Can I, by creating a hidden
process with DR, use a shell to see those other hidden rootkit processes?
Then it would be a nice security tool.
Posted Sep 12, 2008 15:17 UTC (Fri) by cde (guest, #46554)
All rootkits can be detected when you know where to look (except perhaps hypervisor rootkits).
In this case the trick is to reload a new bare IDT with lidt (which can't be trapped with DR), and then proceed to clear all debug registers before checking for signs of the rootkit. I don't know of any ARK software that does this yet (switching the IDT is a bit dangerous, and has to be done for all processors).
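Added example (not from this thread or from any ARK the commenter mentions): once an anti-rootkit check has read DR7 and DR0-DR3 at ring 0, it still has to interpret them. This decodes the DR7 enable/type/length bitfields for the four hardware breakpoint slots and flags execute breakpoints on kernel-space addresses, which is what a debug-register hook leaves behind. The register values below are constructed samples; obtaining the real ones from kernel mode is assumed to happen elsewhere.

```c
/* Decode x86 debug registers for an anti-rootkit check.
 * Assumption: dr7 and dr[0..3] were read at ring 0 by the caller. */
#include <stdint.h>
#include <stdio.h>

struct hwbp {
    int enabled;    /* L<i> or G<i> bit set in DR7 */
    int type;       /* RW<i>: 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    int len;        /* LEN<i>: 0 = 1 byte, 1 = 2 bytes, 2 = 8 bytes, 3 = 4 bytes */
    uint64_t addr;  /* linear address held in DR<i> */
};

/* Fill out[0..3] from DR7 and DR0-DR3; returns how many slots are enabled. */
int decode_dr(uint64_t dr7, const uint64_t dr[4], struct hwbp out[4])
{
    int enabled = 0;
    for (int i = 0; i < 4; i++) {
        int local  = (int)((dr7 >> (2 * i)) & 1);       /* L0..L3: bits 0,2,4,6 */
        int global = (int)((dr7 >> (2 * i + 1)) & 1);   /* G0..G3: bits 1,3,5,7 */
        out[i].enabled = local | global;
        out[i].type = (int)((dr7 >> (16 + 4 * i)) & 3); /* RW<i>: 2 bits */
        out[i].len  = (int)((dr7 >> (18 + 4 * i)) & 3); /* LEN<i>: 2 bits */
        out[i].addr = dr[i];
        enabled += out[i].enabled;
    }
    return enabled;
}

/* An enabled execute breakpoint on a kernel-space address (upper canonical
 * half on x86-64) is the signature a DR-based hook leaves; a debugger
 * on user code sets breakpoints on user addresses instead. */
int suspicious_kernel_exec_bp(const struct hwbp *bp)
{
    return bp->enabled && bp->type == 0 && (bp->addr >> 63) == 1;
}

int count_suspicious(uint64_t dr7, const uint64_t dr[4])
{
    struct hwbp bp[4];
    int hits = 0;
    decode_dr(dr7, dr, bp);
    for (int i = 0; i < 4; i++)
        hits += suspicious_kernel_exec_bp(&bp[i]);
    return hits;
}

int main(void)
{
    /* Constructed sample: slot 0 = global execute bp on a kernel address,
     * slot 1 = local 4-byte write bp on a user address. DR7 = 0xD00006. */
    uint64_t dr[4] = { 0xffffffff81000000ULL, 0x00007fff12345000ULL, 0, 0 };
    printf("suspicious slots: %d\n", count_suspicious(0xD00006ULL, dr));
    return 0;
}
```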
DR rootkit released under the GPL
Posted Dec 14, 2008 20:02 UTC (Sun) by trv (guest, #55399)
The IDT is not modified by this rootkit, so what's the use of loading a new IDT?