A rootkit is a new kind of malware whose first objective is to hidde itself on the infected system by hooking kernel messages. That means that an administrator checking the status of the computer will be not able to detect files, connections, registry keys or services deployed by the rootkit.

Back to the year 2004, Windows Rootkits began to grow, one of the best examples is the hacker defender (hxdef) Rootkit. At that, time there were no valid solutions for detecting those malware, as antivirus and other security tools engines were not prepared to deal with those new techics.

Our previous rootkit detection engines were bassed on checking signatures and searching for differences in how the system works when a rootkit is running. Most of those tricks worked only because rootkits were not perfect, but rootkit developers began to fix those bugs. At that moment, we develop a new technique to detect rootkits. As there is no way to trust information returned by an infected system, we decide to do an online security forensic analysis to the disk with an external filesystem driver, gather as much information as we can and compare that information with the one returned by the system.

If there are data mismatch, means that an extern agent, probably a rootkit, is modifing the information. To develop such task we coded a FAT32 and NTFS filesystem driver and a binary registry analyzer to compare windows results with the ones that our tool recover from the disk, and we presented that tool, named Rkdetector, at the NoConName (NCN) 2004 edition, an spanishSecurity Congress.



Rkdetector was the first new generation rootkit detector tool, offering same features as the most known Sysinternals RootkitRevealer Software.

Rkdetector Features:

- Hidden File detection.

- Hidden registry keys detection.

- ADS (Alternate Data Streams) detection.

- Rootkit deletion, by wipping the used binary files and rebooting the system.

- Data recovery for both FAT32 and NTFS filesystem.

- Filesystem browser.





Rkdetector engine is free for personal usage, however if you want to deploy it for a security reviews you can buy a license at main rkdetector website and also get a console edition, that allows you check systems from a command line, or from an startup script.

For developers there is also for sale an SDK, whose examples will be available at sometime. Here is an example of the include files




Download Rkdetector v2.2 beta (Windows executable )