[News] (anti-rootkit tool test) Hidden Process & Dynamic-Link Library Detection Test

蝦米仔
Posted on 2009-12-6 21:49:40
This post was last edited by 蝦米仔 on 2009-12-6 21:51

Saw this on Wilders, so I'm reposting it here for everyone to look at.
Hidden Process Detection Test
http://www.ntinternals.org/process_detection_test.php
the linked page presents the results in a matrix, along with the author's methodology notes

methods tested:
- PspNotifyRoutine - RECALLING
- PsActiveProcessLinks - DKOM
- ObjectTable (HANDLE_TABLE) - DKOM
- CSRSS ObjectTable (HANDLE_TABLE) - ERASING
- PspCidTable (HANDLE_TABLE) - ERASING
- SessionProcessLinks - DKOM
- WorkingSetExpansionLinks - DKOM
- ObjectTypeList - DKOM
- CSR_PROCESS/CSR_THREAD - DKOM
- PID & IMAGE NAME - CHANGING
- OBJECT & OBJECT_TYPES - MANIPULATION
- THREAD OBJECT - MANIPULATION

products tested:
ARK2007 1.0
ATool 1.0021
Avast! Antirootkit 1.0.0.1
AVG Anti-Rootkit 1.1.0.42
Avira AntiRootkit Tool 1.1.0.1
AVZ 4.32
BitDefender Rootkit Uncover 1.0
CMC CodeWalker 0.2.4.500
CsrWalker 1.0.0.600
DarkSpy Anti-Rootkit 1.0.5
DeepMonitor 1.8
DiamondCS Deep System Explorer 1.0.406
Dr.Web DwShark 1.0.0.11140
ESET SysInspector 1.2.021.0
F-Secure BlackLight 2.2.1092.0
GMER 1.0.15.15227
Helios 1.1
Helios Lite 1.0
Hidden Finder 1.5.6.7
IceSword 1.2.2
Kernel Detective 1.3.0
KLISTER 0.4
KsBinSword 1.0.0.1
kX-Ray 1.0.0.98
Malware Defender 2.4.4
McAfee Rootkit Detective 1.1.0.1
NhsScan 0.9.4
NIAP Rootkit Detect Tools 1.02
Panda Anti-Rootkit 1.08.00
PScanner++ 1.8.3.0
Process Hunter 1.0
Process Master 1.1
Process Walker (EP_X0FF & MP_ART) 1.0.8
ProcessWalker Express 5.4.1000.10
RootKit Hook Analyzer 3.02
Rootkit Unhooker LE 3.8.LE.383.585.SR1
RootRepeal 1.3.5
Safe'n'Sec Rootkit Detector 1.0.0.2
SafetyCheck 1.7
SanityCheck 2.00
SnipeSword 1.0.2.2
Sophos Anti-Rootkit 1.5.0
SpyDLLRemover 2.5
Spyware Process Detector 3.20
SysProt AntiRootkit 1.0.1.0
SysReveal 1.0.0.7
System Eyes & Ears Monitor 4.5
Trend Micro RootkitBuster 2.80.1077 Beta
USEC Radix 1.0.0.9
Vba32 AntiRootkit 3.12.4.0
Wsyscheck 1.68.33
XueTr 0.30
Yas Anti RootKit 1.223


page presenting related testing & results:
Hidden Dynamic-Link Library Detection Test
http://www.ntinternals.org/dll_detection_test.php

methods tested:
- InLoadOrderModuleList - DKOM
- InMemoryOrderModuleList - DKOM
- InInitializationOrderModuleList - DKOM
- HashLinks - DKOM
- ProcessObject - MANIPULATION
- Vad - ERASING

products tested:
ArcaVir Process Manager 2010.0.0.6
ATool 1.0021
Dr.Web DwShark 1.0.0.11140
GMER 1.0.15.15163
HookExplorer 1.0
HookShark BETA 0.6
IceSword 1.22
KernelDetective 1.3.0
kX-Ray 1.0.0.98
MalwareDefender 2.4.3
NhsScan 0.9.5
ProcessWalker Express 5.4.1000.10
RkU 3.8.382.584
RootRepeal 1.3.5
SEEM 4.5
SpyDllRemover 2.5
Spyware Process Detector 3.20
SysInspector 1.2.021.0
SysReveal 1.0.0.7
VMMap 2.4
XueTr 0.29

website: http://www.ntinternals.org/index.php
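The "methods tested" list above is a catalogue of ways a process can be made to disappear from one particular kernel structure (DKOM unlinking from PsActiveProcessLinks, erasing a PspCidTable entry, and so on), and the whole point of scoring a tool per method is that a detector which walks only one structure misses exactly the method that tampers with that structure. The following is an added example, not code from this post or from ntinternals.org: a small Python model of three independent process views, simulated tampering on toy data structures only, and the cross-view diff that ARK tools use to flag a process one view still sees but another does not. All structure names, process entries and PIDs are constructed stand-ins.

```python
"""Cross-view detection of a hidden process, as a toy model of the test above.

Constructed example: three independent "views" of the process population,
modelled on structures the test names (PsActiveProcessLinks, PspCidTable,
SessionProcessLinks), plus simulated tampering in the test's DKOM / ERASING
categories. A detector that never trusts a single view reports any process
that at least one view still sees but another does not. None of this touches
a real kernel; the structures and the sample process table are made up here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Entry = Tuple[int, str]  # (pid, image name)


@dataclass
class Process:
    pid: int
    image: str
    flink: Optional["Process"] = None  # next in the circular list
    blink: Optional["Process"] = None  # previous in the circular list


class ToyKernel:
    """Stand-in for the kernel-side bookkeeping an ARK tool walks."""

    def __init__(self, entries: List[Entry]):
        procs = [Process(pid, name) for pid, name in entries]
        n = len(procs)
        for i, p in enumerate(procs):            # circular doubly-linked list
            p.flink = procs[(i + 1) % n]
            p.blink = procs[(i - 1) % n]
        self.list_head: Process = procs[0]       # PsActiveProcessLinks analogue
        self.cid_table: Dict[int, Process] = {p.pid: p for p in procs}  # PspCidTable analogue
        self.session_links: List[Process] = list(procs)  # SessionProcessLinks analogue
        self._objects = {p.pid: p for p in procs}  # used only to apply simulated tampering

    # ---- views: each walks one structure and knows nothing about the others ----
    def view_active_links(self) -> Set[Entry]:
        seen: Set[Entry] = set()
        node = self.list_head
        while True:
            seen.add((node.pid, node.image))
            node = node.flink
            if node is self.list_head:
                break
        return seen

    def view_cid_table(self) -> Set[Entry]:
        return {(p.pid, p.image) for p in self.cid_table.values()}

    def view_session_links(self) -> Set[Entry]:
        return {(p.pid, p.image) for p in self.session_links}

    # ---- simulated tampering, one per test category (toy data structures only) ----
    def tamper(self, pid: int, how: str) -> None:
        p = self._objects[pid]
        if how == "active":            # DKOM: relink the neighbours around the node
            p.blink.flink = p.flink
            p.flink.blink = p.blink
            if self.list_head is p:
                self.list_head = p.flink
        elif how == "cid":             # ERASING: drop the table entry
            del self.cid_table[pid]
        elif how == "session":         # DKOM on the flat session list
            self.session_links.remove(p)
        else:
            raise ValueError(how)


def cross_view_diff(views: Dict[str, Set[Entry]]) -> Dict[int, List[str]]:
    """Return {pid: [views that miss it]} for every entry absent from at least one view.

    A process is a hidden-process candidate when the union of all views
    contains it but some view does not. If every view has been tampered with,
    the union itself is incomplete and nothing is reported: that is the limit
    of cross-view diffing and the reason the test scores tools per method.
    """
    union: Set[Entry] = set().union(*views.values())
    findings: Dict[int, List[str]] = {}
    for pid, image in sorted(union):
        missing = [name for name, members in views.items() if (pid, image) not in members]
        if missing:
            findings[pid] = missing
    return findings


def detect_after(tampers: List[str]) -> Dict[int, List[str]]:
    """Build the constructed process table, apply the tampers to pid 6666, diff the views."""
    k = ToyKernel([(4, "System"), (400, "csrss.exe"), (1234, "explorer.exe"), (6666, "hidden.exe")])
    for how in tampers:
        k.tamper(6666, how)
    views = {
        "ActiveProcessLinks": k.view_active_links(),
        "PspCidTable": k.view_cid_table(),
        "SessionProcessLinks": k.view_session_links(),
    }
    return cross_view_diff(views)


if __name__ == "__main__":
    for case in ([], ["active"], ["active", "cid"], ["active", "cid", "session"]):
        print(f"tampered views {case!r:40} -> findings {detect_after(case)}")
```

The last case in the demo is the one that matters for reading the test matrix: once the sample process is removed from every view the detector knows about, the union is silently short by one entry and the diff reports nothing, which is why a tool that adds more independent views (handle tables, CSRSS bookkeeping, thread objects, or a PID brute-force) scores better against more of the listed methods.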
白羊座
Posted on 2009-12-6 21:53:00
Is there a rootkit test tool that can find hidden files?
1e3e
Posted on 2009-12-6 21:54:27
Thanks for sharing.
dl123100
Posted on 2009-12-6 22:08:14
I noticed this back when the tester was collecting ARKs for the test.
Not very meaningful.
The process part misses some methods.
For module enumeration, XueTr 0.30 combined with the enhanced process memory viewer may be able to meet the author's "green" standard; the new version will keep fixing bugs.
穿越星空
Posted on 2009-12-6 22:09:15
Could someone translate this? I really can't understand it, apart from the list of a bunch of ARKs.
gxrsprite
Posted on 2009-12-8 21:30:28
I can't understand any of it...... Can someone say how the test went??
IllusionWing
Posted on 2009-12-8 21:48:58
- PspNotifyRoutine - RECALLING
- PsActiveProcessLinks - DKOM
- ObjectTable (HANDLE_TABLE) - DKOM
- CSRSS ObjectTable (HANDLE_TABLE) - ERASING
- PspCidTable (HANDLE_TABLE) - ERASING
- SessionProcessLinks - DKOM
- WorkingSetExpansionLinks - DKOM
- ObjectTypeList - DKOM
- CSR_PROCESS/CSR_THREAD - DKOM
- PID & IMAGE NAME - CHANGING
- OBJECT & OBJECT_TYPES - MANIPULATION
- THREAD OBJECT - MANIPULATION

Nothing much to it.
mikestone
Posted on 2009-12-16 10:03:48
I can't understand it either! Hehe!
babyprotect
Posted on 2009-12-16 10:06:03
Ancient news of a test.. ignoring it.