Rootkit(s)

Whitepapers Tools (Anti)Rootkits Web Books

This page contains extensive information about rootkits, specially for Linux and Windows. Although a few references could be related with user-mode rootkits, it is specially focused on kernel-mode rootkits, one of the more advanced and complex security threads today.

Whitepapers

Sony, Rootkits and Digital Rights Management Gone Too Far Mark Russinovich October, 2005

Researchers: Rootkits headed for BIOS Robert Lemos January, 2006

Linux

Analysis of the T0rn Rootkit Toby Miller November, 2000

Hacker Tools and their Signatures, Part Three: Rootkits Toby Miller August, 2001

Finding hidden kernel modules (the extreme way) madsys August, 2003

Linux kernel rootkits: protecting the system’s "Ring-Zero" Raul Siles May, 2004

Linux Kernel Backdoors And Their Detection (code) Joanna Rutkowska October, 2004

Detecting Rootkits And Kernel-level Compromises In Linux Mariusz Burdach November, 2004

The Implementation of Passive Covert Channels in the Linux Kernel (Presentation) Joanna Rutkowska December, 2004

hiding processes (understanding the linux scheduler) ubra August, 2005

Sebek 3: tracking the attackers, part one Raul Siles January, 2006

Sebek 3: tracking the attackers, part two Raul Siles February, 2006

Windows

Hidden Registry Keys? (RegHide) (RegDelNull) Mark Russinovich February, 1999

Concepts for the Stealth Windows Rootkit (The Chameleon Project) Joanna Rutkowska November, 2003

Detecting Windows Server Compromises Joanna Rutkowska November, 2003

Detecting Windows Server Compromises with Patchfinder 2 Joanna Rutkowska January, 2004

Strider GhostBuster: Why It’s A Bad Idea For Stealth Software To Hide Files MS Research July, 2004

Rootkits Detection on Windows Systems Joanna Rutkowska October, 2004

Inside the Native API Mark Russinovich November, 2004

Detecting Stealth Software with Strider GhostBuster MS Research February, 2005

Finding some non-exported kernel variables in Windows XP (source code) Edgar Barbosa (Opc0de) April, 2005

Thoughts about Cross-View based Rootkit Detection Joanna Rutkowska June, 2005

Shadow Walker: Raising The Bar For Windows Rootkit Detection Sherri Sparks, James Butler August, 2005

SVV: Defining the Roadmap for Malware Detection on Windows System Joanna Rutkowska September, 2005

Windows rootkits of 2005, part one James Butler, Sherri Sparks November, 2005

Windows rootkits of 2005, part two James Butler, Sherri Sparks November, 2005

Windows rootkits of 2005, part three James Butler, Sherri Sparks January, 2006

Patching Policy for x64-Based Systems (system call hooking) Microsoft December, 2005

Bypassing PatchGuard on Windows x64 skape & Skywing January, 2006

Rootkit Hunting vs. Compromise Detection (Videos) Joanna Rutkowska January, 2006

Tools

Linux

Samhain Samhain labs SAMHAIN file integrity/IDS - stealth mode

Windows

WinDbg Microsoft Debugging Tools for Windows 32-bit Version

Windows Symbols Microsoft Windows Symbol Packages

DDK Microsoft Microsoft Windows Driver Development Kit (DDK) (Windows Driver Kit Documentation) (Index)

KMDF Microsoft Kernel-Mode Driver Framework ( WDFv10.iso - Dir: W2K3DDK) (Architecture, Samples)

InstDriver.exe Hoglund's vault Installation/Deinstallation driver tool

DebugView Sysinternals Monitor debug kernel & Win-32 output (locally or remotelly)

LiveKd Sysinternals Run Kd and Windbg Microsoft kernel debuggers live

(Anti)Rootkits

Sebek Edward Balas Honeynet data-capture rootkit (documentation 2.x)

Linux

NUSHU Joanna Rutkowska TCP ISN based passive covert channel for Linux kernels

Uberlogger Rstack Kernel module for data capture and export (like Sebek)

[ Antirootkits ]

Unhide yjesus Forensic tool to find hidden processes and TCP/UDP ports

Windows

FU rootkit fuzen_op FU rootkit by Direct Kernel Object Manipulation. No hooking.

FUto Peter Silberman & C.H.A.O.S. FUto rootkit: advanced stealth technique (code)

[ Antirootkits ]

RootkitRevealer Sysinternals Advanced patent-pending root kit detection utility (Forum)

Strider Ghostbuster Microsoft Research Strider GhostBuster Rootkit Detection

F-Secure BlackLight F-Secure Rootkit Elimination Technology to detects hidden objects

IceSword pjf Rootkit Detector

KLISTER Joanna Rutkowska Rootkit hidden processes detector

Patchfinder2 Joanna Rutkowska Rootkit detector: Execution Path Analysis

FLISTER Joanna Rutkowska Rootkit hidden files detector

modGREPER Joanna Rutkowska Kernel memory module finder

SVV Joanna Rutkowska System Virginity Verifier: stealth malware checker

Web

invisiblethings.org Joanna Rutkowska: stealth technology

uninformed.org Technical outlet: Informative Information for the Uninformed

Linux

LWN.net Kernel Page Linux Weekly News (LWN) kernel articles index

Windows

rootkit.com The Windows rootkit web page

Microsoft WHDC WHDC: Resources for system designers, driver developers, and test engineers

Books

Linux

Linux Device Drivers (3rd Edition) (*) (2.6.10) (examples) J. Corbet, A. Rubini, G. Kroah-Hartman (O'Reilly) February 2005

API changes in the 2.6 kernel series (+2.6.10) Jonathan Corbet January, 2005

Linux Device Drivers (2nd Edition) (2.0 - 2.4) (examples) J. Corbet, A. Rubini (O'Reilly) June 2001

Understanding the Linux Kernel, 3rd Ed. D. P. Bovet, M. Cesati (O'Reilly) November 2005

Understanding the Linux Kernel, 1st Ed. (2nd Ed.) D. P. Bovet, M. Cesati (O'Reilly) Oct 2000 (Dec 2002)

Windows

Rootkits : Subverting the Windows Kernel G. Hoglund, J. Butler (Addison-Wesley) July 2005

Microsoft Windows Internals, 4th Ed. Mark E. Russinovich, David A. Solomon (Microsoft Press) December 2004

Sony, Rootkits and Digital Rights Management Gone Too Far	Mark Russinovich	October, 2005
Researchers: Rootkits headed for BIOS	Robert Lemos	January, 2006
Linux
Analysis of the T0rn Rootkit	Toby Miller	November, 2000
Hacker Tools and their Signatures, Part Three: Rootkits	Toby Miller	August, 2001
Finding hidden kernel modules (the extreme way)	madsys	August, 2003
Linux kernel rootkits: protecting the system’s "Ring-Zero"	Raul Siles	May, 2004
Linux Kernel Backdoors And Their Detection (code)	Joanna Rutkowska	October, 2004
Detecting Rootkits And Kernel-level Compromises In Linux	Mariusz Burdach	November, 2004
The Implementation of Passive Covert Channels in the Linux Kernel (Presentation)	Joanna Rutkowska	December, 2004
hiding processes (understanding the linux scheduler)	ubra	August, 2005
Sebek 3: tracking the attackers, part one	Raul Siles	January, 2006
Sebek 3: tracking the attackers, part two	Raul Siles	February, 2006
Windows
Hidden Registry Keys? (RegHide) (RegDelNull)	Mark Russinovich	February, 1999
Concepts for the Stealth Windows Rootkit (The Chameleon Project)	Joanna Rutkowska	November, 2003
Detecting Windows Server Compromises	Joanna Rutkowska	November, 2003
Detecting Windows Server Compromises with Patchfinder 2	Joanna Rutkowska	January, 2004
Strider GhostBuster: Why It’s A Bad Idea For Stealth Software To Hide Files	MS Research	July, 2004
Rootkits Detection on Windows Systems	Joanna Rutkowska	October, 2004
Inside the Native API	Mark Russinovich	November, 2004
Detecting Stealth Software with Strider GhostBuster	MS Research	February, 2005
Finding some non-exported kernel variables in Windows XP (source code)	Edgar Barbosa (Opc0de)	April, 2005
Thoughts about Cross-View based Rootkit Detection	Joanna Rutkowska	June, 2005
Shadow Walker: Raising The Bar For Windows Rootkit Detection	Sherri Sparks, James Butler	August, 2005
SVV: Defining the Roadmap for Malware Detection on Windows System	Joanna Rutkowska	September, 2005
Windows rootkits of 2005, part one	James Butler, Sherri Sparks	November, 2005
Windows rootkits of 2005, part two	James Butler, Sherri Sparks	November, 2005
Windows rootkits of 2005, part three	James Butler, Sherri Sparks	January, 2006
Patching Policy for x64-Based Systems (system call hooking)	Microsoft	December, 2005
Bypassing PatchGuard on Windows x64	skape & Skywing	January, 2006
Rootkit Hunting vs. Compromise Detection (Videos)	Joanna Rutkowska	January, 2006

Linux
Samhain	Samhain labs	SAMHAIN file integrity/IDS - stealth mode
Windows
WinDbg	Microsoft	Debugging Tools for Windows 32-bit Version
Windows Symbols	Microsoft	Windows Symbol Packages
DDK	Microsoft	Microsoft Windows Driver Development Kit (DDK) (Windows Driver Kit Documentation) (Index)
KMDF	Microsoft	Kernel-Mode Driver Framework ( WDFv10.iso - Dir: W2K3DDK) (Architecture, Samples)
InstDriver.exe	Hoglund's vault	Installation/Deinstallation driver tool
DebugView	Sysinternals	Monitor debug kernel & Win-32 output (locally or remotelly)
LiveKd	Sysinternals	Run Kd and Windbg Microsoft kernel debuggers live

Sebek	Edward Balas	Honeynet data-capture rootkit (documentation 2.x)
Linux
NUSHU	Joanna Rutkowska	TCP ISN based passive covert channel for Linux kernels
Uberlogger	Rstack	Kernel module for data capture and export (like Sebek)
	[ Antirootkits ]
Unhide	yjesus	Forensic tool to find hidden processes and TCP/UDP ports
Windows
FU rootkit	fuzen_op	FU rootkit by Direct Kernel Object Manipulation. No hooking.
FUto	Peter Silberman & C.H.A.O.S.	FUto rootkit: advanced stealth technique (code)
	[ Antirootkits ]
RootkitRevealer	Sysinternals	Advanced patent-pending root kit detection utility (Forum)
Strider Ghostbuster	Microsoft Research	Strider GhostBuster Rootkit Detection
F-Secure BlackLight	F-Secure	Rootkit Elimination Technology to detects hidden objects
IceSword	pjf	Rootkit Detector
KLISTER	Joanna Rutkowska	Rootkit hidden processes detector
Patchfinder2	Joanna Rutkowska	Rootkit detector: Execution Path Analysis
FLISTER	Joanna Rutkowska	Rootkit hidden files detector
modGREPER	Joanna Rutkowska	Kernel memory module finder
SVV	Joanna Rutkowska	System Virginity Verifier: stealth malware checker

invisiblethings.org	Joanna Rutkowska: stealth technology
uninformed.org	Technical outlet: Informative Information for the Uninformed
Linux
LWN.net Kernel Page	Linux Weekly News (LWN) kernel articles index
Windows
rootkit.com	The Windows rootkit web page
Microsoft WHDC	WHDC: Resources for system designers, driver developers, and test engineers

Linux
Linux Device Drivers (3rd Edition) (*) (2.6.10) (examples)	J. Corbet, A. Rubini, G. Kroah-Hartman (O'Reilly)	February 2005
API changes in the 2.6 kernel series (+2.6.10)	Jonathan Corbet	January, 2005
Linux Device Drivers (2nd Edition) (2.0 - 2.4) (examples)	J. Corbet, A. Rubini (O'Reilly)	June 2001
Understanding the Linux Kernel, 3rd Ed.	D. P. Bovet, M. Cesati (O'Reilly)	November 2005
Understanding the Linux Kernel, 1st Ed. (2nd Ed.)	D. P. Bovet, M. Cesati (O'Reilly)	Oct 2000 (Dec 2002)
Windows
Rootkits : Subverting the Windows Kernel	G. Hoglund, J. Butler (Addison-Wesley)	July 2005
Microsoft Windows Internals, 4th Ed.	Mark E. Russinovich, David A. Solomon (Microsoft Press)	December 2004