Winternals: Defragmentation, Recovery, and Administration Field Guide

In this example, we will see how you can use Process Explorer to detect a rootkit that installs a malware service and a kernel driver. The rootkit is hxdef, which is a variant of Hacker Defender. Autoruns is able to spot the hxdef Registry autostart entries under Services for both the Hacker Defender service and the driver.
Ordinarily, Process Explorer and Autoruns would be unable to detect the hidden rootkit components in Hacker Defender. That is because Hacker Defender uses a kernel-mode driver, which makes the files and processes invisible to traditional system analysis tools.
To make the rootkit processes and files visible, even while the rootkit is running, we are going to use another tool in conjunction with the Sysinternals tools: AntiHookExec. Hacker Defender hides itself by hooking the system APIs that enumerate processes, files, and Registry keys. AntiHookExec undoes those hooks for the program it launches, restoring the original APIs, so Process Explorer and Autoruns are presented with an uncompromised view of the computer and can see the hxdef processes, files, and Registry autostarts.
Here is a summary of the steps we will follow to use AntiHookExec.exe in combination with Autoruns and Process Explorer for detecting hidden rootkit components:
1. Download and install AntiHookExec.exe from www.security.org.sg/code/antihookexec.html.
2. Change the PATH environment variable to include the AntiHookExec directory.
3. Launch Autoruns and Process Explorer from the run line through AntiHookExec.
4. View Autoruns for...
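The procedure above, scripted as an added example (this is not code from the book or from the AntiHookExec author): it puts the tool directory on the session PATH, runs the same process listing natively and through AntiHookExec so that anything the rootkit hides shows up as a difference, then launches Autoruns and Process Explorer through AntiHookExec. It assumes an install directory of C:\Tools\AntiHookExec and that AntiHookExec takes the target program and its arguments on its command line.

```powershell
# Added example, not from the book. Assumes AntiHookExec.exe, autoruns.exe and
# procexp.exe all live in $ToolDir and that AntiHookExec is invoked as
# "AntiHookExec.exe <program> [args]".
$ToolDir = 'C:\Tools\AntiHookExec'   # assumed install directory

# Step 2 of the guide: make the tools resolvable for this session only.
$env:PATH = "$ToolDir;$env:PATH"

foreach ($exe in 'AntiHookExec.exe', 'autoruns.exe', 'procexp.exe') {
    if (-not (Get-Command $exe -ErrorAction SilentlyContinue)) {
        throw "$exe not found on PATH; check $ToolDir"
    }
}

# tasklist /fo csv /nh emits: Image Name, PID, Session Name, Session#, Mem Usage.
$hdr = 'Image', 'PID', 'Session', 'SessNum', 'Mem'

# Native view: the enumeration APIs may be hooked by the rootkit.
$hooked = tasklist /fo csv /nh | ConvertFrom-Csv -Header $hdr |
          ForEach-Object { $_.Image.ToLower() } | Sort-Object -Unique

# Same query launched through AntiHookExec, i.e. with the hooks undone.
$clean  = AntiHookExec.exe tasklist /fo csv /nh | ConvertFrom-Csv -Header $hdr |
          ForEach-Object { $_.Image.ToLower() } | Sort-Object -Unique

# Image names present only in the unhooked list are candidates for hidden
# rootkit components such as the hxdef service process.
$hidden = Compare-Object -ReferenceObject $hooked -DifferenceObject $clean |
          Where-Object SideIndicator -eq '=>' |
          Select-Object -ExpandProperty InputObject

if ($hidden) {
    Write-Host 'Processes visible only through AntiHookExec (possible rootkit components):'
    $hidden | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'No difference between the native and unhooked process lists.'
}

# Step 3 of the guide: start the Sysinternals GUIs through AntiHookExec so
# they inherit the uncompromised API view.
Start-Process -FilePath 'AntiHookExec.exe' -ArgumentList 'autoruns.exe'
Start-Process -FilePath 'AntiHookExec.exe' -ArgumentList 'procexp.exe'
```

A process that appears in both lists is not proof of a clean system; the comparison only surfaces what the hooks were concealing from the native enumeration.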