RootkitRevealer is an advanced rootkit detection utility. It runs on Windows NT 4 and higher, and its output lists discrepancies between the Registry and file system APIs that may indicate the presence of a user-mode or kernel-mode rootkit.
Persistent rootkits such as AFX, Vanquish and HackerDefender are successfully detected by RootkitRevealer. However, it is not intended to detect rootkits like Fu that do not attempt to hide their files or Registry keys.
Because persistent rootkits work by altering API results, so that the view of the system obtained through APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with those at the lowest level. The highest level is the Windows API; the lowest level is the raw contents of a file system volume or Registry hive (a hive is the Registry's on-disk storage format).
Therefore, when a rootkit, whether user-mode or kernel-mode, manipulates the Windows API to remove its presence from directory listings, RootkitRevealer sees a discrepancy between the information returned by the Windows API and that seen in the raw scan of a FAT or NTFS volume's file system structures.
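The cross-view comparison described above, as an added illustration that is not RootkitRevealer's own code: the high-level (API) view and the low-level (raw volume or hive) view are modelled as lists of entries, and every mismatch between them is reported. The paths, sizes and the "hidden" driver and service key are constructed placeholders, not real artifacts; the raw view is assumed to have been collected by some out-of-band parser, which this snippet does not implement.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str   # file path or Registry key path (assumed already normalised)
    size: int   # file size in bytes, or value-data length for a Registry key


@dataclass(frozen=True)
class Discrepancy:
    path: str
    kind: str   # one of the three kinds produced by cross_view_diff()


def cross_view_diff(api_view, raw_view):
    """Compare the Windows API view with the raw on-disk view and return
    every mismatch, sorted by path. Windows paths are case-insensitive, so
    the comparison keys are lower-cased."""
    api = {e.path.lower(): e for e in api_view}
    raw = {e.path.lower(): e for e in raw_view}
    findings = []
    for key, entry in raw.items():
        if key not in api:
            # On disk / in the hive but absent from the API listing: the
            # classic signature of a rootkit filtering API results.
            findings.append(Discrepancy(entry.path, "hidden_from_windows_api"))
        elif api[key].size != entry.size:
            # Both views see the object but disagree about it: either API
            # tampering or an object that changed between the two scans.
            findings.append(Discrepancy(entry.path, "metadata_mismatch"))
    for key, entry in api.items():
        if key not in raw:
            # Seen through the API but not in the raw structures: usually an
            # object created after the raw scan, so a benign timing artifact.
            findings.append(Discrepancy(entry.path, "visible_in_api_only"))
    return sorted(findings, key=lambda d: d.path.lower())


# Constructed sample views; names and sizes are placeholders.
RAW_VIEW = [
    Entry(r"C:\Windows\System32\kernel32.dll", 720_896),
    Entry(r"C:\Windows\System32\drivers\example-hidden.sys", 40_960),
    Entry(r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleHidden", 64),
    Entry(r"C:\Users\alice\notes.txt", 120),
]
API_VIEW = [
    Entry(r"C:\Windows\System32\kernel32.dll", 720_896),
    Entry(r"C:\Users\alice\notes.txt", 150),   # grew between the two scans
    Entry(r"C:\Users\alice\new.txt", 10),      # created after the raw scan
]


def run_sample():
    return cross_view_diff(API_VIEW, RAW_VIEW)
```

Only the "hidden_from_windows_api" findings point at API tampering; the other two kinds are what a legitimately changing system produces and need to be filtered out before anything is treated as a rootkit indicator.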
https://www.microsoft.com/technet/sysinternals