Hi David,
Everything Search is a great program, something that puts Microsoft to shame for not coming up with this themselves and causing its users to waste millions of hours waiting for the retarded Folder Search to find a file. I have donated to this program and encourage others to try and do the same.
Now for my question. If I correctly understand how the program works and how rootkits hide themselves, then Everything Search is an ideal tool to search for a rootkit by its name. One types its name into the search box, and since Everything Search is not dependent on Microsoft directory access APIs, the hiding technique of the rootkits (i.e., hooks installed by nefarious drivers) does not affect it, and those files will be visible in plain view. Obviously, if you then go to Windows Explorer with the path, you won't see them, but you will know for sure they're there.
Is the above indeed the case?
If it is, then I think it will be useful information to publish on the site - yet another virtue of this amazing program.
Thanks
Dror
EverythingSearch and rootkits
Re: EverythingSearch and rootkits
I was just going to post how awesome Everything is because of this very thing! This is absolutely true.
I've been removing trojans from a friend's computer and Everything was able to see a number of files hidden by a rootkit!
I was confused at first because clicking or right-clicking on them didn't do ANYTHING. It was like they didn't exist, yet Everything said they were there.
For the curious, the filenames were similar to the following.
C:\Windows\System32\ovfsth[insert random characters here]
C:\Windows\System32\drivers\ovfsth[insert random characters here]
Best program ever... (although, I'm ANXIOUSLY awaiting the items on his To-Do list that Ava Find has.)
Re: EverythingSearch and rootkits
It doesn't find $MFT, so either it's not bypassing the Windows API or it doesn't catch everything. It's in no way reliable for detecting rootkits this way.
Re: EverythingSearch and rootkits
@maniaxx:
Have you considered that it just chooses not to show $MFT -- this program uses $MFT to do its magic so it is likely that it is not showing it -- there is nothing useful you can directly do with it.
My point is that the rootkit habit of using files and masking them out at the Windows API level is something that Everything Search sees right through. This is not a rootkit detection program, but it is surely a useful tool for finding them if you have some idea of their location or naming.
/d
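The idea discussed in this thread, a listing taken through the ordinary Windows directory APIs compared against a listing taken from a lower-level source such as an MFT-based index, is the classic "cross-view" check. The following is an added example and is not code from the forum, from Everything, or from its author; both listings are constructed sample data, and the `ovfsthexampleonly` names are placeholders standing in for the random names mentioned above. It also handles the $MFT point raised in the thread: NTFS metafiles are expected to be absent from an API view, so they are excluded rather than reported as hidden.

```python
"""
Cross-view comparison of two file listings (added example, not part of the
thread or of the Everything program).

A user-mode rootkit that filters directory enumeration can hide a file from
Explorer and FindFirstFile, but not from a listing built directly from the
MFT. Anything present in the low-level view and absent from the API view
is reported as a candidate hidden file. NTFS metafiles are skipped because
ordinary directory enumeration never returns them, so their absence is
expected rather than suspicious.
"""
from __future__ import annotations

# NTFS metafiles: recorded in the MFT but never returned by normal
# directory enumeration. A difference on these is normal, not a rootkit.
NTFS_METAFILES = {
    "$mft", "$mftmirr", "$logfile", "$volume", "$attrdef", "$bitmap",
    "$boot", "$badclus", "$secure", "$upcase", "$extend",
}

# Constructed sample: what Explorer / the Win32 API reported.
API_VIEW = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Windows\System32\drivers\tcpip.sys",
]

# Constructed sample: what an MFT-based index reported for the same volume.
# The two "ovfsthexampleonly" names are placeholders, not real indicators.
MFT_VIEW = [
    r"C:\$MFT",
    r"C:\$LogFile",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\NTDLL.DLL",                      # same file, different case
    r"C:\Windows\System32\ovfsthexampleonly.dll",          # hidden from the API view
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Windows\System32\drivers\tcpip.sys",
    r"C:\Windows\System32\drivers\ovfsthexampleonly.sys",  # hidden from the API view
]


def normalise(path: str) -> str:
    """NTFS path comparison is case-insensitive; use one canonical form."""
    return path.replace("/", "\\").rstrip("\\").lower()


def is_metafile(path: str) -> bool:
    """True for NTFS metafiles such as $MFT, which no API listing shows."""
    name = normalise(path).rsplit("\\", 1)[-1]
    return name in NTFS_METAFILES


def cross_view_diff(api_view: list[str], low_level_view: list[str]) -> tuple[list[str], list[str]]:
    """
    Compare the two views.

    Returns (hidden, phantom):
      hidden  - normalised paths seen by the low-level view but not by the API
                view, with NTFS metafiles removed; these are the candidates
                worth examining by hand.
      phantom - paths the API view reports that the low-level view lacks;
                usually a stale index rather than anything malicious.
    """
    api = {normalise(p) for p in api_view}
    low = {normalise(p) for p in low_level_view}
    hidden = sorted(p for p in low - api if not is_metafile(p))
    phantom = sorted(api - low)
    return hidden, phantom


if __name__ == "__main__":
    hidden, phantom = cross_view_diff(API_VIEW, MFT_VIEW)
    for p in hidden:
        print("hidden from API view:", p)
    for p in phantom:
        print("missing from low-level view (index stale?):", p)
```

In practice the two input lists would come from running a normal directory walk and exporting the low-level index for the same directories at about the same time; any gap between the two snapshots shows up as "phantom" entries, which is why the example reports them separately instead of treating every difference as hidden.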
Re: EverythingSearch and rootkits
hmm interesting.. never used a search application to find rootkits..
I mean, first of all you've to know what you're looking for to be able to use the search.
What I do is consult the lovely DOS prompt,
just dir /a and attrib -s -h -r *.* /s /d
and use Sysinternals Process Explorer, Autoruns and rootkit finder..