Can signature verification expose a rootkit?

3

I know that rootkits operate as part of the kernel, driver or service running on the system, injecting themselves into DLLs or installing as legitimate applications.

If I were to scan the system with sigverif.exe, would the files injected with the rootkit have broken signatures?

Dean

Posted 2011-08-19T16:29:59.453

Reputation: 349

Answers

4

Unlikely. Most rootkits hide themselves so that any access with the standard Win32 APIs would display the original file (if it was patched) and ignore any extra files/services added by the rootkit.

Also, sigverif only verifies files it knows to be signed – any additional files would simply be ignored.

RootkitRevealer is a more reliable tool. Some really nasty rootkits are only visible when comparing online and offline scans (for example, from Windows itself and from a Linux CD).

user1686

Posted 2011-08-19T16:29:59.453

Reputation: 283 655

How can you compare those 2? Is there a utility that does that? – Dean – 2011-08-19T16:40:09.197

@Dean: There should be, but I'm not aware of any :( – user1686 – 2011-08-19T16:42:49.260
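The online/offline comparison user1686 describes, as an added example (not code from the thread): a small Python script that diffs two sha256sum-style file listings, one hashed from the running Windows system and one hashed from the same volume mounted under a Linux live CD. The listings, the `/mnt/win` mount point and the hash values are constructed placeholders.

```python
from typing import Dict, List

# Constructed sample listings in sha256sum format (hash, two spaces, path).
# ONLINE_VIEW: hashed from the running Windows system (subject to API hooks).
# OFFLINE_VIEW: same volume hashed from a Linux live CD mounted at /mnt/win.
# Hash values are placeholders, not real file hashes.
ONLINE_VIEW = """\
aaaa1111  C:\\Windows\\System32\\ntoskrnl.exe
bbbb2222  C:\\Windows\\System32\\drivers\\disk.sys
cccc3333  C:\\Windows\\Temp\\update.log
"""
OFFLINE_VIEW = """\
aaaa1111  /mnt/win/Windows/System32/ntoskrnl.exe
dddd4444  /mnt/win/Windows/System32/drivers/disk.sys
eeee5555  /mnt/win/Windows/System32/drivers/hidden.sys
"""

def normalize(path: str, prefix: str) -> str:
    """Map both views onto one key: drop the drive/mount prefix, unify
    separators and case (NTFS paths are case-insensitive)."""
    p = path.replace("\\", "/")
    if p.lower().startswith(prefix.lower()):
        p = p[len(prefix):]
    return p.strip("/").lower()

def parse_listing(text: str, prefix: str) -> Dict[str, str]:
    """Parse sha256sum-style lines into {normalized_path: hash}."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.strip().split(None, 1)  # path may contain spaces
            result[normalize(path, prefix)] = digest.lower()
    return result

def cross_view_diff(online: Dict[str, str], offline: Dict[str, str]) -> Dict[str, List[str]]:
    """offline_only: on disk but invisible to the running system (hidden file).
    hash_mismatch: running system reports different content than is on disk (patched file).
    online_only: visible online but absent from disk (also normal for files changed between scans)."""
    return {
        "offline_only": sorted(set(offline) - set(online)),
        "online_only": sorted(set(online) - set(offline)),
        "hash_mismatch": sorted(p for p in set(online) & set(offline) if online[p] != offline[p]),
    }

if __name__ == "__main__":
    report = cross_view_diff(parse_listing(ONLINE_VIEW, "C:/"), parse_listing(OFFLINE_VIEW, "/mnt/win/"))
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind:14} {p}")
```

Files that are legitimately modified or created between the two passes will show up as well, so each discrepancy still needs to be checked by hand.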