RootRepeal - Rootkit Detector


A new rootkit detector - currently in beta.

Information

RootRepeal is a new rootkit detector currently in public beta.  It is designed with the following goals in mind:

  1. Easy to use - a user with little to no computer experience should be able to use it.
  2. Powerful - it should be able to detect all publicly available rootkits.
  3. Stable - it should work on as many different system configurations as possible, and, in the event of an incompatibility, not crash the host computer.
  4. Safe - it will not use any rootkit-like techniques (hooking, etc.) to protect itself.

Currently, RootRepeal includes the following features:

  1. Driver Scan - scans the system for kernel-mode drivers.  Displays all drivers currently loaded, and shows if a driver has been hidden, and whether the driver's file is visible on-disk.
  2. Files Scan - scans any fixed drive on the system for hidden, locked or falsified* files.
  3. Processes Scan - scans the system for processes.  Displays all processes currently running, and shows if a process is hidden or locked.
  4. SSDT Scan - shows whether any of the functions in the System Service Descriptor Table (SSDT) are hooked.
  5. Stealth Objects Scan - attempts to determine if any rootkits are active by looking for typical symptoms.
  6. Hidden Services Scan - scans for hidden system services.
  7. Shadow SSDT Scan - counterpart to the SSDT Scan, but deals mostly with graphics and window-related functions.

* - falsified files are files which have their size mis-reported to the Windows API.  Some rootkits use this to hide data.
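The Files and Processes scans above rely on comparing two views of the same objects: what the Windows API reports against what a raw parse of the disk or kernel structures shows. The following is an added example of that cross-view principle, not RootRepeal's own code; the file names and sizes are constructed, and the "raw" view stands in for what a filesystem parser would return.

```python
# Cross-view comparison, the idea behind a Files Scan: an entry that appears
# only in the raw (on-disk) view is "hidden"; an entry whose size differs
# between the API view and the raw view is "falsified". This is an added
# example with constructed data, not RootRepeal's implementation.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FileEntry:
    name: str
    size: int


@dataclass
class Finding:
    name: str
    kind: str                 # "hidden" or "falsified"
    api_size: Optional[int]   # None when the API view has no such entry
    raw_size: int


def cross_view(api_view: List[FileEntry], raw_view: List[FileEntry]) -> List[Finding]:
    """Compare API-reported entries with raw-parsed entries.

    The raw view is treated as ground truth: a rootkit that filters directory
    listings or lies about sizes can only influence what the API returns.
    Names are compared case-insensitively, as Windows filesystems do.
    """
    api = {e.name.lower(): e for e in api_view}
    findings: List[Finding] = []
    for raw_entry in raw_view:
        api_entry = api.get(raw_entry.name.lower())
        if api_entry is None:
            findings.append(Finding(raw_entry.name, "hidden", None, raw_entry.size))
        elif api_entry.size != raw_entry.size:
            findings.append(Finding(raw_entry.name, "falsified", api_entry.size, raw_entry.size))
    return findings


# Constructed sample views (not real scan output): "mydata.dat" has its size
# under-reported to the API, and "evil.sys" is missing from the API view.
API_VIEW = [FileEntry("ntoskrnl.exe", 2_000_000), FileEntry("hosts", 824),
            FileEntry("mydata.dat", 4096)]
RAW_VIEW = [FileEntry("ntoskrnl.exe", 2_000_000), FileEntry("hosts", 824),
            FileEntry("mydata.dat", 1_048_576), FileEntry("evil.sys", 28_672)]

if __name__ == "__main__":
    for f in cross_view(API_VIEW, RAW_VIEW):
        print(f"{f.kind:9} {f.name}: API size {f.api_size}, on-disk size {f.raw_size}")
```

The same comparison applies to the Processes scan, with process IDs from the API on one side and process objects walked from kernel memory on the other.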


RootRepeal is currently in public beta.  Although every effort has been made to ensure compatibility with every system configuration on Windows 2000, XP, 2003 and Vista, compatibility cannot be guaranteed.  There is always some risk when scanning for rootkits.  Before running RootRepeal, please make sure you have backups of all important data and have saved all open documents.


Frequently Asked Questions

Question: What is a rootkit?
Answer: A rootkit is a set of tools or a program that is designed to hide activity on a computer (legitimate or otherwise).  A rootkit in itself is not malicious - many antivirus programs and some games (for example, nProtect GameGuard) use rootkit-like technology to hide or protect themselves.  RootRepeal does not target any specific product or malware, but simply identifies rootkit-like activity on a computer and leaves the decision of what is malware or not to the user.  For more information, please refer to the Wikipedia entry on rootkits here.

Question: How do I install/run RootRepeal?
Answer: Simply run RootRepeal.exe by double-clicking on it.  No installation is necessary.

Question: How do I uninstall RootRepeal?
Answer: Delete RootRepeal.exe and (optionally) settings.dat, and reboot.  RootRepeal is completely self-contained and no uninstallation is necessary.

Question: How do I know if I have a rootkit?
Answer: Run a system scan using the "Report" tab, and send the log to an expert for analysis.  Some good resources are the forums at Sysinternals here, and the GeeksToGo forums here.  If you are unsure if something is a rootkit, DO NOT DELETE IT!

Question: Does RootRepeal contain any malware/spyware/adware/other bad stuff?
Answer: Absolutely not!  However, some Antivirus products may flag RootRepeal as malware because it is packed (compressed).  See the VirusTotal link in the Download section for more information.

Question: What is the SSDT?  Why is it important?
Answer: The SSDT is a table that stores the addresses of functions that are used by Windows.  Whenever a certain type of function is called, Windows looks in this table to find the address for it.  However, many rootkits, and some legitimate software packages, hook this table, redirecting these requests.  This type of hooking can be used to hide just about anything on Windows.
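An SSDT scan works from the fact that every entry in the table should point into the image that owns the table (the kernel for the SSDT, win32k for the Shadow SSDT); an entry pointing anywhere else has been redirected, and finding which loaded module contains the redirected address tells the analyst who installed the hook. The block below is an added example of that check, not RootRepeal's code; the module names, base addresses and table addresses are constructed and do not come from a real system.

```python
# SSDT / Shadow SSDT hook check: flag table entries whose address lies outside
# the owning image and attribute each one to the loaded module containing it.
# Added example with constructed data, not RootRepeal's implementation.
from typing import Dict, List, Optional, Tuple

Module = Tuple[str, int, int]   # (name, base address, image size)


def find_owner(address: int, modules: List[Module]) -> Optional[str]:
    """Return the name of the loaded module whose image contains address."""
    for name, base, size in modules:
        if base <= address < base + size:
            return name
    return None


def scan_ssdt(table: Dict[str, int], modules: List[Module], owner: str) -> List[dict]:
    """Report entries of `table` that do not point into the image `owner`.

    An entry that points into no known module at all is reported as well:
    on a live system that means code in a hidden driver or in memory that
    no loaded image accounts for, which deserves a closer look.
    """
    findings = []
    for service, address in table.items():
        found = find_owner(address, modules)
        if found != owner:
            findings.append({"service": service, "address": address,
                             "hooked_by": found or "<unknown module>"})
    return findings


# Constructed sample data (addresses are made up).
MODULES = [
    ("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    ("win32k.sys",   0xBF800000, 0x1C4000),
    ("suspect.sys",  0xF7A10000, 0x8000),
]
SSDT = {
    "NtCreateFile":             0x8057A0C4,
    "NtQueryDirectoryFile":     0xF7A1142E,   # redirected into suspect.sys
    "NtQuerySystemInformation": 0x80606E3B,
    "NtOpenProcess":            0x9A0021F0,   # points into no known module
}
SHADOW_SSDT = {
    "NtUserFindWindowEx": 0xBF80F2B0,
    "NtUserQueryWindow":  0xF7A12A80,         # redirected into suspect.sys
}

if __name__ == "__main__":
    for f in scan_ssdt(SSDT, MODULES, "ntoskrnl.exe") + scan_ssdt(SHADOW_SSDT, MODULES, "win32k.sys"):
        print(f"{f['service']:<26} {f['address']:#010x} hooked by {f['hooked_by']}")
```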

Question: What is a "system service"?
Answer: A system service is a type of program that starts whenever Windows does.  Most rootkits are started as a system service.  Some rootkits attempt to hide these services so that a user cannot see them.

Question: What is the "Disk Access Level"?  Why is it important?
Answer: The disk access level controls how RootRepeal reads the disk to perform the Files and Hidden Services scans.  If you experience a crash or unpredictable results when using either of those scans, please change the Disk Access Level to another level in the options dialog.  The default level is recommended for most users.  If you suspect that you have the MBR rootkit, you may want to set the lowest possible level and run another scan.


System Requirements

  • Microsoft® Windows 2008 Server; Windows Vista®; Windows XP Professional or Home Edition; Windows 2000 with Service Pack 4; Windows 2003 Server
    Note: Only x86 versions of Windows are supported.
  • 128MB of RAM.
  • 600KB of hard-drive space.


Download

The latest version of RootRepeal can always be downloaded from this site.

The current version is: Version 1.3.5
Download: RootRepeal.rar
MD5 (of the EXE): 880D7A26B7BB6B00A0709E75F149B83D
SHA-1 (of the EXE): 1943798277BBB1C396A980C58D077F5A57636932

VirusTotal Scan: http://www.virustotal.com/analisis/dd2d8492185ded564fdae8f5a1d85946123c346086763a238b0d74f1e2848259-1250214648

Because, as mentioned above, there is always an element of risk when scanning for rootkits, the author offers NO WARRANTY for RootRepeal.  USE AT YOUR OWN RISK!

The latest version of RootRepeal can always be found at the static links http://rootrepeal.googlepages.com/RootRepeal.rar, or http://rootrepeal.googlepages.com/RootRepeal.zip (see below for more mirrors, in case the bandwidth limits have been exceeded).

Note: This site has recently been exceeding bandwidth, so if any of the above download links are unavailable, please use one of the following:

http://ad13.geekstogo.com/RootRepeal.zip
http://ad13.geekstogo.com/RootRepeal.rar
http://rootrepeal.psikotick.com/RootRepeal.zip
http://rootrepeal.psikotick.com/RootRepeal.rar

Changelog

Version 1.3.5 (link)

 -Added: Bypassing of the latest TDSS variants.  See note below for v.1.3.3.
 -Added: RootRepeal now shows the version on the About page.
 -Fixed: Some general bug fixes.

Version 1.3.4 (link)

 -Fixed: Fixed multiple compatibility problems with Windows Vista SP2 and Windows Server 2008 SP2.

Version 1.3.3 (link)

 -Added: Bypassing of the newer TDSS variants.  Even if errors show on startup, RootRepeal should still run correctly.
 -Improved: Initialization should now be compatible with all versions of Windows up to Windows Vista SP2, and more configurations.
 -Improved: Reduced false positives in Stealth Code scan - check the options dialog for more detail.
 -Fixed: Bug in unhooking DbgPrint callbacks on Windows
 -Fixed: Initialization bug on Windows Vista SP2.
 -Fixed: Internal speed improvements.
 -Fixed: Signature verification should now work correctly.

Version 1.3.2 (link)

 -Added: Kernel-mode callbacks viewer and deleter.
 -Added: Shadow SSDT scan (with unhooking support).
 -Improved: Many bug fixes in the NTFS filesystem parser.
 -Improved: Startup - should be more compatible with additional configurations.
 -Improved: Resource handling.
 -Improved: RootRepeal whitelists some files in the Stealth Objects scan, to reduce false positives.  You can control this in the Options dialog.
 -Fixed: Memory leak when verifying driver signatures.
 -Fixed: Multiple bugs in startup and the drivers scan.

Version 1.3.0 (link)

 -Added: Additional disk reading method.  Please read the FAQ, above, for more details.
 -Added: Experimental support for verifying the digital signatures of drivers in the drivers scan.
 -Added: Advanced options for file removal.  Please do NOT use these unless you know what they do!
 -Added: Tool to wipe/copy/delete any file.
 -Added: A tool to delete registry keys (and all subkeys/values) that have had the permissions or owner changed.  Note: This will not delete rootkit-protected registry keys.
 -Improved: Safe mode support.  RootRepeal now fully supports Safe mode.
 -Fixed: Major bugs in program initialization and files scan.

Version 1.2.3 (link)

 -Added: Stealth Objects scan (scans for hidden handles, threads, modules, kernel code and IRP handlers)
 -Added: Hidden Services scan.
 -Added: RootRepeal can now fix MBR modifications caused by the Mebroot trojan.
 -Improved: Initialization speed and compatibility.
 -Improved: Files scan speed.
 -Improved: Scan speed in the Drivers and Processes scan.
 -Fixed: Display names in the SSDT scan.
 -Fixed: Intermittent bug in the files scan.
 -Fixed: Bugs in handling some FAT32 directories.
 -Added: Crashdump reporting.  If RootRepeal crashes, it will generate two files: a crash dump text file, and possibly a RootRepeal.dmp file.  If you experience a crash, please send me those two files.

Version 1.1.2 (link)

 -Improved: Initialization speed.
 -Fixed: Bugs in handling certain types of directories on NTFS.
 -Fixed: "Could not find kernel file on disk" bug on initialization.
 -Fixed: Bugs in scanning for hidden ADSs on NTFS.

Version 1.1.1 (link)

 -Fixed: Bug in the files scan that causes a crash.

Version 1.1.0 (link)

 -Added: SSDT scan page.
 -Improved: Process scanning on Windows Server 2003 and Windows Vista.
 -Improved: Process scan internals on all versions of Windows.
 -Improved: Speed of the files scan.
 -Improved: Windows Vista SP0 and SP1 support.
 -Fixed: Bugs in the process scan.
 -Fixed: Various small bugs, user-interface bugs.
 -Fixed: Bypassing certain types of malware.
 -Fixed: Minor bug while using "Wipe File" on a directory.

Version 1.0.2 (link)

 -Added: Showing whether a driver's file is hidden on-disk.
 -Added: Saving settings to a file.
 -Improved: "Report" tab - generating a condensed report.
 -Fixed: Process scan on Windows 2003 Server SP1+.
 -Fixed: BSoD when starting files scan.
 -Fixed: Crashes while scanning NTFS partitions.
 -Fixed: Previously terminated processes showing as "hidden" in the processes scan.
 -Fixed: Bypassing malware that attempts to prevent raw-disk scanning.
 -Fixed: User-interface bugs.

Version 1.0.0 (link)

 -Initial release.


Contact

If you have questions or concerns regarding RootRepeal, please feel free to contact me at RootRepealNOSPAM@gmail.com.  Remove the "NOSPAM" from the email address before sending.  Please note that if you wish to send me a log, I may not be able to respond immediately.

If you have experienced a crash of RootRepeal, please include the words "RootRepeal crash" in the subject line, and I will try to get back to you as quickly as possible.