By Mark Russinovich
Published: November 1, 2006
Download RootkitRevealer (231 KB)
Run now from Sysinternals Live.
Introduction
RootkitRevealer is an advanced rootkit detection utility. It runs on Windows XP (32-bit) and Windows Server 2003 (32-bit), and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects many persistent rootkits including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys). If you use it to identify the presence of a rootkit please let us know!
The reason that there is no longer a command-line version is that malware authors have started targeting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior.
What is a Rootkit?
The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.
Persistent Rootkits
A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contains code that must be executed automatically at each system start or when a user logs in, it must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.
Memory-Based Rootkits
Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.
User-mode Rootkits
There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries.
The Windows native API serves as the interface between user-mode clients and kernel-mode services, and more sophisticated user-mode rootkits intercept file system, Registry, and process enumeration functions of the native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with that returned by a native API enumeration.
Kernel-mode Rootkits
Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.
How RootkitRevealer Works
Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with that at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry's on-disk storage format). Thus, rootkits, whether user mode or kernel mode, that manipulate the Windows API or native API to remove their presence from a directory listing, for example, will be seen by RootkitRevealer as a discrepancy between the information returned by the Windows API and that seen in the raw scan of a FAT or NTFS volume's file system structures.
Can a Rootkit hide from RootkitRevealer?
It is theoretically possible for a rootkit to hide from RootkitRevealer. Doing so would require intercepting RootkitRevealer's reads of Registry hive data or file system data and changing the contents of the data such that the rootkit's Registry data or files are not present. However, this would require a level of sophistication not seen in rootkits to date. Changes to the data would require both an intimate knowledge of the NTFS, FAT and Registry hive formats, plus the ability to change data structures such that they hide the rootkit, but do not cause inconsistent or invalid structures or side-effect discrepancies that would be flagged by RootkitRevealer.
Is there a sure-fire way to know of a rootkit's presence?
In general, not from within a running system. A kernel-mode rootkit can control any aspect of a system's behavior, so information returned by any API, including the raw reads of Registry hive and file system data performed by RootkitRevealer, can be compromised. While comparing an on-line scan of a system and an off-line scan from a secure environment such as a boot into a CD-based operating system installation is more reliable, rootkits can target such tools to evade detection by even them.
The bottom line is that there will never be a universal rootkit scanner, but the most powerful scanners will be on-line/off-line comparison scanners that integrate with antivirus.
Using RootkitRevealer
RootkitRevealer requires that the account from which it's run has assigned to it the Backup files and directories, Load drivers and Perform volume maintenance tasks (on Windows XP and higher) privileges. The Administrators group is assigned these privileges by default. In order to minimize false positives run RootkitRevealer on an idle system.
For best results exit all applications and keep the system otherwise idle during the RootkitRevealer scanning process.
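A quick pre-flight check for the three privileges named above, as an added example that is not part of RootkitRevealer or Sysinternals. It parses the output of `whoami /priv` and reports any required privilege that is not assigned to the account at all (the tool enables the privileges it needs itself, so a "Disabled" state is fine; only an absent privilege is a problem). SAMPLE_OUTPUT is a constructed transcript so the check runs offline; on a real host you would feed it the actual output of `whoami /priv` instead.

```python
"""Pre-flight privilege check for RootkitRevealer (added example)."""
import re

# Friendly names used in the text above -> Windows privilege constants.
REQUIRED = {
    "Backup files and directories": "SeBackupPrivilege",
    "Load drivers": "SeLoadDriverPrivilege",
    "Perform volume maintenance tasks": "SeManageVolumePrivilege",
}

# Constructed `whoami /priv` transcript; SeManageVolumePrivilege is
# deliberately absent so the check has something to report.
SAMPLE_OUTPUT = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeBackupPrivilege             Back up files and directories        Disabled
SeLoadDriverPrivilege         Load and unload device drivers       Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
"""


def parse_privileges(text: str) -> dict:
    """Map privilege constant -> state ("Enabled"/"Disabled") from whoami /priv output."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def missing_privileges(text: str) -> list:
    """Friendly names of required privileges that are not assigned at all."""
    have = parse_privileges(text)
    return [friendly for friendly, const in REQUIRED.items() if const not in have]


if __name__ == "__main__":
    gaps = missing_privileges(SAMPLE_OUTPUT)
    print("All required privileges assigned" if not gaps
          else "Missing: " + ", ".join(gaps))
```

Run it from an elevated prompt on the target host with the real `whoami /priv` output; a member of the local Administrators group should come back with no gaps.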
If you have questions or problems please visit the Sysinternals RootkitRevealer Forum.
Manual Scanning
To scan a system launch it on the system and press the Scan button. RootkitRevealer scans the system reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. The options you can configure:
- Hide NTFS Metadata Files: this option is on by default and has RootkitRevealer not show standard NTFS metadata files, which are hidden from the Windows API.
- Scan Registry: this option is on by default. Deselecting it has RootkitRevealer not perform a Registry scan.
Launching an Automatic Scan
RootkitRevealer supports several options for auto-scanning systems:
Usage: rootkitrevealer [-a [-c] [-m] [-r] outputfile]
| Parameter | Description |
|---|---|
| -a | Automatically scan and exit when done. |
| -c | Format output as CSV. |
| -m | Show NTFS metadata files. |
| -r | Don't scan the Registry. |
Note that the file output location must be on a local volume.
If you specify the -c option it does not report progress and discrepancies are printed in CSV format for easy import into a database. You can perform scans of remote systems by executing it with the Sysinternals PsExec utility using a command line like the following:
psexec \\remote -c rootkitrevealer.exe -a c:\windows\system32\rootkit.log
Interpreting the Output
This is a screenshot of RootkitRevealer detecting the presence of the popular HackerDefender rootkit. The Registry key discrepancies show that the Registry keys storing HackerDefender's device driver and service settings are not visible to the Windows API, but are present in the raw scan of the Registry hive data. Similarly, the HackerDefender-associated files are not visible to Windows API directory scans, but are present in the scan of the raw file system data.
You should examine all discrepancies and determine the likelihood that they indicate the presence of a rootkit. Unfortunately, there is no definitive way to determine, based on the output, if a rootkit is present, but you should examine all reported discrepancies to ensure that they are explainable. If you determine that you have a rootkit installed, search the web for removal instructions. If you are unsure as to how to remove a rootkit you should reformat the system's hard disk and reinstall Windows.
In addition to the information below on possible RootkitRevealer discrepancies, the RootkitRevealer Forum at Sysinternals discusses detected rootkits and specific false positives.
Hidden from Windows API
These discrepancies are the ones exhibited by most rootkits; however, if you haven't checked the Hide NTFS metadata files option you should expect to see a number of such entries on any NTFS volume, since NTFS hides its metadata files, such as $MFT and $Secure, from the Windows API. The metadata files present on NTFS volumes vary by version of NTFS and the NTFS features that have been enabled on the volume. There are also antivirus products, such as Kaspersky Antivirus, that use rootkit techniques to hide data they store in NTFS alternate data streams. If you are running such a virus scanner you'll see a Hidden from Windows API discrepancy for an alternate data stream on every NTFS file. RootkitRevealer does not support output filters because rootkits can take advantage of any filtering. Finally, if a file is deleted during a scan you may also see this discrepancy.
This is a list of NTFS metadata files defined as of Windows Server 2003:
- $AttrDef
- $BadClus
- $BadClus:$Bad
- $BitMap
- $Boot
- $LogFile
- $Mft
- $MftMirr
- $Secure
- $UpCase
- $Volume
- $Extend
- $Extend\$Reparse
- $Extend\$ObjId
- $Extend\$UsnJrnl
- $Extend\$UsnJrnl:$Max
- $Extend\$Quota
Access is Denied.
RootkitRevealer should never report this discrepancy since it uses mechanisms that allow it to access any file, directory, or registry key on a system.
Visible in Windows API, directory index, but not in MFT.
Visible in Windows API, but not in MFT or directory index.
Visible in Windows API, MFT, but not in directory index.
Visible in directory index, but not Windows API or MFT.
A file system scan consists of three components: the Windows API, the NTFS Master File Table (MFT), and the NTFS on-disk directory index structures. These discrepancies indicate that a file appears in only one or two of the scans. A common reason is that a file is either created or deleted during the scans. This is an example of RootkitRevealer's discrepancy report for a file created during the scanning:
C:\newfile.txt
3/1/2005 5:26 PM
8 bytes
Visible in Windows API, but not in MFT or directory index.
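The three-view comparison described above, as an added example (not RootkitRevealer's own code). Each path seen by any of the three scans (Windows API, MFT, directory index) is looked up in the other two, and any path missing from at least one view is reported with the discrepancy label the tool uses for that combination; the "Hide NTFS Metadata Files" behaviour is modelled by suppressing the listed metadata files when they are merely hidden from the Windows API. The three sample views are constructed, not real scan output, and hidden.sys is a made-up file name standing in for a rootkit driver. The MFT-only label is an assumption: the text does not list one for that combination.

```python
"""Cross-view classification of file system scan results (added example)."""

# NTFS metadata files as defined as of Windows Server 2003. They are hidden
# from the Windows API by design, so reporting them would be a false positive.
NTFS_METADATA = {
    "$AttrDef", "$BadClus", "$BadClus:$Bad", "$BitMap", "$Boot", "$LogFile",
    "$Mft", "$MftMirr", "$Secure", "$UpCase", "$Volume", "$Extend",
    "$Extend\\$Reparse", "$Extend\\$ObjId", "$Extend\\$UsnJrnl",
    "$Extend\\$UsnJrnl:$Max", "$Extend\\$Quota",
}
_METADATA_LOWER = {n.lower() for n in NTFS_METADATA}

HIDDEN_FROM_API = "Hidden from Windows API."
API_INDEX_NOT_MFT = "Visible in Windows API, directory index, but not in MFT."
API_ONLY = "Visible in Windows API, but not in MFT or directory index."
API_MFT_NOT_INDEX = "Visible in Windows API, MFT, but not in directory index."
INDEX_ONLY = "Visible in directory index, but not Windows API or MFT."
# Assumed label: not one the text lists, added so every combination is covered.
MFT_ONLY = "Visible in MFT, but not Windows API or directory index."

# (in Windows API, in MFT, in directory index) -> label
LABELS = {
    (False, True, True): HIDDEN_FROM_API,
    (True, False, True): API_INDEX_NOT_MFT,
    (True, False, False): API_ONLY,
    (True, True, False): API_MFT_NOT_INDEX,
    (False, False, True): INDEX_ONLY,
    (False, True, False): MFT_ONLY,
}


def is_ntfs_metadata(path: str) -> bool:
    """True for a volume-root path such as C:\\$Mft or C:\\$Extend\\$Quota."""
    drive, sep, rel = path.partition(":\\")
    return len(drive) == 1 and bool(sep) and rel.lower() in _METADATA_LOWER


def classify(api: set, mft: set, index: set, hide_ntfs_metadata: bool = True) -> dict:
    """Return {path: label} for every path not consistent across the three views.

    A rootkit that filters the Windows API but leaves the on-disk structures
    alone shows up as HIDDEN_FROM_API; a file created or deleted between the
    passes shows up in one of the transient categories."""
    report = {}
    for path in sorted(api | mft | index):
        key = (path in api, path in mft, path in index)
        if all(key):
            continue  # consistent in all three views
        if hide_ntfs_metadata and key == (False, True, True) and is_ntfs_metadata(path):
            continue  # expected: NTFS hides its own metadata from the API
        report[path] = LABELS[key]
    return report


# Constructed sample views (not real scan output).
SAMPLE_API = {"C:\\Windows\\notepad.exe", "C:\\newfile.txt"}
SAMPLE_MFT = {"C:\\Windows\\notepad.exe", "C:\\$Mft", "C:\\$Secure",
              "C:\\Windows\\System32\\drivers\\hidden.sys"}
SAMPLE_INDEX = set(SAMPLE_MFT)

if __name__ == "__main__":
    for path, label in classify(SAMPLE_API, SAMPLE_MFT, SAMPLE_INDEX).items():
        print(f"{path}\n\t{label}")
```

With the sample data, hidden.sys is reported as hidden from the Windows API (present in both on-disk views, filtered from the API view) and newfile.txt as visible only to the Windows API, the transient pattern shown for a file created mid-scan; passing hide_ntfs_metadata=False additionally reports $Mft and $Secure, which is exactly the noise the default option suppresses.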
Windows API length not consistent with raw hive data.
Rootkits can attempt to hide themselves by misrepresenting the size of a Registry value so that its contents aren't visible to the Windows API. You should examine any such discrepancy, though it may also appear as a result of Registry values that change during a scan.
Type mismatch between Windows API and raw hive data.
Registry values have a type, such as DWORD and REG_SZ, and this discrepancy notes that the type of a value as reported through the Windows API differs from that of the raw hive data. A rootkit can mask its data by storing it as a REG_BINARY value, for example, and making the Windows API believe it to be a REG_SZ value; if it stores a 0 at the start of the data the Windows API will not be able to access subsequent data.
Key name contains embedded nulls.
The Windows API treats key names as null-terminated strings, whereas the kernel treats them as counted strings. Thus, it is possible to create Registry keys that are visible to the operating system, yet only partially visible to Registry tools like Regedit. The Reghide sample code at Sysinternals demonstrates this technique, which is used by both malware and rootkits to hide Registry data. Use the Sysinternals RegDelNull utility to delete keys with embedded nulls.
Data mismatch between Windows API and raw hive data.
This discrepancy will occur if a Registry value is updated while the Registry scan is in progress. Values that change frequently include timestamps such as the Microsoft SQL Server uptime value, shown below, and virus scanner 'last scan' values. You should investigate any reported value to ensure that it's a valid application or system Registry value.
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\RECOVERYMANAGER\MSSQLServer\uptime_time_utc
3/1/2005 4:33 PM
8 bytes
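The four Registry discrepancies described above (length, type and data mismatches against raw hive data, and key names with embedded nulls), as an added example that is not RootkitRevealer's or Sysinternals' code. Parsing hive files is out of scope, so the "raw" inputs are constructed (type, bytes) pairs standing in for what a hive parser would return; the Windows API view is modelled as what a consumer of the API that treats REG_SZ data as a NUL-terminated UTF-16LE string would see, which is the behaviour the text relies on when it says data stored after a leading 0 becomes unreachable. All value and key names are made up.

```python
"""Registry-side discrepancy checks against raw hive data (added example)."""

REG_SZ, REG_BINARY, REG_DWORD = 1, 3, 4

TYPE_MISMATCH = "Type mismatch between Windows API and raw hive data."
LENGTH_MISMATCH = "Windows API length not consistent with raw hive data."
DATA_MISMATCH = "Data mismatch between Windows API and raw hive data."
EMBEDDED_NULL = "Key name contains embedded nulls."


def api_visible_data(value_type: int, data: bytes) -> bytes:
    """Bytes a string-oriented Windows API consumer actually uses.

    REG_SZ is UTF-16LE and ends at the first NUL code unit (kept here as the
    terminator), so anything stored after it is unreachable. Other types
    pass through unchanged."""
    if value_type == REG_SZ:
        for i in range(0, len(data) - 1, 2):
            if data[i:i + 2] == b"\x00\x00":
                return data[:i + 2]
    return data


def check_value(api_type: int, api_data: bytes, raw_type: int, raw_data: bytes) -> list:
    """Labels for one value, comparing the API-reported (type, data) with the
    (type, data) read from the raw hive."""
    found = []
    if api_type != raw_type:
        found.append(TYPE_MISMATCH)
    visible = api_visible_data(api_type, api_data)
    if len(visible) != len(raw_data):
        found.append(LENGTH_MISMATCH)
    elif visible != raw_data:
        found.append(DATA_MISMATCH)
    return found


def check_key_name(name: str) -> list:
    """The Windows API sees key names as NUL-terminated; the kernel uses counted
    strings, so a name with an embedded NUL is only partly visible to Regedit."""
    return [EMBEDDED_NULL] if "\x00" in name else []


def win32_visible_name(name: str) -> str:
    """What a NUL-terminated-string consumer sees of a counted key name."""
    return name.split("\x00", 1)[0]


def utf16(s: str) -> bytes:
    """UTF-16LE with terminating NUL, as stored in a REG_SZ."""
    return (s + "\x00").encode("utf-16-le")


# Constructed samples: (name, api_type, api_data, raw_type, raw_data).
_PAYLOAD = b"\x00\x00" + b"MZ\x90\x00\x03\x00"   # leading NUL, then 6 hidden bytes
SAMPLE_VALUES = [
    # Rootkit stores REG_BINARY behind a leading NUL and reports it as REG_SZ:
    # the API consumer sees an empty string, the hive holds 8 bytes.
    ("Payload", REG_SZ, _PAYLOAD, REG_BINARY, _PAYLOAD),
    # Benign: a timestamp that changed between the API read and the raw read.
    ("uptime_time_utc", REG_BINARY, bytes(8), REG_BINARY, bytes(7) + b"\x01"),
    # Consistent values: no discrepancy.
    ("Start", REG_DWORD, (2).to_bytes(4, "little"), REG_DWORD, (2).to_bytes(4, "little")),
    ("ImagePath", REG_SZ, utf16("driver.sys"), REG_SZ, utf16("driver.sys")),
]
SAMPLE_KEYS = ["Run", "Run\x00hidden"]   # second one only shows as "Run" in Regedit


def scan(values=SAMPLE_VALUES, keys=SAMPLE_KEYS) -> dict:
    """Return {name: [labels]} for every value or key with a discrepancy."""
    report = {}
    for name, api_type, api_data, raw_type, raw_data in values:
        labels = check_value(api_type, api_data, raw_type, raw_data)
        if labels:
            report[name] = labels
    for name in keys:
        labels = check_key_name(name)
        if labels:
            report[name] = labels
    return report


if __name__ == "__main__":
    for name, labels in scan().items():
        print(repr(name), "->", "; ".join(labels))
```

The hidden-payload value trips both the type and the length check, the changed timestamp trips only the data check (the benign case the text warns about), and the key with an embedded NUL is reported under its full counted name while Regedit would show only "Run".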
Rootkit Resources
The following Web sites and books are sources of more information on rootkits:
Sony, Rootkits and Digital Rights Management Gone Too Far
Read Mark's blog entry on his discovery and analysis of a Sony rootkit on one of his computers.
Unearthing Rootkits
Mark's June Windows IT Pro Magazine article provides an overview of rootkit technologies and how RootkitRevealer works.
Rootkits: Subverting the Windows Kernel
This book by Greg Hoglund and Jamie Butler is the most comprehensive treatment of rootkits available.
www.phrack.org
This site stores the archive of Phrack, a cracker-oriented magazine where developers discuss flaws in security-related products, rootkit techniques, and other malware tricks.
The Art of Computer Virus Research and Defense, by Peter Szor
Malware: Fighting Malicious Code, by Ed Skoudis and Lenny Zeltser
Windows Internals, 4th Edition, by Mark Russinovich and Dave Solomon (the book doesn't talk about rootkits, but understanding the Windows architecture is helpful to understanding rootkits).