A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #1669  by Brookit
 Mon Jul 26, 2010 6:08 pm
ARKit is an open-source rootkit detection library for Microsoft Windows. ARKit has two components:

1. ARKitLib - A Win32/C++ static library that exposes various methods to scan the system and detect rootkits
2. ARKitDrv - A device driver that actually implements methods to scan and detect rootkits

Currently, ARKit has the following features:

1. Process scanning – Detect all running processes (hidden and visible)
2. DLL scanning – Detect DLLs loaded in a process
3. Driver scanning – Detect all loaded drivers (hidden and visible)
4. SSDT hook detection
5. Sysenter hook detection
6. Kernel inline hook detection

ARKit works on 32-bit flavors of Windows 2000, XP, 2003 and Vista. It has not been tested on Windows 2008 and Windows 7 yet.
 #1671  by EP_X0FF
 Tue Jul 27, 2010 1:22 am
Copy-pasted methods from the author of SysProt, inspired by Hoglund's old book.
I can't find the source code to acknowledge this, but from ...
Summary of detection techniques in ARKit

Process detection methods:

* PID brute force
* TID brute force

Driver detection methods:

* PsLoadedModuleList traversing
* \Driver\ directory traversing in Object Manager
* \Device\ directory traversing in Object Manager
... I believe it is.

It is useless even against 3-year-old demo rootkits and completely useless against malware rootkits.
 #1690  by EP_X0FF
 Fri Jul 30, 2010 3:33 am
Not a really impressive scope of beginners' methods. The practical usefulness of these methods is around zero.

Simple PEB unlinking eliminates DLL detection (wtf he coded it in a driver nobody knows; perhaps he likes blue screens).
Scanning of the object directory is primitive and incomplete. As for brute-forcing by PID/TID, well, this is a LOL method.

This project can detect something < 2007. As open source, even KsBinSword is better.
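The PEB unlinking EP_X0FF mentions, as an added example that is not ARKit's code or anyone's from this thread: portable C that models the loader's three module lists with the LIST_ENTRY / LDR_DATA_TABLE_ENTRY / PEB_LDR_DATA layout, unlinks one module the way a self-hiding DLL does, and then scans the same process two ways. The three-module process, the module names and the "mapped images" table standing in for VirtualQueryEx output are constructed for the demonstration, and nothing here touches a real PEB, so it builds and runs on any platform.

```c
#include <stddef.h>
#include <string.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY; /* as in winnt.h */

/* Leading fields of ntdll's LDR_DATA_TABLE_ENTRY; BaseDllName is simplified
 * from UNICODE_STRING to a char array for this demonstration. */
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    char       BaseDllName[32];
} LDR_DATA_TABLE_ENTRY;

typedef struct _PEB_LDR_DATA {          /* the three list heads behind PEB->Ldr */
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA;

/* Index 0/1/2 = load / memory / initialization order, in both structs. */
static const size_t head_off[3] = {
    offsetof(PEB_LDR_DATA, InLoadOrderModuleList),
    offsetof(PEB_LDR_DATA, InMemoryOrderModuleList),
    offsetof(PEB_LDR_DATA, InInitializationOrderModuleList) };
static const size_t link_off[3] = {
    offsetof(LDR_DATA_TABLE_ENTRY, InLoadOrderLinks),
    offsetof(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks),
    offsetof(LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks) };

static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}

/* The entire "rootkit": rewire both neighbours so a walk skips this entry. Self-hiding
 * DLLs then point the entry at itself so a later unload cannot touch freed neighbours. */
static void RemoveEntryList(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;
}

/* Leave all three lists; a scan of any one of them must then come up empty. */
void UnlinkFromPeb(LDR_DATA_TABLE_ENTRY *mod) {
    for (int i = 0; i < 3; i++)
        RemoveEntryList((LIST_ENTRY *)((char *)mod + link_off[i]));
}

/* View 1: the PEB walk that a user-mode or driver-side DLL scan amounts to. */
int FoundByPebWalk(const PEB_LDR_DATA *ldr, int which, const char *name) {
    if (which < 0 || which > 2) return 0;
    const LIST_ENTRY *head = (const LIST_ENTRY *)((const char *)ldr + head_off[which]);
    for (const LIST_ENTRY *p = head->Flink; p != head; p = p->Flink) {
        const LDR_DATA_TABLE_ENTRY *m =
            (const LDR_DATA_TABLE_ENTRY *)((const char *)p - link_off[which]);
        if (strcmp(m->BaseDllName, name) == 0) return 1;
    }
    return 0;
}

/* View 2: something the unlinking cannot touch. On a live process this would be the
 * MEM_IMAGE regions from VirtualQueryEx (or the VAD tree from kernel mode) with the
 * name read from each PE header; here it is a constructed table. */
int FoundByMappedImages(const LDR_DATA_TABLE_ENTRY *mapped, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(mapped[i].BaseDllName, name) == 0) return 1;
    return 0;
}

/* Cross-view: a mapped image the PEB walk cannot see is a hidden module. */
int CountHiddenModules(const PEB_LDR_DATA *ldr, const LDR_DATA_TABLE_ENTRY *mapped, size_t n) {
    int hidden = 0;
    for (size_t i = 0; i < n; i++)
        if (!FoundByPebWalk(ldr, 0, mapped[i].BaseDllName)) hidden++;
    return hidden;
}

typedef struct { int peb_load, peb_mem, peb_init, mapped, hidden; } ScanResult;

/* Constructed process with three modules; "evil.dll" unlinks itself when hide != 0.
 * Static storage keeps the list pointers valid during the scans. */
ScanResult RunScenario(int hide) {
    static PEB_LDR_DATA ldr; static LDR_DATA_TABLE_ENTRY mods[3];
    const char *names[3] = { "ntdll.dll", "kernel32.dll", "evil.dll" };
    ScanResult r;
    for (int i = 0; i < 3; i++)
        InitializeListHead((LIST_ENTRY *)((char *)&ldr + head_off[i]));
    for (int i = 0; i < 3; i++) {
        memset(&mods[i], 0, sizeof mods[i]);
        strncpy(mods[i].BaseDllName, names[i], sizeof mods[i].BaseDllName - 1);
        for (int l = 0; l < 3; l++)
            InsertTailList((LIST_ENTRY *)((char *)&ldr + head_off[l]),
                           (LIST_ENTRY *)((char *)&mods[i] + link_off[l]));
    }
    if (hide) UnlinkFromPeb(&mods[2]);
    r.peb_load = FoundByPebWalk(&ldr, 0, "evil.dll");
    r.peb_mem  = FoundByPebWalk(&ldr, 1, "evil.dll");
    r.peb_init = FoundByPebWalk(&ldr, 2, "evil.dll");
    r.mapped   = FoundByMappedImages(mods, 3, "evil.dll");
    r.hidden   = CountHiddenModules(&ldr, mods, 3);
    return r;
}
```

RunScenario(1) reports evil.dll absent from all three PEB lists but present in the mapped-image view, with one hidden module in the cross-view count; RunScenario(0) reports it in every list and no hidden modules. The point for a scanner is the one EP_X0FF is making: whatever walks the loader lists, in user mode or from a driver, sees only what the DLL leaves there, so a DLL scan needs a second source the DLL cannot edit and a diff between the two.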