A forum for reverse engineering, OS internals and malware analysis 

 #1918  by __Genius__
 Fri Aug 13, 2010 8:28 am
Hi :)
Thunder is the name of a hidden process detector.
The background idea for increasing the power of this detector is great, but for now this is the first part, and in fact it's a proof of concept based on ring3.
For now it has just a few methods for detecting hidden processes, so I do not expect it to detect commercial or advanced rootkits like rkdemo (actually built by EP_X0FF) or phide_ex by PE386.
Well, this detector is more aimed at rootkits that hide their process either with DKOM or by setting a hook on the Service Dispatch Table (SSDT).
I've also tried it against Futo and detected it successfully.

This project is under development and in progress.
I hope I can increase the power of detection as much as I can.

Regardless of the incompleteness of this project (and of course it is in progress and will be updated soon to detect more rootkits), I want to give big thanks to the following people:

Alex, for nice ideas, testing, and helpful guidance over a long time; Alex always helps other people without any fear.
EP_X0FF, for intelligence points that others may not be aware of, and helpful advice as always.
Eric_71, my new friend at this forum, for solving some problems related to some wrong implementations and some bug fixes.

Hope you like it :)

Any comments are welcome.
 #1919  by EP_X0FF
 Fri Aug 13, 2010 8:40 am
Hello,

Some test results and a question.

Tested with HxDef. Detected well. Just the PID, nothing else.
However, it shows a few nonexistent processes as hidden every time I try to scan.

Themida - what's the point? Nobody is interested in reversing such stuff.

Regards.
 #1920  by __Genius__
 Fri Aug 13, 2010 8:49 am
Hi EP,
Tested with HxDef. Detected well. Just the PID, nothing else.
Good point; the routine for showing the actual process image name is already commented out in the source code (partially). I will release this bug fix soon.
However, it shows a few nonexistent processes as hidden every time I try to scan.
Could you please post an image and a dump of your running processes from RkU? I didn't encounter this at all during my tests.
Themida - what's the point? Nobody is interested in reversing such stuff.
It's just for some testing; while encrypting and protecting this with Themida, Themida crashed multiple times, I don't know why. However, the attachment is the actual binary.
 #1921  by EP_X0FF
 Fri Aug 13, 2010 8:53 am
Better get rid of Themida; use UPX/ASPack or PeCompact.
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
0x81FC8A00 [4] System
0x817FD818 [212] C:\Program Files\Prevx\prevx.exe (Prevx, Prevx 3.0)
0x81CFEB30 [360] C:\WINDOWS\system32\smss.exe (Корпорация Майкрософт, Диспетчер сеанса Windows NT)
0x81F73BB0 [416] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x81E39608 [440] C:\WINDOWS\system32\winlogon.exe (Корпорация Майкрософт, Программа входа в систему Windows NT)
0x81D86DA0 [484] C:\WINDOWS\system32\services.exe (Корпорация Майкрософт, Приложение служб и контроллеров)
0x81D83DA0 [496] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))
0x81D8C430 [664] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x81DA3BE8 [744] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x81E77DA0 [784] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x81DFA468 [844] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x81D598E0 [860] C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation, Автоматическое обновление)
0x81D6B7C8 [924] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x81D88030 [1084] C:\WINDOWS\explorer.exe (Корпорация Майкрософт, Проводник)
0x81D72938 [1196] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x81E8B440 [1276] C:\Program Files\Virtual Machine Additions\vmsrvc.exe (Microsoft Corporation, Virtual Machine Services)
0x81DBDDA0 [1292] C:\Program Files\Prevx\prevx.exe (Prevx, Prevx 3.0)
0x81D09890 [1348] C:\Program Files\FireBird\FireBird_1_5\bin\fbserver.exe (The Firebird Project, Firebird SQL Server)
0x81DD1BE8 [1520] C:\Program Files\Virtual Machine Additions\vpcmap.exe (Microsoft Corporation, Virtual Machine Folder Sharing Service)
0x81C41BC0 [1552] C:\Program Files\Virtual Machine Additions\vmusrvc.exe (Microsoft Corporation, Virtual Machine User Services)
0x81D62608 [1560] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation, CTF Loader)
0x81C2EDA0 [1852] C:\WINDOWS\system32\alg.exe (Microsoft Corporation, Application Layer Gateway Service)
0x81EF2278 [2152] C:\Documents and Settings\HappyUser\Рабочий стол\RKUnhookerLE.EXE (UG North, RKULE, SR2 Normandy)
Thunder - Integrated ring3 hidden process detector
Author : __Genius__
| Forbidden Edge Networks | © Red Cell labs | (August 2010) |

Thunder is now scanning your system for detecting possible rootkit activity
Be patient till Thunder finished the scanning & shows the result ...

|>>>ROOTKIT<<<|
Hidden Process Id : 116
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 116
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1060
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1060
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1424
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1424
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1572
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1572
---

|>>>ROOTKIT<<<|
Hidden Process Id : 1052
---
 #1922  by __Genius__
 Fri Aug 13, 2010 9:01 am
You're right; however, I don't know the reason for such a false-positive result, but I'm trying to catch it.

Result from a clean system:
Thunder - Integrated ring3 hidden process detector
Author : __Genius__
| Forbidden Edge Networks | © Red Cell labs | (August 2010) |

Thunder is now scanning your system for detecting possible rootkit activity
Be patient till Thunder finished the scanning & shows the result ...

Nothing found !
 #1926  by Alex
 Fri Aug 13, 2010 11:40 am
When I ran Thunder the first time with Invisible Process 1.0 it detected one hidden process - the right one. But when I started/killed other processes and ran Thunder, it showed PIDs of non-existing processes. I think it is good to check if the obtained PID is valid (NtOpenProcess) and, if so, try to use it to check the virtual memory address space of the tested process - for example, trying to obtain the image name from the PEB. But if the PID is invalid (phide_ex) you can try to inject some code into the target process using known shared sections (USER and GDI stuff, for example) and then suspend and resume the tested thread with a new context. Because I don't want to spoil your play with detecting processes, I will not try to enumerate all possible methods to solve the problem of your detector ;)

Waiting for fixed version,
Alex
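The false positives EP_X0FF and Alex describe come from the two views (public process listing vs. brute-forced PID probing) being taken at different moments, so a process that exits in between looks "hidden". The following is an added example, not Thunder's code or anything posted in this thread: it shows the naive single-pass cross-view check next to a version that repeats the scan, re-validates each candidate with an open and a listing re-check (Alex's NtOpenProcess/PEB suggestion), and reports each PID once. The Windows primitives (CreateToolhelp32Snapshot, OpenProcess, reading the image name from the PEB) are assumed behind the `Views` callbacks and replaced by a constructed `FakeSystem` so it runs offline.

```python
from typing import Callable, Dict, Optional, Set

class Views:
    """The three primitives the detector needs; on Windows these would wrap
    CreateToolhelp32Snapshot, OpenProcess and a PEB read (assumed, not Thunder's code)."""
    def __init__(self, snapshot: Callable[[], Set[int]], opens: Callable[[int], bool],
                 image_name: Callable[[int], Optional[str]]):
        self.snapshot, self.opens, self.image_name = snapshot, opens, image_name

def cross_view_once(v: Views, max_pid: int = 65536) -> Set[int]:
    """Naive check: every PID that can be opened but is absent from the public listing.
    The listing and the brute-force loop run at different times, so a process that
    exits in between is reported as 'hidden' although it simply died."""
    listed = v.snapshot()
    probed = {pid for pid in range(4, max_pid, 4) if v.opens(pid)}  # PIDs are multiples of 4
    return probed - listed

def hidden_processes(v: Views, passes: int = 3) -> Dict[int, Optional[str]]:
    """Robust check: only PIDs hidden in every pass, still openable and still absent from
    the listing afterwards, are reported, each once, with the image name read from the PEB."""
    consistent: Optional[Set[int]] = None
    for _ in range(passes):
        hidden = cross_view_once(v)
        consistent = hidden if consistent is None else consistent & hidden
    found: Dict[int, Optional[str]] = {}
    for pid in sorted(consistent or ()):
        if not v.opens(pid):            # exited since the scan: transient, not a rootkit
            continue
        if pid in v.snapshot():         # now listed: it was a race with process creation
            continue
        found[pid] = v.image_name(pid)  # None = PEB unreadable; the PID is still reported
    return found

class FakeSystem:
    """Constructed stand-in for a live box: one DKOM-style unlinked process and one
    short-lived process that exists only while the first brute-force pass runs."""
    def __init__(self):
        self.procs = {4: "System", 360: "smss.exe", 1084: "explorer.exe",
                      1300: "hidden_sample.exe"}  # 1300 is unlinked from the listing
        self.unlinked, self.transient, self.pass_no = {1300}, 1052, 0
    def snapshot(self) -> Set[int]:
        self.pass_no += 1               # each listing marks the start of a new pass
        return {pid for pid in self.procs if pid not in self.unlinked}
    def opens(self, pid: int) -> bool:
        return pid in self.procs or (pid == self.transient and self.pass_no == 1)
    def image_name(self, pid: int) -> Optional[str]:
        return self.procs.get(pid)

def demo():
    s = FakeSystem()
    v = Views(s.snapshot, s.opens, s.image_name)
    return cross_view_once(v), hidden_processes(v)  # ({1052, 1300}, {1300: 'hidden_sample.exe'})
```

The naive pass reports the dead PID 1052 as a rootkit; the repeated, re-validated pass keeps only the unlinked process and attaches its image name.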