A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #16631  by rinn
 Thu Nov 15, 2012 3:11 pm
Hi.

Inspired by this article from Frank Boldewin

Hunting rootkits with Windbg
http://www.reconstructer.org/papers/Hun ... Windbg.pdf

Useful windbg scripts

KDAR

http://kdar.codeplex.com/

How to install

1. download archive
2. unzip it to C:\kdar or any other directory
3. set environment variable KDAR_PATH=C:\kdar or the path you specified

How to use

1. start windbg, if it not installed download it from http://www.microsoft.com/whdc/devtools/ ... fault.mspx or get it from latest WDK/Visual Studio.
2. in debugger command line type $$><C:\kdar\kdar.dcmd (or the path you specified)

SysecLabs scripts

http://www.laboskopia.com/download/Syse ... Script.zip

Installation and usage are pretty the same. Examples of usage inside Frank's article.

Another excellent article from Frank's is about Volatility, check it out.

http://reconstructer.org/papers/Hunting ... 20v2.0.pdf

List isn't impressive, but please feel free to add something.


Best Regards,
-rin