Rootkit Detection and Removal


Understanding Rootkit Types

Type          Level                   Persistence              Detection Difficulty
------------  ----------------------  -----------------------  --------------------
User-mode     Application/API hooks   Registry/Startup files   Easy
Kernel-mode   System drivers/SSDT     System drivers           Hard
Firmware      BIOS/UEFI               Flash memory             Very Hard
Hypervisor    Virtualization layer    Below OS                 Extremely Hard
Bootkit       MBR/VBR                 Boot sector              Hard

Detection Tools

GMER

Download: gmer.net
Features:
- SSDT hook detection
- Hidden process detection
- Hidden service detection
- Hidden file detection
- Hidden registry key detection

Usage:
1. Run as Administrator
2. Click "Scan"
3. Review red-highlighted items
4. Export log for analysis

RKill

Download: bleepingcomputer.com/download/rkill/
Purpose: Terminates malicious processes before scanning

Usage:
1. Download renamed version (iexplore.exe)
2. Run as Administrator
3. Do not reboot immediately
4. Run full antivirus scan after

TDSSKiller

Download: support.kaspersky.com/5350
Targets: TDSS, TDL4, Alureon, Cidox, Sinowal

Usage:
1. Run as Administrator
2. Accept license agreement
3. Click "Start scan"
4. Select action for detected objects:
   - Cure (recommended first)
   - Skip (if false positive suspected)
   - Delete (if cure fails)

Malwarebytes Anti-Rootkit

Download: malwarebytes.com/antirootkit
Features:
- Signature-based detection
- Heuristic analysis
- DDA (Direct Disk Access) scanning

Usage:
1. Install and update
2. Run "Threat Scan"
3. Enable "Scan for rootkits" in settings
4. Quarantine detected items
5. Reboot if prompted

Sophos Virus Removal Tool

Download: sophos.com/en-us/products/free-tools/virus-removal-tool.aspx
Features:
- Rootkit detection
- Memory scanning
- Boot sector scanning

Command line:
SAV32CLI -REMOVE -P=C:\Logs\SophosScan.log

Memory Forensics

Volatility Framework

Download: volatilityfoundation.org
Requirements: Python 2.7 (Volatility 2) or Python 3.x (Volatility 3)

Basic commands (Volatility 2 syntax; run imageinfo first and pass the profile it suggests to the other plugins):
volatility -f memory.dmp imageinfo
volatility -f memory.dmp --profile=<Profile> pslist
volatility -f memory.dmp --profile=<Profile> psscan
volatility -f memory.dmp --profile=<Profile> dlllist
volatility -f memory.dmp --profile=<Profile> malfind
volatility -f memory.dmp --profile=<Profile> svcscan
volatility -f memory.dmp --profile=<Profile> driverirp
volatility -f memory.dmp --profile=<Profile> ssdt
volatility -f memory.dmp --profile=<Profile> idt   # x86 images only
volatility -f memory.dmp --profile=<Profile> gdt   # x86 images only

# Volatility 3 needs no profile and prefixes plugin names with the OS, e.g.:
vol -f memory.dmp windows.psscan

WinDbg Analysis

Install: Windows SDK (select the Debugging Tools for Windows component)
Command: windbg -z memory.dmp

Common commands:
!analyze -v
!process 0 0
!drivers            # removed from newer debuggers; use lm t n for the loaded module list
!devobj <address>   # takes a device object address; !drvobj <driver> 1 lists a driver's device objects
!irpfind

Cross-View Analysis

Process Comparison

# API-based process list
tasklist /v > api_processes.txt

# Raw memory process list (requires tools)
# Compare with GMER/Volatility output

# PowerShell process details
Get-Process | Select-Object Name, Id, Path, Company | Export-Csv processes.csv
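The comparison the comments above describe, as an added example that is not part of the original page: an API-based process list is diffed against a list carved from a memory image (Volatility 2 psscan text). The psscan rows and the API list in the block are constructed samples; the parser and the function names are this example's own.

```powershell
# Added example, not from the original page: cross-view comparison of an
# API-based process list against a list carved from a memory image.
# The psscan text and the API list below are constructed samples.

function ConvertFrom-PsscanText {
    # Parses Volatility 2 'psscan' output rows: Offset(P) Name PID PPID PDB ...
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)') {
            [pscustomobject]@{ Pid = [int]$Matches[2]; Name = $Matches[1] }
        }
    }
}

function Get-ApiProcessView {
    # The live API-based view (the same view Task Manager and tasklist rely on)
    Get-Process | ForEach-Object { [pscustomobject]@{ Pid = $_.Id; Name = $_.ProcessName } }
}

function Compare-ProcessViews {
    param(
        [Parameter(Mandatory)][object[]]$ApiView,
        [Parameter(Mandatory)][object[]]$MemoryView
    )
    $apiPids = @($ApiView    | ForEach-Object { $_.Pid })
    $memPids = @($MemoryView | ForEach-Object { $_.Pid })
    [pscustomobject]@{
        # Carved from memory but absent from the API view: candidate hidden process
        HiddenFromApi = @($MemoryView | Where-Object { $apiPids -notcontains $_.Pid })
        # In the API view but not carved: normally processes started after the dump was taken
        ApiOnly       = @($ApiView    | Where-Object { $memPids -notcontains $_.Pid })
    }
}

# --- Constructed sample data (PIDs and names are illustrative only) ---
$samplePsscan = @'
Offset(P)          Name                PID   PPID PDB        Time created
------------------ ------------------- ----- ---- ---------- --------------------
0x000000003e0b8a30 svchost.exe          912   640 0x1a0c0000 2024-01-01 09:00:00
0x000000003e2c5d40 explorer.exe        1524  1488 0x1b4e0000 2024-01-01 09:01:10
0x000000003f11e020 hidden_sample.exe   3312  1524 0x2c3f0000 2024-01-01 09:05:42
'@ -split "`r?`n"

$sampleApi = @(
    [pscustomobject]@{ Pid = 912;  Name = 'svchost' },
    [pscustomobject]@{ Pid = 1524; Name = 'explorer' }
)

$result = Compare-ProcessViews -ApiView $sampleApi -MemoryView (ConvertFrom-PsscanText $samplePsscan)
$result.HiddenFromApi | Format-Table Pid, Name   # lists PID 3312 only

# Live use, against a dump taken from the same host:
# Compare-ProcessViews -ApiView (Get-ApiProcessView) -MemoryView (ConvertFrom-PsscanText (Get-Content .\psscan.txt))
```

The match is on PID only because Get-Process reports names without the .exe suffix. A PID in HiddenFromApi is not proof by itself: psscan also carves terminated processes, so check the "Time exited" column of the original output before treating an entry as hidden.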

Driver Verification

# List loaded drivers
driverquery /v > drivers.txt

# Check driver signatures (pipe the files in; -FilePath must resolve to a single file)
Get-ChildItem C:\Windows\System32\drivers\*.sys | Get-AuthenticodeSignature | Where-Object { $_.Status -ne 'Valid' }

# Verify with System File Checker
sfc /scannow
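An added example, not from the original page, that joins the two checks above: it takes the drivers the service control manager reports as running (Win32_SystemDriver), verifies each image with Get-AuthenticodeSignature, and also reports a running driver whose file is not visible on disk. The path-normalising helper and the report function are this example's own names.

```powershell
# Added example, not from the original page: signature and on-disk check for
# every running kernel driver, using Win32_SystemDriver and Get-AuthenticodeSignature.

function ConvertTo-Win32DriverPath {
    # Win32_SystemDriver.PathName appears in several forms; normalise to a plain Win32 path
    param([Parameter(Mandatory)][string]$PathName)
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                              # \??\C:\...       -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"        # \SystemRoot\...  -> C:\Windows\...
    if ($p -match '^system32\\') { $p = "$env:SystemRoot\$p" }    # relative system32\... form
    return $p
}

function Get-LoadedDriverSignatureReport {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }
    foreach ($d in $drivers) {
        if (-not $d.PathName) {
            # A running driver with no image path is itself worth a closer look
            [pscustomobject]@{ Name = $d.Name; Path = $null; OnDisk = $false; Status = 'NoPath'; Signer = $null }
            continue
        }
        $path   = ConvertTo-Win32DriverPath $d.PathName
        $exists = Test-Path -LiteralPath $path
        # A driver that is loaded but whose file is not visible may be hidden by a file-system filter
        $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
        $status = if ($sig) { $sig.Status.ToString() } else { 'FileNotFound' }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        [pscustomobject]@{ Name = $d.Name; Path = $path; OnDisk = $exists; Status = $status; Signer = $signer }
    }
}

# Anything other than 'Valid' (NotSigned, HashMismatch, UnknownError, FileNotFound, NoPath) is the review list
Get-LoadedDriverSignatureReport | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
```

On Windows 8 and later Get-AuthenticodeSignature also consults the catalog store, so inbox drivers that carry no embedded signature still report Valid; a HashMismatch on a Microsoft-named driver is the result to act on first.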

Firmware Verification

UEFI/BIOS Check

# Check Secure Boot status (run as Administrator; fails on legacy BIOS systems)
Confirm-SecureBootUEFI

# Firmware vendor and version as recorded in the registry (not the UEFI variable store)
Get-ItemProperty -Path HKLM:\HARDWARE\DESCRIPTION\System\BIOS

# Check boot configuration
bcdedit /enum

MBR Analysis

# Dump MBR (Windows port of dd, run as Administrator)
dd if=\\.\PhysicalDrive0 of=mbr.bin bs=512 count=1

# Analyze with a hex editor, or with the file utility (reports the boot signature and partition table):
file mbr.bin
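What the hex editor step above looks at, as an added example that is not part of the original page: the 512-byte sector is decoded (0x55AA signature, four partition entries at offset 0x1BE), the 446 bytes of boot code are fingerprinted with SHA-256, and the result is compared with a baseline taken from a known-clean state. The sample sector is constructed inline; reading the live sector through a .NET FileStream on \\.\PhysicalDrive0 is this example's assumption and needs Administrator rights.

```powershell
# Added example, not from the original page: decode a 512-byte MBR sector, validate
# the 0x55AA signature, list partition entries and fingerprint the boot code so it
# can be compared with a baseline taken from a known-clean state.

function Read-Mbr {
    param([Parameter(Mandatory)][byte[]]$Sector)
    if ($Sector.Length -ne 512) { throw "Expected a 512-byte sector, got $($Sector.Length) bytes" }
    $bootCode = [byte[]]$Sector[0..445]                    # bytes 0x000-0x1BD
    $sha256   = [System.Security.Cryptography.SHA256]::Create()
    $hash     = ($sha256.ComputeHash($bootCode) | ForEach-Object { $_.ToString('x2') }) -join ''
    $partitions = for ($i = 0; $i -lt 4; $i++) {
        $o = 0x1BE + (16 * $i)                              # four 16-byte entries at 0x1BE
        if ($Sector[$o + 4] -eq 0) { continue }             # type 0x00 = unused slot
        [pscustomobject]@{
            Index    = $i
            Bootable = ($Sector[$o] -eq 0x80)
            Type     = '0x{0:X2}' -f $Sector[$o + 4]
            StartLba = [BitConverter]::ToUInt32($Sector, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }
    [pscustomobject]@{
        SignatureValid = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
        BootCodeSha256 = $hash
        Partitions     = @($partitions)
    }
}

function Test-MbrAgainstBaseline {
    # Flags a changed boot-code hash or a changed partition table; both are bootkit indicators
    param([Parameter(Mandatory)]$Current, [Parameter(Mandatory)]$Baseline)
    $findings = @()
    if (-not $Current.SignatureValid) { $findings += 'Boot signature 0x55AA missing' }
    if ($Current.BootCodeSha256 -ne $Baseline.BootCodeSha256) { $findings += 'Boot code differs from baseline' }
    $curTable  = ($Current.Partitions  | ForEach-Object { "$($_.Type):$($_.StartLba):$($_.Sectors)" }) -join ','
    $baseTable = ($Baseline.Partitions | ForEach-Object { "$($_.Type):$($_.StartLba):$($_.Sectors)" }) -join ','
    if ($curTable -ne $baseTable) { $findings += 'Partition table differs from baseline' }
    return $findings
}

function Read-PhysicalDriveSector0 {
    # Live read of the first sector (Administrator required); assumption of this example
    param([string]$Device = '\\.\PhysicalDrive0')
    $fs = [System.IO.File]::Open($Device, 'Open', 'Read', 'ReadWrite')
    try { $buf = New-Object byte[] 512; [void]$fs.Read($buf, 0, 512); return $buf } finally { $fs.Dispose() }
}

# --- Constructed sample: zeroed boot code, one bootable NTFS (0x07) partition, valid signature ---
$clean = New-Object byte[] 512
$entry = [byte[]](@(0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF) +
                  [BitConverter]::GetBytes([uint32]2048) + [BitConverter]::GetBytes([uint32]204800))
[Array]::Copy($entry, 0, $clean, 0x1BE, 16)
$clean[510] = 0x55; $clean[511] = 0xAA
$baseline = Read-Mbr $clean

$tampered = [byte[]]$clean.Clone()
$tampered[0] = 0xEB; $tampered[1] = 0x3C                    # altered first bytes of the boot code
Test-MbrAgainstBaseline -Current (Read-Mbr $tampered) -Baseline $baseline   # 'Boot code differs from baseline'

# Live: compare the current sector with a baseline dump (mbr.bin from the dd command above):
# Test-MbrAgainstBaseline -Current (Read-Mbr (Read-PhysicalDriveSector0)) -Baseline (Read-Mbr ([IO.File]::ReadAllBytes('.\mbr.bin')))
```

Take the baseline right after a clean installation and keep it off the machine; a Windows update can legitimately rewrite boot code on a BIOS-booted disk, so a changed hash is a prompt to inspect the sector, not a verdict on its own. GPT disks keep a protective MBR whose single 0xEE entry should likewise never change.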

Removal Procedures

Standard Removal Steps

1. Boot into Safe Mode with Networking
   - Shift + Restart → Troubleshoot → Startup Settings → Safe Mode

2. Disable System Restore (prevents reinfection)
   - System Properties → System Protection → Configure → Disable

3. Run RKill to stop malicious processes

4. Run TDSSKiller for bootkit detection

5. Run GMER for kernel-mode detection

6. Run Malwarebytes full scan

7. Check scheduled tasks
   - taskschd.msc → Review all tasks for suspicious entries

8. Check services
   - services.msc → Review for unknown services

9. Verify hosts file
   - notepad C:\Windows\System32\drivers\etc\hosts

10. Check DNS settings
    - ipconfig /all → Verify DNS servers
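Steps 7 to 9 above are manual reviews; the following is an added example, not from the original page, that makes them scriptable: hosts-file overrides, scheduled task actions and service image paths that point at user-writable locations. The hosts content in the block is a constructed sample, and the path heuristic and function names are this example's own.

```powershell
# Added example, not from the original page: scriptable versions of steps 7-9
# (scheduled tasks, services, hosts file). The hosts content below is a constructed sample.

# Locations a Windows component or a properly installed program rarely executes from
$userWritable = '\\Users\\|\\Temp\\|%temp%|%appdata%|%localappdata%|\\ProgramData\\|\\Public\\'

function Get-HostsOverrides {
    # Returns every active hosts mapping that is not the loopback/localhost default
    param([string[]]$Lines = (Get-Content -LiteralPath "$env:SystemRoot\System32\drivers\etc\hosts"))
    foreach ($raw in $Lines) {
        $line = ($raw -split '#', 2)[0].Trim()
        if ($line -and $line -notmatch '^(127\.0\.0\.1|::1)\s+localhost$') {
            [pscustomobject]@{ Source = 'hosts'; Name = $line; Path = $null }
        }
    }
}

function Get-TasksFromUserWritablePaths {
    # Scheduled task actions whose executable or arguments point at user-writable locations
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $userWritable) {
                [pscustomobject]@{ Source = 'task'; Name = "$($t.TaskPath)$($t.TaskName)"; Path = $cmd }
            }
        }
    }
}

function Get-ServicesFromUserWritablePaths {
    # Services whose image path points at user-writable locations
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName -match $userWritable } |
        ForEach-Object { [pscustomobject]@{ Source = 'service'; Name = $_.Name; Path = $_.PathName } }
}

# Constructed hosts sample: the last line is the kind of override to investigate
$sampleHosts = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '127.0.0.1       localhost',
    '::1             localhost',
    '203.0.113.10    update.example-vendor.invalid   # redirects an update server'
)
Get-HostsOverrides -Lines $sampleHosts        # returns only the 203.0.113.10 line

# Live review on the host being cleaned:
# @(Get-HostsOverrides) + @(Get-TasksFromUserWritablePaths) + @(Get-ServicesFromUserWritablePaths) | Format-Table -AutoSize
```

Run the live review once before cleaning and once after, and diff the two outputs; an entry that reappears after a reboot points at a persistence mechanism the scanners did not remove.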

Advanced: Offline Scanning

1. Create Windows PE boot USB
   - Use Windows ADK or Rufus with WinPE

2. Boot from USB

3. Run scans from clean environment:
   - Mount infected drive as secondary
   - Scan with portable antivirus
   - Check for rootkits in offline registry

4. Clean MBR if infected:
   - bootrec /fixmbr
   - bootrec /fixboot
   - bootrec /scanos
   - bootrec /rebuildbcd

Nuclear Option: Complete Eradication

Secure Erase and Rebuild

1. Boot from Windows installation media

2. Open Command Prompt (Shift+F10)

3. Diskpart commands:
   diskpart
   list disk
   select disk 0
   clean all
   exit

4. Reflash UEFI firmware:
   - Download latest firmware from manufacturer
   - Use USB flashback or DOS flash utility
   - Clear CMOS after flash

5. Reinstall Windows from verified media

6. Restore data from clean backups only
   - Do not restore executables
   - Scan all documents before opening

Post-Removal Verification

System Integrity Checks

# System File Checker
sfc /scannow

# Deployment Image Servicing
DISM /Online /Cleanup-Image /CheckHealth
DISM /Online /Cleanup-Image /ScanHealth
DISM /Online /Cleanup-Image /RestoreHealth

# Check for residual drivers
driverquery /v | findstr /i "unknown"

# Verify network stack
netsh winsock reset
netsh int ip reset
ipconfig /flushdns

Monitoring Setup

# Enable boot logging
bcdedit /set bootlog yes

# Check for persistent WMI subscriptions
Get-WmiObject -Class __EventFilter -Namespace root\subscription
Get-WmiObject -Class __EventConsumer -Namespace root\subscription
Get-WmiObject -Class __FilterToConsumerBinding -Namespace root\subscription
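The three queries above list filters, consumers and bindings separately; the following added example, not part of the original page, joins them so each binding is shown with its trigger query and the command or script the consumer runs. It uses Get-CimInstance rather than Get-WmiObject (same namespace and classes); the function names are this example's own.

```powershell
# Added example, not from the original page: resolve each WMI filter-to-consumer
# binding to its trigger query and its consumer payload (command line or script).

function Get-WmiPersistence {
    $ns = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

    # A reference property may come back as a CimInstance or as a path string such as
    # __EventFilter.Name="x"; this extracts the Name either way
    function Get-RefName($ref) {
        if ($ref -is [string]) { return ($ref -replace '^.*Name="([^"]*)".*$', '$1') }
        return $ref.Name
    }

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
        $query  = if ($f) { $f.Query } else { '<missing filter>' }
        $cClass = if ($c) { $c.CimClass.CimClassName } else { 'MissingConsumer' }
        # Payload depends on the consumer class: CommandLineEventConsumer runs a command,
        # ActiveScriptEventConsumer runs VBScript/JScript text or a script file
        $payload = switch ($cClass) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptFileName) { $c.ScriptFileName } else { $c.ScriptText } }
            default                     { $null }
        }
        [pscustomobject]@{
            Filter        = $fName
            Query         = $query
            ConsumerClass = $cClass
            Consumer      = $cName
            Payload       = $payload
        }
    }
}

# Windows itself registers 'SCM Event Log Filter' bound to an NTEventLogEventConsumer; bindings
# that run a command line or script text are the review list
Get-WmiPersistence |
    Where-Object { $_.ConsumerClass -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer' } |
    Format-List
```

A binding whose filter or consumer cannot be resolved is reported as missing rather than skipped, since a half-deleted subscription is still evidence of what was there.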

Prevention

Measure                        Implementation
-----------------------------  ------------------------------------
Secure Boot                    UEFI settings → Secure Boot: Enabled
TPM 2.0                        Verify in tpm.msc
Virtualization-based Security  Enable in Windows Security
Credential Guard               Group Policy or MDM
Application Control            Windows Defender Application Control
Driver Signing Enforcement     bcdedit /set nointegritychecks off
