New Anti-Rootkit Tool: Packed Driver Detector [Beta, Testers Needed!]

We've just released the beta version of a new tool called Packed Driver Detector.

Download: http://www.misec.net/products/PDD.exe (No installation required - simply run file)



What does this thing do?

Drivers are system files that are used in kernel mode to execute system code. Rootkits use a driver (.sys) file to subvert the Windows kernel and hide their presence in the system. Recent rootkits have begun packing and/or encrypting their driver files to make them harder to detect.

This tool identifies packed driver files. On an uninfected system there should be no packed driver files. Use this tool to identify any packed driver files on your system.

How can I help?

This is the first beta release of Packed Driver Identifier. If you want to help out testing it, download and run it to scan your system. If the tool identifies any packed drivers, don't panic. This is the first release of the tool and the identified files are very likely legitimate. Please email the detected driver files to support@misec.net along with your scan log. We will analyze the files for you and tell you if they really are something to worry about.

It would be very helpful if you could post your scan report even if no packed drivers are identified. This is to help verify that the tool is actually not reporting any packed files on clean systems.

 

i just try it and this is the results:

Scanning C:\WINDOWS\system32\drivers\
No packed driver files were detected (270 files scanned).
what is this mean?

 

That means that the tool scanned 270 driver files on your system and didn't find any packed ones. This is a good thing since a packed driver would very likely be a rootkit. Regular driver file authors would not encrypt or compress their drivers.

 

Results. Probably the 64 bit protection (which in fact looks like a rootkit behavior itself)

 

thanks for the value info,nice app.thats good to know that my H.I.P.S and Sandboxes programs are really doing their job.no antivirus here for long time

 

What Windows/Service Pack version is this on?

 

I just tried it, not sure if the error means anything:


Scanning C:\WINDOWS\system32\drivers\
Error: This is not a PE format
Error: Unable to get read access to C:\WINDOWS\system32\drivers\sptd.sys
No packed driver files were detected (223 files scanned).

 

The first error means PDD tried to scan a file that was not a regular driver file. This is a harmless message - I will add code to show which file this happens on.

The second message means sptd.sys could not be accessed. sptd.sys is the driver for Daemon Tools - I'm guessing Daemon Tools takes additional steps to make sure its driver file cannot be read. This is good information; I will make sure this can be worked around so that all driver files are read.

 

Windows Vista 64 bit Sp1.
I see PDD.exe Buffer Overflows (QueryNameInformationFile) in procmon for each called driver.

 

Ah, it's 64-bit, that's why you are getting that error. I'd have to say that this utility won't work on 64-bit for now then. Also explains why the program only found 7 driver files - those would be the 32-bit drivers.

 

Ah okay good to know. I will try it asap in 32 bit. (Btw probably windows 64 bit protection could block forensic research for rootkits if rootkits bypass patchguard or nameinfo redirection that could prevent official or beta tools to scan for patched 64 bit regions (vista botch?))

 

There is now also a dedicated web page on our site for this utility. The latest version will always be available here:

http://www.misec.net/products/pdd/

 

are you the maker of trojan hunter?

 

And here is the utility in action detecting the TDSServ rootkit that is used by Antivirus XP 2008:

 

Yes, that's right

 

cool and welcome to wilders

 

Someone just emailed the file ctdvda2k.sys which is detected as packed. This is a Creative DVD driver that contains a large block of compressed data. So there are some legitimate driver files out there that contains this kind of data.

This file could easily be filtered out though since it is digitally signed by Creative Technology Ltd. If anyone else has any files that are being detected, please do email them to support@misec.net

 

Just downloaded and ran the program. I am running XP SP2. results:
Scanning C:\WINDOWS\system32\drivers\
No packed driver files were detected (360 files scanned).
Will this be included as a utility in TrojanHunter?

 

It all depends on how much users requested it. I don't think it would be helpful for most home users as you'd have to be pretty tech savvy to interpret the results. Perhaps it should just be made available as a stand-alone tool - I'm not sure yet.

 

Code:

Scanning C:\WINDOWS\system32\drivers\
No packed driver files were detected (207 files scanned).

No problems.

 

Windows 2000

Scanning C:\WINDOWS\system32\drivers\
No packed driver files were detected (222 files scanned).

 

Can always use another tool. Thanks for making it available to test.

 

Windows XP SP2

Scanning C:\WINDOWS\system32\drivers\
Error: Unable to get read access to C:\WINDOWS\system32\drivers\sptd.sys
No packed driver files were detected (203 files scanned).

 

Vista SP1 (32-bit)

spsys.sys seems to be a Vista RTM driver for making kernel stops as part of their latest WGA program.

 

Correct - it's a legitimate file used to protect Vista against piracy. And they have huge blobs of binary data in there. If the day had 36 hours I would analyze it just to find out what it does...