Hunting rootkits / Windows NT "native" file/regist

CCRDude
Junior Member
Posts: 26
Joined: 2007-10-01, 10:51 UTC


Post by CCRDude » 2008-01-30, 19:59 UTC

Here are two new plugins for NT/2000/XP/2003/Vista users that allow browsing the file system and the registry through NT native methods.

Useful mostly to hunt down rootkit files (and registry entries), for rootkits that hide themselves from the Win32 subsystem, but not the native WinNT underneath.

More details in the thread on the originating forum linked to above :)
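As an added illustration of the cross-view idea behind these plugins (example code written for this thread, not the plugins' own source): a Python/ctypes helper that lists a directory through ntdll's NtOpenFile and NtQueryDirectoryFile, never touching the kernel32 Win32 layer, so that its result can be compared with what os.listdir reports. The helper names parse_directory_entries and native_listdir are assumptions; the structure layouts, access masks and status codes are the documented native API values.

```python
"""Cross-view listing: NtQueryDirectoryFile (ntdll) versus os.listdir (Win32 layer). Hypothetical helper, Windows-only."""
import ctypes, os, struct
from ctypes import Structure, POINTER, c_ushort, c_ulong, c_void_p, c_wchar_p

STATUS_NO_MORE_FILES, FILE_DIRECTORY_INFORMATION, OBJ_CASE_INSENSITIVE = 0x80000006, 1, 0x40

class UNICODE_STRING(Structure):
    _fields_ = [("Length", c_ushort), ("MaximumLength", c_ushort), ("Buffer", c_wchar_p)]

class OBJECT_ATTRIBUTES(Structure):
    _fields_ = [("Length", c_ulong), ("RootDirectory", c_void_p), ("ObjectName", POINTER(UNICODE_STRING)),
                ("Attributes", c_ulong), ("SecurityDescriptor", c_void_p), ("SecurityQualityOfService", c_void_p)]

class IO_STATUS_BLOCK(Structure):
    _fields_ = [("Status", c_void_p), ("Information", c_void_p)]

def parse_directory_entries(raw):
    """Walk a FILE_DIRECTORY_INFORMATION chain (NextEntryOffset at +0, FileNameLength at +60,
    UTF-16LE FileName at +64) and return the file names in buffer order."""
    names, off = [], 0
    while True:
        next_off, = struct.unpack_from("<I", raw, off)
        name_len, = struct.unpack_from("<I", raw, off + 60)
        names.append(raw[off + 64:off + 64 + name_len].decode("utf-16-le"))
        if next_off == 0:
            return names
        off += next_off

def native_listdir(path):
    """List a directory through NtOpenFile/NtQueryDirectoryFile only (no kernel32 calls)."""
    nt = ctypes.WinDLL("ntdll")
    name, iosb, handle = UNICODE_STRING(), IO_STATUS_BLOCK(), c_void_p()
    nt_path = ctypes.create_unicode_buffer("\\??\\" + os.path.abspath(path))  # must outlive `name`
    nt.RtlInitUnicodeString(ctypes.byref(name), nt_path)
    oa = OBJECT_ATTRIBUTES(ctypes.sizeof(OBJECT_ATTRIBUTES), None, ctypes.pointer(name),
                           OBJ_CASE_INSENSITIVE, None, None)
    # FILE_LIST_DIRECTORY|SYNCHRONIZE, share read/write/delete, FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT
    if nt.NtOpenFile(ctypes.byref(handle), 0x100001, ctypes.byref(oa), ctypes.byref(iosb), 7, 0x21) < 0:
        raise OSError("NtOpenFile failed for %r" % path)
    buf, names = ctypes.create_string_buffer(64 * 1024), set()
    try:
        while True:
            status = nt.NtQueryDirectoryFile(handle, None, None, None, ctypes.byref(iosb), buf,
                                             len(buf), FILE_DIRECTORY_INFORMATION, False, None, False)
            if (status & 0xFFFFFFFF) == STATUS_NO_MORE_FILES:
                return names - {".", ".."}   # compare with set(os.listdir(path)) for the Win32 view
            if status < 0:
                raise OSError("NtQueryDirectoryFile failed: 0x%08X" % (status & 0xFFFFFFFF))
            names.update(parse_directory_entries(buf.raw))
    finally:
        nt.NtClose(handle)
```

On a Windows box, `sorted(native_listdir(p) - set(os.listdir(p)))` gives the names the native view returns that the Win32 view does not; an empty result means both layers agree for that directory.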

icfu
Power Member
Posts: 6052
Joined: 2003-09-10, 18:33 UTC

Post by icfu » 2008-01-30, 20:36 UTC

"We might create an installer to automate this"
You don't need an installer, just create two archives and add pluginst.inf file in each of them:

Code:

[plugininstall]
description=Windows NT Native mode plugin for the file system
descriptiondeu=Windows-NT-Nativmodus-Plugin für das Dateisystem
type=wfx
file=NTFiles.wfx
defaultdir=NTFiles

Code:

[plugininstall]
description=Windows NT Native mode plugin for the registry
descriptiondeu=Windows-NT-Nativmodus-Plugin für die Registry
type=wfx
file=NTRegistry.wfx
defaultdir=NTRegistry
Icfu
This account is for sale

byblo
Senior Member
Posts: 215
Joined: 2005-02-20, 21:13 UTC

Post by byblo » 2008-02-01, 06:44 UTC

Very interesting. Does it kill a process if needed, before deleting the file?
