Hunting rootkits / Windows NT "native" file/regist

CCRDude
Junior Member
Posts: 26
Joined: 2007-10-01, 10:51 UTC

Post by *CCRDude »

Here are two new plugins for NT/2000/XP/2003/Vista users that allow browsing the file system and the registry through NT native methods.

Useful mostly to hunt down rootkit files (and registry entries), for rootkits that hide themselves from the Win32 subsystem but not from the native WinNT layer underneath.

More details in the thread on the originating forum linked to above :)
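The technique the plugins rely on is a "cross-view" comparison: the same directory is listed once through the Win32 layer and once through the NT native API, and any name that only the native view returns is worth a closer look. The script below is an added example, not code from the NTFiles plugin or from this thread; the function names (`native_listdir`, `cross_view_diff`, `scan_directory`) and the 64 KB buffer size are my choices, while the NT constants and the `NtOpenFile`/`NtQueryDirectoryFile` signatures are the documented ones. It assumes Python 3 on Windows for the native enumeration; the comparison itself is a pure function that runs anywhere. As the post above notes, this only catches rootkits that filter the Win32 layer: a kernel-mode hook on the native path hides from both views.

```python
# Added example: cross-view directory listing (Win32 vs. NT native API).
# Not code from the NTFiles plugin or this thread.
import ctypes
import os
import struct
import sys
from ctypes import (POINTER, Structure, byref, c_ulong, c_ushort, c_void_p,
                    c_wchar_p, create_string_buffer, sizeof)

# Documented NT constants (winternl.h / ntifs.h values)
FILE_LIST_DIRECTORY = 0x0001
SYNCHRONIZE = 0x00100000
FILE_SHARE_ALL = 0x0007                  # read | write | delete
FILE_DIRECTORY_FILE = 0x00000001
FILE_SYNCHRONOUS_IO_NONALERT = 0x00000020
OBJ_CASE_INSENSITIVE = 0x00000040
FILE_NAMES_INFORMATION = 12              # FILE_INFORMATION_CLASS member
STATUS_NO_MORE_FILES = 0x80000006


class UNICODE_STRING(Structure):
    _fields_ = [("Length", c_ushort), ("MaximumLength", c_ushort),
                ("Buffer", c_wchar_p)]


class OBJECT_ATTRIBUTES(Structure):
    _fields_ = [("Length", c_ulong), ("RootDirectory", c_void_p),
                ("ObjectName", POINTER(UNICODE_STRING)),
                ("Attributes", c_ulong), ("SecurityDescriptor", c_void_p),
                ("SecurityQualityOfService", c_void_p)]


class IO_STATUS_BLOCK(Structure):
    _fields_ = [("Status", c_void_p), ("Information", c_void_p)]


def native_listdir(path):
    """Enumerate a directory with NtOpenFile + NtQueryDirectoryFile (Windows only)."""
    if sys.platform != "win32":
        raise OSError("the NT native API is only available on Windows")
    ntdll = ctypes.WinDLL("ntdll")
    ntdll.NtOpenFile.restype = c_ulong          # NTSTATUS, read as unsigned
    ntdll.NtQueryDirectoryFile.restype = c_ulong
    ntdll.NtClose.restype = c_ulong

    # Object-manager path (\??\C:\dir) instead of the Win32 path (C:\dir)
    native_path = "\\??\\" + os.path.abspath(path)
    name = UNICODE_STRING(len(native_path) * 2, len(native_path) * 2 + 2, native_path)
    attrs = OBJECT_ATTRIBUTES(sizeof(OBJECT_ATTRIBUTES), None, ctypes.pointer(name),
                              OBJ_CASE_INSENSITIVE, None, None)
    handle = c_void_p()
    iosb = IO_STATUS_BLOCK()
    status = ntdll.NtOpenFile(byref(handle), FILE_LIST_DIRECTORY | SYNCHRONIZE,
                              byref(attrs), byref(iosb), FILE_SHARE_ALL,
                              FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT)
    if status >= 0x80000000:
        raise OSError("NtOpenFile failed: 0x%08X" % status)

    names = set()
    buf = create_string_buffer(64 * 1024)    # buffer size is my choice
    restart = True
    try:
        while True:
            status = ntdll.NtQueryDirectoryFile(handle, None, None, None, byref(iosb),
                                                buf, sizeof(buf), FILE_NAMES_INFORMATION,
                                                False, None, restart)
            restart = False
            if status == STATUS_NO_MORE_FILES:
                break
            if status >= 0x80000000:
                raise OSError("NtQueryDirectoryFile failed: 0x%08X" % status)
            # Walk the FILE_NAMES_INFORMATION chain:
            # ULONG NextEntryOffset; ULONG FileIndex; ULONG FileNameLength; WCHAR FileName[]
            off = 0
            while True:
                next_off, _index, name_len = struct.unpack_from("<III", buf, off)
                names.add(buf.raw[off + 12:off + 12 + name_len].decode("utf-16-le"))
                if next_off == 0:
                    break
                off += next_off
    finally:
        ntdll.NtClose(handle)
    return names


def cross_view_diff(win32_names, native_names):
    """Names the native view returns that the Win32 view does not.

    Comparison is case-insensitive (NTFS semantics). '.' and '..' are dropped
    because the native enumeration returns them and os.listdir() does not.
    """
    seen = {n.casefold() for n in win32_names}
    return sorted(n for n in native_names
                  if n not in (".", "..") and n.casefold() not in seen)


def scan_directory(path):
    """Return names visible natively but missing from the Win32 listing of `path`."""
    return cross_view_diff(os.listdir(path), native_listdir(path))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SystemRoot", r"C:\Windows")
    for suspicious in scan_directory(target):
        print("only visible via native API:", os.path.join(target, suspicious))
```

Run it as `python crossview.py C:\Windows\System32` on the machine under investigation; an empty result means both views agree, and any name printed is a candidate for the same manual inspection the plugins support. A difference is a lead, not proof: short-lived files created between the two listings also show up, so re-run before drawing conclusions.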
icfu
Power Member
Posts: 6052
Joined: 2003-09-10, 18:33 UTC

Post by *icfu »

> We might create an installer to automate this

You don't need an installer; just create two archives and add a pluginst.inf file to each of them:

Code:

[plugininstall]
description=Windows NT Native mode plugin for the file system
descriptiondeu=Windows-NT-Nativmodus-Plugin für das Dateisystem
type=wfx
file=NTFiles.wfx
defaultdir=NTFiles

Code:

[plugininstall]
description=Windows NT Native mode plugin for the registry
descriptiondeu=Windows-NT-Nativmodus-Plugin für die Registry
type=wfx
file=NTRegistry.wfx
defaultdir=NTRegistry
Icfu
This account is for sale
byblo
Senior Member
Posts: 270
Joined: 2005-02-20, 21:13 UTC

Post by *byblo »

Very interesting. Does it kill a process if needed, before deleting the file?
DrShark
Power Member
Posts: 1872
Joined: 2006-11-03, 22:26 UTC
Location: Kyiv, 68/262

Re: Hunting rootkits / Windows NT "native" file/registry

Post by *DrShark »

Plugins (download by archive link from this post) were created with Vista as the newest OS, but can work on newer Windows, though it seems they can crash TC on installation.
At least here, on Windows 7 32-bit in TC using dark mode, when installing the plugin NTFiles.wfx manually through Total Commander's "File system plugins" dialog, the following crash happened:

Code:

---------------------------
Total Commander 10.00Я6
---------------------------
Access violation at address 060B8284. Read of address 060B8284.
Access violation at address 060B8284. Read of address 060B8284
Windows 7 SP1 HomePremium 6.1 (Build 7601), base: 00400000

Please report this error to the Author, with a description
of what you were doing when this error occurred!

Windows exception: C0000005
Stack trace:
060B8284
0042FBCD  0042FC68  0048FCC1  004436E8  0045076A  004435B1
00444C1E  004434E7  0044596A  004455B6  >0042A392  00444B54
0042A392  00444AAA  0042A392  00444C1E  004455B6  0042A392
00444B54  0042A392  0042FBCD  0042FC68  00444AAA  0042A392
00444AAA  0042A392  004435B1  004455B6  0042A392  00444B54
0042A392  00444AAA  0042A392  004435B1  004455B6  0042A392
00444B54  0042A392  00444AAA  0042A392  0043441C  0043441C
004333DC  0043416E  004435B1  004455B6  0042A392  00444B54
0042A392  0042FBCD  0042FC68  
Raw:
0042FBCD  0042FC68  004033FC  00402379  0048FCC1  00444B54
0042A392  00444AAA  0042A392  0044592F  0042CF25  0044608E
004435B1  00445885  0042C38D  00444C1E  004455B6  004455D9
0044608E  00402E76  0044592F  00450B90  00444B54  0042A392
0042A392  00444AAA  0042A392  004436E8  00450666  0045076A
004435B1  00445885  0044592F  004505D9  00444C1E  004434E7
0044596A  00445D0E  004435B1  00445885  00444C1E  004455B6
0042A392  00444B54  0042A392  00444AAA  
Press Ctrl+C to copy this report!
Continue execution?
---------------------------
Да   Нет   
---------------------------
Once installed, after accessing the plugin in Network Neighborhood it works fine there, without crashes.
Donate for Ukraine to help stop Russian invasion!
Ukraine's National Bank special bank account:
UA843000010000000047330992708