Here are two new plugins for NT/2000/XP/2003/Vista users that allow browsing the file system and the registry through NT native methods.
Useful mostly to hunt down rootkit files (and registry entries) for rootkits that hide themselves from the Win32 subsystem, but not from the native WinNT layer underneath.
More details in the thread on the originating forum linked to above.
Hunting rootkits / Windows NT "native" file/registry
You don't need an installer, just create two archives and add a pluginst.inf file in each of them:

pluginst.inf for the file system plugin:

[plugininstall]
description=Windows NT Native mode plugin for the file system
descriptiondeu=Windows-NT-Nativmodus-Plugin für das Dateisystem
type=wfx
file=NTFiles.wfx
defaultdir=NTFiles

pluginst.inf for the registry plugin:

[plugininstall]
description=Windows NT Native mode plugin for the registry
descriptiondeu=Windows-NT-Nativmodus-Plugin für die Registry
type=wfx
file=NTRegistry.wfx
defaultdir=NTRegistry

We might create an installer to automate this.
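The packaging step above (two archives, each carrying its pluginst.inf) as an added example, not code from the post or the plugin authors: it renders the two .inf bodies exactly as given, packs each beside its .wfx, and re-reads the archive to confirm the file named by file= is really inside before you hand it to Total Commander. Storing the .inf as cp1252 and the use of a temporary output directory are assumptions of this example.

```python
import configparser
import tempfile
import zipfile
from pathlib import Path

# The two pluginst.inf bodies from the post, keyed by plugin name.
PLUGIN_INF = {
    "NTFiles": ("Windows NT Native mode plugin for the file system",
                "Windows-NT-Nativmodus-Plugin für das Dateisystem"),
    "NTRegistry": ("Windows NT Native mode plugin for the registry",
                   "Windows-NT-Nativmodus-Plugin für die Registry"),
}

def render_inf(name: str) -> str:
    """Render the [plugininstall] section for one of the two plugins."""
    desc, desc_deu = PLUGIN_INF[name]
    return ("[plugininstall]\n"
            f"description={desc}\n"
            f"descriptiondeu={desc_deu}\n"
            "type=wfx\n"
            f"file={name}.wfx\n"
            f"defaultdir={name}\n")

def build_archive(name: str, wfx_bytes: bytes, out_dir: Path) -> Path:
    """Write <name>.zip holding <name>.wfx plus pluginst.inf, as the post describes."""
    out = out_dir / f"{name}.zip"
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{name}.wfx", wfx_bytes)
        # Stored as Windows ANSI (cp1252) for the umlaut; the encoding is an assumption.
        zf.writestr("pluginst.inf", render_inf(name).encode("cp1252"))
    return out

def check_archive(path: Path) -> dict:
    """Pre-install check: parse pluginst.inf and confirm the file it names is packed."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if "pluginst.inf" not in names:
            raise ValueError("pluginst.inf missing from archive")
        cp = configparser.ConfigParser()
        cp.read_string(zf.read("pluginst.inf").decode("cp1252"))
        sect = dict(cp["plugininstall"])
    if sect.get("type") != "wfx" or sect.get("file") not in names:
        raise ValueError("bad pluginst.inf: type must be wfx and file= must be packed")
    return sect

def build_all(wfx_bytes: dict, out_dir=None) -> dict:
    """Build and verify both archives; wfx_bytes maps plugin name -> DLL bytes."""
    out_dir = out_dir or Path(tempfile.mkdtemp())
    return {n: check_archive(build_archive(n, b, out_dir)) for n, b in wfx_bytes.items()}
```

Call build_all with the real NTFiles.wfx and NTRegistry.wfx bytes read from the downloaded plugin files; the returned dicts are the parsed [plugininstall] sections.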
Re: Hunting rootkits / Windows NT "native" file/registry
The plugins (download via the archive link in this post) were created for Vista as the newest OS at the time, but can work on newer Windows, though it seems they can crash TC on installation.
Once installed, accessing the plugin through Network Neighborhood works fine without crashes.
At least here on Windows 7 32-bit, in TC using dark mode, when installing the plugin NTFiles.wfx manually through Total Commander's "File system plugins" dialog, the following crash happened:
---------------------------
Total Commander 10.00Я6
---------------------------
Access violation at address 060B8284. Read of address 060B8284.
Access violation at address 060B8284. Read of address 060B8284
Windows 7 SP1 HomePremium 6.1 (Build 7601), base: 00400000
Please report this error to the Author, with a description
of what you were doing when this error occurred!
Windows exception: C0000005
Press Ctrl+C to copy this report!
Continue execution?
---------------------------
Да Нет
---------------------------