CodeWalker is an anti-rootkit tool which can:
+ Detect hidden processes
+ Detect hidden drivers
+ Detect hidden files (support NTFS only)
+ Detect hooks in both kernel mode and user mode.
+ Run on English-language Windows 2000/XP/2003/Vista/2008.
The tool is currently in beta stage and the author is looking for people to test it. It has already been tested with some popular rootkit samples. If you get a BSOD (of course, you can never write a bug-free program), it would be much appreciated if you upload the minidumps to help the author fix the tool. Thanks in advance.
In this beta version, the main improvements over other ARKs are concentrated in hidden driver object detection (System Modules tab) and code hook detection.
For hidden driver detection, you can test it with some pretty well hidden driver PoCs such as phide_ex and many builds of Rustock.B variants, although you have to use the “Hardcore Scan” method to detect them.
For code hook detection, the engine walks all the branches of the scanned module, i.e. every execution path through it, to detect modifications (which, by the way, is why it is called CodeWalker). It detects code hooks very well, especially with rootkits that place abnormal hooks, although there are false positives.
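To illustrate the code-walking idea in miniature, here is an added example (not CodeWalker's own code, whose engine is not published here). It assumes a tiny hand-written x86 decoder covering only the handful of opcodes used in a constructed 21-byte module, walks every execution path from the entry point, flags any branch whose target lies outside the module image (the usual signature of an inline hook into a rootkit driver), and then diffs the walked instructions against a clean copy of the same bytes, standing in for the on-disk image. The module bytes, the hook at offset 0x0D and the helper names are all constructed for this example.

```python
"""Toy 'code walker': follow every execution path of a module's code,
flag branches that leave the image, and diff walked code against a
clean copy. Educational reduction of inline-hook detection, not a
production scanner (a real tool needs a full disassembler)."""
import struct


def decode(code, off):
    """Return (length, kind, target) for the instruction at `off`.
    kind is 'fall', 'jmp', 'call', 'jcc' or 'ret'; target is an offset
    relative to the start of `code` for branch instructions."""
    op = code[off]
    if op == 0xC3:                                    # ret
        return 1, 'ret', None
    if op == 0x90 or op in (0x50, 0x51, 0x58, 0x59):  # nop, push/pop eax/ecx
        return 1, 'fall', None
    if op == 0xB8:                                    # mov eax, imm32
        return 5, 'fall', None
    if op == 0xEB:                                    # jmp rel8
        return 2, 'jmp', off + 2 + struct.unpack_from('<b', code, off + 1)[0]
    if op == 0xE9:                                    # jmp rel32
        return 5, 'jmp', off + 5 + struct.unpack_from('<i', code, off + 1)[0]
    if op == 0xE8:                                    # call rel32
        return 5, 'call', off + 5 + struct.unpack_from('<i', code, off + 1)[0]
    if 0x70 <= op <= 0x7F:                            # jcc rel8
        return 2, 'jcc', off + 2 + struct.unpack_from('<b', code, off + 1)[0]
    raise ValueError(f'unsupported opcode {op:#x} at {off:#x}')


def walk(code, entry_points):
    """Depth-first walk of every reachable path from `entry_points`.
    Returns (visited, suspicious): visited maps instruction offset to
    length; suspicious lists (offset, target) for branches that leave
    the image, which is what an abnormal inline hook looks like."""
    visited = {}
    suspicious = []
    work = list(entry_points)
    while work:
        off = work.pop()
        while 0 <= off < len(code) and off not in visited:
            length, kind, target = decode(code, off)
            visited[off] = length
            if kind == 'ret':
                break
            if kind in ('jmp', 'call', 'jcc'):
                if 0 <= target < len(code):
                    work.append(target)       # in-image branch: walk it too
                else:
                    suspicious.append((off, target))
                if kind == 'jmp':
                    break                     # unconditional: no fall-through
            off += length
    return visited, suspicious


def scan_module(mem, disk, entry_points):
    """Walk the in-memory code and compare every walked instruction with
    the clean (on-disk) bytes. Returns a small report dict."""
    visited, suspicious = walk(mem, entry_points)
    modified = sorted(off for off, ln in visited.items()
                      if mem[off:off + ln] != disk[off:off + ln])
    return {'walked': len(visited), 'out_of_image': suspicious, 'modified': modified}


# Constructed clean module (21 bytes). Offsets are relative to its base.
CLEAN = bytes.fromhex(
    '50'            # 00: push eax
    'E807000000'    # 01: call 0x0D (helper)
    '7402'          # 06: je 0x0A
    'EB02'          # 08: jmp 0x0C
    '9090'          # 0A: nop; nop
    'C3'            # 0C: ret
    '51'            # 0D: helper: push ecx
    'B802000000'    # 0E: mov eax, 2
    '59'            # 13: pop ecx
    'C3'            # 14: ret
)

# Constructed in-memory copy: the helper's first five bytes are replaced
# by "jmp rel32" to offset 0x1000, i.e. somewhere outside this image.
HOOKED = bytearray(CLEAN)
HOOKED[0x0D:0x12] = bytes.fromhex('E9EE0F0000')
HOOKED = bytes(HOOKED)

if __name__ == '__main__':
    print('clean :', scan_module(CLEAN, CLEAN, [0]))
    print('hooked:', scan_module(HOOKED, CLEAN, [0]))
```

Two points the walk makes visible: the hooked helper is only reached by following the `call` from the entry point, so a scanner that checks export entry points alone would miss it, and the walker stops decoding at the out-of-image `jmp`, which is why the stray byte left behind at offset 0x12 never has to be decoded. Real modules contain indirect branches, data in code sections and compiler padding, which is where false positives of the kind mentioned above come from.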
- Size: 1.42 MB
- Download Here