RootkitRevealer is an advanced rootkit detection utility. It runs on Windows NT 4 and higher, and its output lists discrepancies between the Registry and file system views returned by the Windows API and the raw on-disk data, discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
RootkitRevealer successfully detects many persistent rootkits, including AFX, Vanquish and HackerDefender. It is not intended to detect rootkits such as Fu that do not attempt to hide their files or registry keys.
Persistent rootkits work by altering API results so that the view of the system obtained through APIs differs from the actual contents of storage. RootkitRevealer therefore compares the results of a system scan at the highest level with those at the lowest level. The highest level is the Windows API; the lowest level is the raw contents of a file system volume or of a Registry hive (a hive file is the Registry's on-disk storage format).
Thus a rootkit, whether user mode or kernel mode, that manipulates the Windows API or native API to remove its presence from a directory listing, for example, shows up in RootkitRevealer as a discrepancy between the information returned by the Windows API and that seen in the raw scan of a FAT or NTFS volume's file system structures.
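The cross-view comparison described above, reduced to its core, as an added example (not RootkitRevealer's own code): two constructed views of the same namespace, one as the Windows API would report it and one as a raw parse of the volume and hive would, are diffed and each discrepancy is classified. The paths, sizes and Run value are made up for the illustration; the raw parsing itself is out of scope here.

```python
"""Cross-view discrepancy check in the style of RootkitRevealer (added example).

A persistent rootkit that filters API results leaves objects present in the
raw on-disk view but absent from the API view. Objects present only in the
API view usually come from files created between the two scans, and a value
that exists in both views with different data is a data mismatch.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Discrepancy:
    path: str
    kind: str          # "hidden_from_api", "missing_from_raw" or "data_mismatch"
    api_value: object  # what the Windows API reported (None if absent)
    raw_value: object  # what the raw volume/hive scan reported (None if absent)


def _normalize(view):
    # NTFS, FAT and the Registry compare names case-insensitively, so fold case
    # and drop a trailing separator before comparing the two views.
    return {p.casefold().rstrip("\\"): v for p, v in view.items()}


def cross_view_diff(api_view, raw_view):
    """Return the sorted list of discrepancies between the two views."""
    api, raw = _normalize(api_view), _normalize(raw_view)
    findings = []
    for path in sorted(set(api) | set(raw)):
        if path in raw and path not in api:
            findings.append(Discrepancy(path, "hidden_from_api", None, raw[path]))
        elif path in api and path not in raw:
            findings.append(Discrepancy(path, "missing_from_raw", api[path], None))
        elif api[path] != raw[path]:
            findings.append(Discrepancy(path, "data_mismatch", api[path], raw[path]))
    return findings


# Constructed sample views: path -> file size in bytes, or registry value data.
API_VIEW = {
    r"C:\Windows\System32\ntoskrnl.exe": 4_300_000,
    r"C:\Windows\System32\drivers\disk.sys": 40_000,
    r"C:\Windows\Temp\scan.tmp": 12,  # created mid-scan, so absent from the raw view
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater": "updater.exe",
}
RAW_VIEW = {
    r"C:\Windows\System32\ntoskrnl.exe": 4_300_000,
    r"C:\Windows\System32\drivers\disk.sys": 40_000,
    r"C:\Windows\System32\drivers\hidden.sys": 25_600,  # filtered out of API results
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater": "updater.exe /silent",
}

if __name__ == "__main__":
    for d in cross_view_diff(API_VIEW, RAW_VIEW):
        print(f"{d.kind:17} {d.path}  api={d.api_value!r} raw={d.raw_value!r}")
```

A "hidden_from_api" hit is an indicator to investigate, not proof of a rootkit; as the raw scan has no lock on the volume, a second pass helps rule out files that simply changed between the two reads.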
- RootkitRevealer v1.71 for Windows
- Windows NT
- Windows XP
- Windows 2000
- Last updated: Friday, 30 July 2023
- Microsoft Sysinternals