Rootkit Detection Software Codewalker - gHacks Tech News

Rootkit Detection Software Codewalker

Most computer users may have heard about rootkits for the first time when the Sony BMG rootkit scandal exploded in the news.

Sony BMG back then added rootkit-like behavior to select commercial music CDs. These installed resident software on Windows machines they were inserted in that shared most characteristics with rootkits.

Side note: World of Warcraft Hackers used the Sony rootkit for hacks.

Rootkits are still not considered a huge threat by many. It is more likely to get infected by a computer virus or trojan than by a rootkit, but rootkits are inherently more dangerous because of how they have been designed.

One core trait of rootkits is that they elude detection by normal security software, or the user running the system.

Codewalker

rootkit detection codewalker

Codewalker is a rootkit detection software that has been developed by members of the Sysinternals forum.

The current version that has been released today is 0.24b which clearly outlines that the software program is a work in progress. It is a portable software that can be run from local drives or removable devices.

The security program suggests to run a deep scan of the computer system upon startup which takes a few minutes to complete. It is possible to skip the deep scan which will leads directly to the main program interface.

The main interface uses tabs to display various information including system processes, hidden code, kernelmode and usermode hacks which get populated when the system is scanned.

The connected disk drives are displayed on the right side with the option to select some or all of them for a scan. The same scan that was suggested upon program start will then be performed. The results are shown in the various tabs after the scan has finished.

The developer explains his program:

For hidden driver detection, you can test it with some pretty well hidden driver PoC such as phide_ex and many builds of Rustock.B variants. Although you have to use the "Hardcore Scan" method to detect them.

For code hooking detection, the engine walks all the branches of scanned module i.e any execution path of it to detect modification (btw, that's why i call it CodeWalker). IMHO, It can detect code hooking very well especially with rootkits that place abnormal hooks like Rustock.C (FF25 & FF15 - jmp/call dword ptr [abc]) tho there're still some problems with false-positive hooks/modifications.

Codewalker is a viable alternative to already available rootkit detection programs like Gmer or AVG Anti-Rootkit. It is probably be best used in conjunction with these tools.

Update: Please note that CodeWalker has not been updated since 2008. While it may run fine on all recent versions of Windows, it won't be as effective anymore as in the past because of that.

Summary
software image
Author Rating
1star1star1star1stargray
no rating based on 0 votes
Software Name
Codewalker
Operating System
Windows
Software Category
Security
Landing Page

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. Jack said on April 29, 2009 at 1:33 pm
    Reply

    AVG Anti Rootkit free is no longer available, so this might be a valuable replacement.

  2. Paulus said on April 29, 2009 at 5:16 pm
    Reply
  3. Jeannie said on May 3, 2009 at 9:48 pm
    Reply

    avg still good here
    i download and it find bugs

    http://www.brothersoft.com/avg-anti-rootkit-free-60621.html

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.