EverythingSearch and rootkits

General discussion related to "Everything".
drorharari
Posts: 12
Joined: Fri May 01, 2009 9:52 pm

EverythingSearch and rootkits

Post by drorharari »

Hi David,

Everything Search is a great program, something that puts Microsoft to shame for not coming up with this themselves and causing its users to waste millions of hours waiting for the retarded Folder Search to find a file. I have donated to this program and encourage others to try and do the same.

Now for my question. If I correctly understand how the program works and how rootkits hide themselves, then Everything Search is an ideal tool to search for a rootkit by its name. One types its name into the search box, and since Everything Search is not dependent on Microsoft directory access APIs, the hiding technique of the rootkits (i.e., hooks installed by nefarious drivers) does not apply, and those files will be visible in plain view. Obviously, if you then go to Windows Explorer with the path, you won't see them, but you will know for sure they're there.

Is the above indeed the case?

If it is, then I think it will be useful information to publish on the site - yet another virtue of this amazing program.

Thanks

Dror
deepdvd
Posts: 33
Joined: Mon Mar 23, 2009 6:35 pm

Re: EverythingSearch and rootkits

Post by deepdvd »

I was just going to post how awesome Everything is because of this very thing! This is absolutely true.

I've been removing trojans from a friend's computer and Everything was able to see a number of files hidden by a rootkit!

I was confused at first because clicking or right-clicking on them didn't do ANYTHING. It was like they didn't exist, yet Everything said they were there.

For the curious, the filenames were similar to the following.

C:\Windows\System32\ovfsth[insert random characters here]
C:\Windows\System32\drivers\ovfsth[insert random characters here]

Best program ever... (although, I'm ANXIOUSLY awaiting the items on his To-Do list that Ava Find has.)
Maniaxx
Posts: 2
Joined: Wed May 13, 2009 1:02 pm

Re: EverythingSearch and rootkits

Post by Maniaxx »

It doesn't find $MFT, so either it's not bypassing the Windows API or it doesn't catch everything. It's in no way reliable for detecting rootkits this way.
drorharari
Posts: 12
Joined: Fri May 01, 2009 9:52 pm

Re: EverythingSearch and rootkits

Post by drorharari »

@maniaxx:
Have you considered that it just chooses not to show $MFT -- this program uses $MFT to do its magic so it is likely that it is not showing it -- there is nothing useful you can directly do with it.

My point is that the rootkit habit of using files and masking them out at the Windows API level is something that Everything Search sees right through. This is not a rootkit detection program, but it is surely a useful tool for finding them if you have some idea of their location or naming.

/d
XtremeMaC
Posts: 9
Joined: Fri Jul 03, 2009 11:28 pm

Re: EverythingSearch and rootkits

Post by XtremeMaC »

Hmm, interesting... never used a search application to find rootkits.
I mean, first of all you have to know what you're looking for to be able to use the search.
What I do is consult the lovely DOS prompt :)
Just dir /a and attrib -s -h -r *.* /s /d
and use Sysinternals Process Explorer, Autoruns and rootkit finder.