it would be tricky to beat:
Win2K/XP SDT Restore 0.2 (Proof-Of-Concept)
Win32 Kernel Rootkits modify the behaviour of the system by Kernel Native API hooking. This technique is typically implemented by modifying the ServiceTable entries in the Service Descriptor Table (SDT). This allows kernel rootkits to hide files, processes, and to prevent process termination. This proof-of-concept tool demonstrates the possibility of defeating such rootkits by removing Kernel Native API hooks and restoring the SDT back to its original state.
+
ApiHookCheck Version 1.01 (API Hook Check)
API hooking is a useful technique that can be used to monitor API calls used by Win32 programs. This allows understanding of the programs' functionalities based on the APIs that are called and their input parameters. However, API hooking is also used by rootkits and other malicious code to modify the behaviour of certain APIs to hide files, network ports, processes and services. This tool can help to detect the presence of system-wide API hooks that are implemented based on import/export table modifications and insertion of JMP instructions at the start of the real API.
when used together...
but this doesn't cover interrupt hooks, which are used by Fu:
FU
short description:
The FU rootkit can hide processes, elevate process privileges, fake out the Windows Event Viewer so that forensics is impossible, and even hide device drivers (NEW!) All this without any hooking.
long description:
The FU rootkit can hide processes, elevate process privileges, fake out the Windows Event Viewer so that forensics is impossible, and even hide device drivers (NEW!). (Look, Mom, no hands!) It does all this by Direct Kernel Object Manipulation; no hooking! This project has been evolving over time. It was originally conceived as a proof-of-concept. FU is a play on words from the UNIX program "su" used to elevate privilege.
However, if instead you use Vice and Klister:
VICE
short description:
VICE - Catch hookers!
VICE is a tool to find hookers!
long description:
VICE is a tool to find hooks.
Features include:
1. Looks for people hooking IATs.
2. Looks for people hooking functions in-line aka detouring.
3. Looks for hooks in the System Call Table. Thanks to Tan perhaps it will fix the table in the future.
4. Looks for detour hooks in the System Call Table functions themselves.
5. Looks for people hooking IRP_MJ table in drivers. This is configurable by driver.ini.
project leader:
fuzen_op
homepage:
changelog:
download:
http://www.rootkit.com/vault/fuzen_op/vice.zip
klister
short description:
klister is a simple set of utilities for Windows 2000, designed to read the internal kernel data structures, in order to get reliable information about the system state (like list of all processes, including those "hidden" by rootkits, even by 'fu').
long description:
klister is a simple set of utilities for Windows 2000, designed to read the internal kernel data structures, in order to get reliable information about the system state (including list of all processes, including those "hidden" by some rootkits).
klister consists of a kernel module and some example userland programs which communicate with the kernel module in order to display some internal kernel data structures. The most interesting ones are the thread lists which are used by the kernel dispatcher (scheduler) code. When reading such an internal list we can be (almost;)) sure that we're getting the list of all threads in the system (including those which belong to a hidden process), and it also means that we can create a complete list of ALL PROCESSES in the system.
project leader:
joanna
homepage:
changelog:
download:
http://www.rootkit.com/vault/joanna/klister-0.4.zip
I think you will be just fine...
Moral of the story... to beat rootkits, ask the experts.
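The two checks the tool descriptions above talk about (ApiHookCheck's "insertion of JMP instructions at the start of the real API" and VICE's look at the System Call Table entries) are simple enough to show in portable C. The block below is an added example for this thread; it is not code from the original post, nor from ApiHookCheck, VICE or SDT Restore. It works on constructed 32-bit byte sequences and addresses rather than reading a live Windows kernel, and the kernel image base and size it uses are assumptions chosen for the sample, not values taken from any real machine.

```c
/* Added example for this thread; it is not code from the original post, from
 * ApiHookCheck, VICE or SDT Restore.  It shows, in portable C, the two checks
 * those tools describe: (1) does an API prologue start with a detour (JMP)?
 * (2) does a service-table entry point outside the kernel image?
 * All bytes and addresses are constructed 32-bit (Win2K/XP era) samples, not
 * data read from a live kernel; the kernel range below is an assumption. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,     /* E9 rel32            jmp  target             */
    HOOK_JMP_INDIRECT,  /* FF 25 addr32        jmp  dword ptr [addr]   */
    HOOK_PUSH_RET,      /* 68 imm32 C3         push target; ret        */
    HOOK_MOV_JMP        /* B8 imm32 FF E0      mov eax,target; jmp eax */
} hook_kind;

/* Classify the first bytes of a function as one of the common detour stubs. */
hook_kind classify_prologue(const uint8_t *p, size_t n)
{
    if (n >= 5 && p[0] == 0xE9)                                 return HOOK_JMP_REL32;
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25)                 return HOOK_JMP_INDIRECT;
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3)                 return HOOK_PUSH_RET;
    if (n >= 7 && p[0] == 0xB8 && p[5] == 0xFF && p[6] == 0xE0) return HOOK_MOV_JMP;
    return HOOK_NONE;
}

/* Read a little-endian 32-bit value at p. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Destination of a 'jmp rel32' located at insn_addr.  rel32 is relative to
 * the end of the 5-byte instruction and may be negative; unsigned wraparound
 * gives the same result as a signed add. */
uint32_t jmp_rel32_target(uint32_t insn_addr, const uint8_t *p)
{
    return insn_addr + 5 + le32(p + 1);
}

/* Service-table check: an entry that points outside [base, base+size) cannot
 * be the kernel's own handler.  Returns the number of suspicious entries and
 * stores up to out_max of their indices in out_idx. */
size_t find_hooked_services(const uint32_t *table, size_t count,
                            uint32_t kernel_base, uint32_t kernel_size,
                            size_t *out_idx, size_t out_max)
{
    size_t found = 0;
    for (size_t i = 0; i < count; i++) {
        if (table[i] < kernel_base || table[i] - kernel_base >= kernel_size) {
            if (found < out_max) out_idx[found] = i;
            found++;
        }
    }
    return found;
}

int main(void)
{
    /* Constructed prologues: the usual 'mov edi,edi; push ebp; mov ebp,esp'
     * hot-patch prologue, and the same function after a jmp rel32 detour. */
    const uint8_t clean[]    = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
    const uint8_t detoured[] = { 0xE9, 0xFB, 0x0F, 0x00, 0x00 };
    const uint32_t api_addr  = 0x7C801D7B;  /* assumed address of the API */

    printf("clean prologue    -> kind %d\n", classify_prologue(clean, sizeof clean));
    printf("detoured prologue -> kind %d, jumps to %08X\n",
           classify_prologue(detoured, sizeof detoured),
           jmp_rel32_target(api_addr, detoured));

    /* Constructed service table: assumed kernel image at 0x804D7000, size
     * 0x1F0000; entry 2 points into a third-party driver's address range. */
    const uint32_t sdt[] = { 0x805A1234, 0x805B0000, 0xF8A11000, 0x80500000 };
    size_t idx[4];
    size_t n = find_hooked_services(sdt, 4, 0x804D7000, 0x1F0000, idx, 4);
    for (size_t i = 0; i < n; i++)
        printf("service %zu -> %08X is outside the kernel image\n",
               idx[i], sdt[idx[i]]);
    return 0;
}
```

On a real box the prologue bytes would come from the loaded module and the table entries from KeServiceDescriptorTable, with the kernel image range taken from the loaded-module list. Both checks are heuristics: a hook whose handler lives inside the kernel image passes the range test, and DKOM of the FU kind never touches the table or the prologues at all, which is exactly why the post falls back on klister's walk of the scheduler's thread lists.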