PcTek9
Well-Known Member
- Reaction score
- 85
- Location
- Mobile, AL
Rootkits are indeed vicious critters. 
But there is very little written about how to use tools to remove them, so I am going to show a little something about all the stuff in IceSword.
Ice Sword when you start it has a file menu at the top, like most programs.
MAIN MENU:
File:Setting: Don't display deleting state process. <- this if unchecked shows process that are being deleted in red. (for example you close a program.)
File Setting: Keep on top <- this just keeps the app on top of all other applications
File:Setting:Forbid all process/thread creating. This feature is useful if you need to stop a multithreaded virus, trojan, worm, or rootkit. Just write down all the processes associated with the malware, then select file, setting, forbid all process/thread creating, this will allow you to kill the processes, without allowing the system to restart them. I use that feature when I have to destroy a malware that has many threads running simultaneously to protect itself. i.e., you kill one, and another one starts, etc. You can also press and hold the <ctrl> key while clicking processes to kill several at the same time in icesword. If the trojan is using a "magic chain" technique, where there are 5 processes all watching out for each other, it's a great way to stop it.
File:Setting: Disable Cooperator - This feature allows the cooperator functions from ishelp to collaborate with low level file work.
File:Reboot&Monitor - does just what it says, allows you to reboot the system and monitor all processes and threads starting up.
File:Create Process Rule - This feature allows you to create rules for processes. For example if I don't want process named 'trojan' to create a child process called 'erase mydocuments' then I could create that rule in here. I can specify the child process by name, specify the pathfilename, the source process ID range, and the parent process ID range. I have the option to create several rules, and even view or delete rules.
File:Create Thread Rule - This feature allows you to create rules for threads. You are allowed to permit or forbid a thread from starting, and Identify a Process ID range, Source Process Rule, and Source thread rule using name, pid, or tid. You are allowed to add,view, and delete thread rules.
File:System Tray - Sends the program to the system tray.
File:Exit - Exits the program.
Dump:GDT/IDT - This dumps a list of the GDT and IDT. The GDT or global descriptor table lists the addresses of all code segments in the system. The IDT or interupt descriptor table lists the interrupt service routines. The intel chips do not have a kernel mode implemented on the actual cpu, like the motorola 68000 cpu's do. For example the motorola 68000 actually has a cpu flag that indicates if it is running in kernel mode on the cpu. Kernel mode on x86 is implemented in the software, it's sort of divided into rings. Ring 3 = user mode, and ring 0 = "software implemented" kernel mode. All this means is that windows prevents user mode software from calling or executing kernel mode code directly. If however that does happen then the system throughs a general protection fault, and you get a blue screen. The way it works is that an ISR being selected from the IDT must first check with the GDT to make sure it has the authority to execute code in the ring level it wants or else switch to the correct ring level if authority is present. To accomplish this level of protection each ring has it's own stack, and instructions and pointer states are merrily saved while the cpu executes ring x requests (which also had it's last states saved).
Dump:LOG - This feature just dumps the current list you are looking at, for example if you have processes listed, then it dumps it to a file you choose in text format.
Plugin: - This allows you to select or install a plugin to use in Icesword.
(a) the filereg plugin for icesword when installed correctly, allows you to access all of the disk for read/write operations while bypassing some Windows system components, like ntfs.sys, fastfat.sys and Windows NT Configuration Manager, and of course, rootkits.
The filereg plugin (.icp) when loaded looks like a "console window" or "dos prompt". It allows you execute special commands and directly edit the disk and registry from a console window. The commands are: ads, cd, copy, copys, dir, dirs, exit, flush, list, mount, pwd, regcd, regdelkey, regdelvalue, regdelvalues, regdir, regmount, regpwd, regunmount, regvalue, regwrite, save, search, unmount, unsave. For example: i could search the registry for a key from 'dos' and replace it or delete it or edit it then save the registry and reboot the system, all outside of windows using an uninfected by rootkits clean sandbox. Note: if you have trouble running filereg.icp with 1.22 try 1.12.
view:toolbar - This just shows or hides the toolbar.
view:statusbar - This just shows or hides the statusbar.
view:hide signed items - This just hides all items that have been digitally signed. (and are therefore considered safe)
view:init state - This checks the init state of the system, by scanning memory, modules, and the registry.
help:about - about icesword.
IceSword has a menu on the left consisting of 'functions', 'registry editor', and 'file explorer'. A lot of people probably think they don't need the registry editor and file explorer. But you do...
Here is a list of IceSword Functions: They have (active) or (informational) after them to indicate if you can "do" anything to whatever is listed.
PROCESS (ACTIVE)- right click allows you to refresh process list, terminate a process, get thread information about a selected process, get module information on the selected process, read & write memory in the selected process (yes disassemble), and find modules.
note: if you click thread information to display the threads of
a process you can refresh/terminate/kill(force) a thread.
if you click module information, you can refresh, unload,
or force unload a module (kill).
The process function shows hidden processes in RED.
PORT (INFORMATIONAL) - This function displays what is going in and out of your machine over the internet. It shows a list of all active ports. It lists their Protocol / local & foreign address / current state (e.g. listening, closed, waiting...) / their process id number / and the pathname to the file that opened that port. If you see for example, a file called c:\windows\system\keylogger99.exe is that is transporting tcp information over port 23852 then you would realize that is a 'keylogger' stealing keystrokes, and you would find that file and delete it. It would also show up in the processes list, if it's hidden it would show up red in the processes list, but what if it's not hidden? what if it's not named keylogger99.exe. See the problem? So you need to understand that if you see a program like c:\windows\svchost.exe and it is using local port 52893 to send tcp or udp traffic to a foreign address of 234.123.99.165 (that is a random address...), that you have a keylogger disguised as svchost.exe This is not the same as netstat-an, b/c that does not show the name and path of the program that is opening the port, so this is a lot more useful.
KERNEL MODULE (INFORMATIONAL)- This area shows kernel modules, or modules that make up the kernel, such as ntoskrnl.exe, hal.dll, usbport.sys, atapi.sys, etc. But... very good rootkits can hide themselves disguised as a kernel module. It's a long list to go through, but if you see anything strange in this 'informational' list, then google it and see what it is...
STARTUP (INFORMATIONAL) - This is all programs starting up from the startup folder, and several startup locations in the registry, like hkeylocalmachine/.../microsoft/windows/software/run,runonce, etc, and some other interesting locations. Note: you can remove start up items using the built in registry editor of IceSword or the FileExplorer to delete them.
WIN32 SERVICES (ACTIVE) - These are all the services you see if you go into the control panel and click services.... HOWEVER... IceSword can show 'hidden' services in red, that dont show in control panels administrative tools, some of which may point quite clearly to a rootkit. You can start/stop/pause/resume a service and you can change the way services start such as auto/manual/or disabled.
SPI (INFORMATIONAL) - The Winsock (S)ervice (P)rovider (I)nterface. Basically, this is a software mechanism to support replaceable components, in this particular case, winsock transports. Sometimes spyware will insert their own transport into the LSP (layered service protocol stack) to spy on a user, or divert their traffic to sites they own. This is also the way in which child protection filters work to sort out improper materials regardless of whatever browser or internet chat program is used on the system. I recommend using something like lspfix, or the xpwinsock fix program if you see something strange here.
BHO (ACTIVE) - IceSword gives you the ability to delete these browser helper objects. Basically they do things to 'help' browsers, like if you open a pdf in i.e. a bho created by adobe will open adobe reader, so you can see the pdf inside the browser. But some bho's are not good, as a general rule of thumb you can delete anything suspicious from here without a hitch.
SSDT (ACTIVE) - This is a syscall table where you can get the address of a function with an index. It's the (S)system (S)ervice (D)escriptor (T)able. Red means it's hidden. Options are refresh the list and 'restore' hidden services to visible. Once you restore it to visible you can track it's components and delete them.
MESSAGE HOOKS (INFORMATIONAL) - Message hooks are really just a technique where a message passed in windows is allowed to be monitored by a third party application, process, thread, etc.
The hooks that can be used for invisibly recording keystrokes are wh_keyboard, wh_getmessage, wh_msgfilter, wh_keyboard_LL, and wh_journalrecord. So if you see a program hooked into one of these windows messages, and you dont recognize the program, it may be a keylogger, or a keylogging component of a rootkit. You can use the built in 'force delete' under the FILE area of icesword to kill the associated process, and delete the file, just google first, to make sure it's not a legitimate windows system file component. The columns listed for message hooks are the handle, type, function, process path, pid, and tid. Example:
0x00100fd wh_keyboard_ll 0x006ef c:\programfiles\ultravnc\vncviewer.exe 1460 2180
LOG PROCESS/THREAD CREATION (INFORMATIONAL) - Shows all processes & threads created, with date time/stamp, pid, tid, and the creator (parent proces) of the child process or thread.
LOG PROCESS TERMINATION - Same as above, but monitors process termination.
ADVANCED SCAN - Use this cautiously, or your machine could reboot. This scans module hooks. You can do a general scan, module scan, and restore from here.
REGISTRY EDITOR - DELETE / EDIT KEYS, this registry editor is much more powerful than the one in microsoft windows, as it can open registry keys that use 'invisible' characters, or many subkeys to prevent regedit from opening them to remove the entries.
FILE Explorer- DELETE/REFRESH/COPY TO/FORCE DELETE, this file browser should be used instead of windows explorer, b/c it has special abilities that prevent the protection schemes many trojans, and rootkits have built in, including special encryption techniques, and special hidden files. It can also be used to move trojans and rootkits to a usb stick without worry of infecting the system, as it provides immunity to them.
But there is very little written about how to use tools to remove them, so I am going to show a little something about all the stuff in IceSword.Ice Sword when you start it has a file menu at the top, like most programs.
MAIN MENU:
File:Setting: Don't display deleting state process. <- this if unchecked shows process that are being deleted in red. (for example you close a program.)
File Setting: Keep on top <- this just keeps the app on top of all other applications
File:Setting:Forbid all process/thread creating. This feature is useful if you need to stop a multithreaded virus, trojan, worm, or rootkit. Just write down all the processes associated with the malware, then select file, setting, forbid all process/thread creating, this will allow you to kill the processes, without allowing the system to restart them. I use that feature when I have to destroy a malware that has many threads running simultaneously to protect itself. i.e., you kill one, and another one starts, etc. You can also press and hold the <ctrl> key while clicking processes to kill several at the same time in icesword. If the trojan is using a "magic chain" technique, where there are 5 processes all watching out for each other, it's a great way to stop it.
File:Setting: Disable Cooperator - This feature allows the cooperator functions from ishelp to collaborate with low level file work.
File:Reboot&Monitor - does just what it says, allows you to reboot the system and monitor all processes and threads starting up.
File:Create Process Rule - This feature allows you to create rules for processes. For example if I don't want process named 'trojan' to create a child process called 'erase mydocuments' then I could create that rule in here. I can specify the child process by name, specify the pathfilename, the source process ID range, and the parent process ID range. I have the option to create several rules, and even view or delete rules.
File:Create Thread Rule - This feature allows you to create rules for threads. You are allowed to permit or forbid a thread from starting, and Identify a Process ID range, Source Process Rule, and Source thread rule using name, pid, or tid. You are allowed to add,view, and delete thread rules.
File:System Tray - Sends the program to the system tray.
File:Exit - Exits the program.
Dump:GDT/IDT - This dumps a list of the GDT and IDT. The GDT or global descriptor table lists the addresses of all code segments in the system. The IDT or interupt descriptor table lists the interrupt service routines. The intel chips do not have a kernel mode implemented on the actual cpu, like the motorola 68000 cpu's do. For example the motorola 68000 actually has a cpu flag that indicates if it is running in kernel mode on the cpu. Kernel mode on x86 is implemented in the software, it's sort of divided into rings. Ring 3 = user mode, and ring 0 = "software implemented" kernel mode. All this means is that windows prevents user mode software from calling or executing kernel mode code directly. If however that does happen then the system throughs a general protection fault, and you get a blue screen. The way it works is that an ISR being selected from the IDT must first check with the GDT to make sure it has the authority to execute code in the ring level it wants or else switch to the correct ring level if authority is present. To accomplish this level of protection each ring has it's own stack, and instructions and pointer states are merrily saved while the cpu executes ring x requests (which also had it's last states saved).
Dump:LOG - This feature just dumps the current list you are looking at, for example if you have processes listed, then it dumps it to a file you choose in text format.
Plugin: - This allows you to select or install a plugin to use in Icesword.
(a) the filereg plugin for icesword when installed correctly, allows you to access all of the disk for read/write operations while bypassing some Windows system components, like ntfs.sys, fastfat.sys and Windows NT Configuration Manager, and of course, rootkits.
The filereg plugin (.icp) when loaded looks like a "console window" or "dos prompt". It allows you execute special commands and directly edit the disk and registry from a console window. The commands are: ads, cd, copy, copys, dir, dirs, exit, flush, list, mount, pwd, regcd, regdelkey, regdelvalue, regdelvalues, regdir, regmount, regpwd, regunmount, regvalue, regwrite, save, search, unmount, unsave. For example: i could search the registry for a key from 'dos' and replace it or delete it or edit it then save the registry and reboot the system, all outside of windows using an uninfected by rootkits clean sandbox. Note: if you have trouble running filereg.icp with 1.22 try 1.12.
view:toolbar - This just shows or hides the toolbar.
view:statusbar - This just shows or hides the statusbar.
view:hide signed items - This just hides all items that have been digitally signed. (and are therefore considered safe)
view:init state - This checks the init state of the system, by scanning memory, modules, and the registry.
help:about - about icesword.
IceSword has a menu on the left consisting of 'functions', 'registry editor', and 'file explorer'. A lot of people probably think they don't need the registry editor and file explorer. But you do...
Here is a list of IceSword Functions: They have (active) or (informational) after them to indicate if you can "do" anything to whatever is listed.
PROCESS (ACTIVE)- right click allows you to refresh process list, terminate a process, get thread information about a selected process, get module information on the selected process, read & write memory in the selected process (yes disassemble), and find modules.
note: if you click thread information to display the threads of
a process you can refresh/terminate/kill(force) a thread.
if you click module information, you can refresh, unload,
or force unload a module (kill).
The process function shows hidden processes in RED.
PORT (INFORMATIONAL) - This function displays what is going in and out of your machine over the internet. It shows a list of all active ports. It lists their Protocol / local & foreign address / current state (e.g. listening, closed, waiting...) / their process id number / and the pathname to the file that opened that port. If you see for example, a file called c:\windows\system\keylogger99.exe is that is transporting tcp information over port 23852 then you would realize that is a 'keylogger' stealing keystrokes, and you would find that file and delete it. It would also show up in the processes list, if it's hidden it would show up red in the processes list, but what if it's not hidden? what if it's not named keylogger99.exe. See the problem? So you need to understand that if you see a program like c:\windows\svchost.exe and it is using local port 52893 to send tcp or udp traffic to a foreign address of 234.123.99.165 (that is a random address...), that you have a keylogger disguised as svchost.exe This is not the same as netstat-an, b/c that does not show the name and path of the program that is opening the port, so this is a lot more useful.
KERNEL MODULE (INFORMATIONAL)- This area shows kernel modules, or modules that make up the kernel, such as ntoskrnl.exe, hal.dll, usbport.sys, atapi.sys, etc. But... very good rootkits can hide themselves disguised as a kernel module. It's a long list to go through, but if you see anything strange in this 'informational' list, then google it and see what it is...
STARTUP (INFORMATIONAL) - This is all programs starting up from the startup folder, and several startup locations in the registry, like hkeylocalmachine/.../microsoft/windows/software/run,runonce, etc, and some other interesting locations. Note: you can remove start up items using the built in registry editor of IceSword or the FileExplorer to delete them.
WIN32 SERVICES (ACTIVE) - These are all the services you see if you go into the control panel and click services.... HOWEVER... IceSword can show 'hidden' services in red, that dont show in control panels administrative tools, some of which may point quite clearly to a rootkit. You can start/stop/pause/resume a service and you can change the way services start such as auto/manual/or disabled.
SPI (INFORMATIONAL) - The Winsock (S)ervice (P)rovider (I)nterface. Basically, this is a software mechanism to support replaceable components, in this particular case, winsock transports. Sometimes spyware will insert their own transport into the LSP (layered service protocol stack) to spy on a user, or divert their traffic to sites they own. This is also the way in which child protection filters work to sort out improper materials regardless of whatever browser or internet chat program is used on the system. I recommend using something like lspfix, or the xpwinsock fix program if you see something strange here.
BHO (ACTIVE) - IceSword gives you the ability to delete these browser helper objects. Basically they do things to 'help' browsers, like if you open a pdf in i.e. a bho created by adobe will open adobe reader, so you can see the pdf inside the browser. But some bho's are not good, as a general rule of thumb you can delete anything suspicious from here without a hitch.
SSDT (ACTIVE) - This is a syscall table where you can get the address of a function with an index. It's the (S)system (S)ervice (D)escriptor (T)able. Red means it's hidden. Options are refresh the list and 'restore' hidden services to visible. Once you restore it to visible you can track it's components and delete them.
MESSAGE HOOKS (INFORMATIONAL) - Message hooks are really just a technique where a message passed in windows is allowed to be monitored by a third party application, process, thread, etc.
The hooks that can be used for invisibly recording keystrokes are wh_keyboard, wh_getmessage, wh_msgfilter, wh_keyboard_LL, and wh_journalrecord. So if you see a program hooked into one of these windows messages, and you dont recognize the program, it may be a keylogger, or a keylogging component of a rootkit. You can use the built in 'force delete' under the FILE area of icesword to kill the associated process, and delete the file, just google first, to make sure it's not a legitimate windows system file component. The columns listed for message hooks are the handle, type, function, process path, pid, and tid. Example:
0x00100fd wh_keyboard_ll 0x006ef c:\programfiles\ultravnc\vncviewer.exe 1460 2180
LOG PROCESS/THREAD CREATION (INFORMATIONAL) - Shows all processes & threads created, with date time/stamp, pid, tid, and the creator (parent proces) of the child process or thread.
LOG PROCESS TERMINATION - Same as above, but monitors process termination.
ADVANCED SCAN - Use this cautiously, or your machine could reboot. This scans module hooks. You can do a general scan, module scan, and restore from here.
REGISTRY EDITOR - DELETE / EDIT KEYS, this registry editor is much more powerful than the one in microsoft windows, as it can open registry keys that use 'invisible' characters, or many subkeys to prevent regedit from opening them to remove the entries.
FILE Explorer- DELETE/REFRESH/COPY TO/FORCE DELETE, this file browser should be used instead of windows explorer, b/c it has special abilities that prevent the protection schemes many trojans, and rootkits have built in, including special encryption techniques, and special hidden files. It can also be used to move trojans and rootkits to a usb stick without worry of infecting the system, as it provides immunity to them.
