Educause Security Discussion mailing list archives

Re: Rootkit discovery tools


From: Graham Toal <gtoal () UTPA EDU>
Date: Tue, 27 Jun 2006 08:51:45 -0500

Our requirement is to build a "toolkit" for our technicians
to be able to scan and detect on each server in our environment.

The biggest problem you may have will be that *all* rootkit
detectors almost by definition have to be stand-alone booting.

This doesn't scale too well to an enterprise, if you have to
implement it by someone going machine to machine.

My suggestion then would be to come up with a bootstrap mechanism
(such as a netboot) which first booted the rootkit detector, which
would run on every boot, which when finished would then invoke
the 'normal' bootstrap for the operating system itself, whichever
one that happened to be.

I'm none too clear on how one might do this, but I'd guess that
maybe netbooting for the first bootstrap might be involved.


Graham
PS RootkitRevealer is the only one I know of that is even likely
to work from within Windows itself, if we can't come up with a
clever chained bootstrap trick.
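One way to realise the chained bootstrap Graham sketches, as an added example that is not part of the original post: every host netboots a tiny iPXE stage that asks a boot server whether a scan is due, boots a stand-alone scanner image if so, and otherwise hands off to the OS on the local disk. The server name, image paths, rescan interval and the "scanner posts a verdict and reboots" contract are all assumptions.

```python
"""Boot-server side of the chained bootstrap. Added example, not the poster's
code; assumes iPXE clients and a placeholder boot server, http://boot.example.edu."""
from dataclasses import dataclass, field

SERVER = "http://boot.example.edu"   # placeholder, assumed
WEEK = 7 * 24 * 3600                 # rescan interval in seconds (assumed policy)

# Stage 0, netbooted by every host: ask the server what to do, and fall back to
# the local disk on any failure so a boot-server outage never strands a machine.
STAGE0 = f"""#!ipxe
dhcp || goto local
chain {SERVER}/next?mac=${{net0/mac}} || goto local
:local
sanboot --no-describe --drive 0x80 || exit
"""
# Served when a scan is due: boot the stand-alone scanner image (placeholder
# paths), tell it where to post its verdict; the image reboots when finished.
SCAN = f"""#!ipxe
kernel {SERVER}/scan/vmlinuz report={SERVER}/report?mac=${{net0/mac}}
initrd {SERVER}/scan/initrd
boot || goto local
:local
sanboot --no-describe --drive 0x80 || exit
"""
# Served when no scan is due: hand off to the OS's own bootstrap on the first disk.
LOCAL = "#!ipxe\nsanboot --no-describe --drive 0x80 || exit\n"

@dataclass
class ScanState:
    last_scan: dict = field(default_factory=dict)  # mac -> epoch seconds of last verdict
    verdict: dict = field(default_factory=dict)    # mac -> "clean" or "suspect"

def next_boot(state, mac, now, interval=WEEK):
    """Script handed to host `mac` at boot time (`now` in epoch seconds)."""
    mac = mac.lower()
    last = state.last_scan.get(mac)
    stale = last is None or now - last >= interval
    # A host whose last verdict was "suspect" is held at the scanner rather than
    # being allowed back into its possibly compromised OS.
    if stale or state.verdict.get(mac) == "suspect":
        return SCAN
    return LOCAL

def record_report(state, mac, now, verdict):
    """Scanner posts its verdict here; True means a technician must follow up."""
    mac = mac.lower()
    state.last_scan[mac] = now
    state.verdict[mac] = verdict
    return verdict != "clean"
```

Because the scanner runs before the installed OS is ever loaded, it is the same stand-alone check Graham describes, just triggered by the boot server instead of by a technician walking to each machine.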
