Strictly speaking, a rootkit is not a single program but a means, mechanism or technology for hiding malicious software (viruses, spyware, Trojan horses and so on) from security tools and system management tools.
A rootkit can bury itself deeply, even inside the running system kernel, which makes it much harder to detect. Because it runs in the kernel it can alter the functions and parameters that every application in the system relies on; for example, it can tamper with the routines used by anti-virus, anti-spyware and anti-rootkit programs. Some advanced rootkits patch the anti-rootkit tool or rootkit detector itself so that it can no longer block the rootkit. Does this mean users are helpless? No. The contest between rootkits and anti-rootkit tools is a long-running cat-and-mouse game: a technique that works today may be defeated tomorrow, and vice versa.
A behaviour inherent to every rootkit is hiding itself or the processes it protects. Once a process is hidden, even a legitimate system utility can no longer list it among the running processes. The real danger is that security defences are built on the assumption that the system behaves according to known rules; a defence that cannot see the injected process gives the administrator the illusion that the system is running securely.
The trend in attack tools is to conceal the intrusion process. A hidden process is extremely dangerous: it means malicious code is running on your system without your knowledge, and the consequences can be imagined. Many Trojan, virus, spyware and rootkit authors use the same technique to hide themselves and persist on a computer for a long time, and ordinary anti-virus software and anti-virus mechanisms are helpless because they cannot deal with hidden processes. Finding what the rootkit is hiding is therefore the first step in defending against it; if you want real security, defending against hidden processes is essential. Few tools on the market can detect hidden processes, and most of those that can cost money. So what do we rely on?
I recommend a free and capable tool: ProcL. This command line tool detects hidden processes at two privilege levels of the operating system (ring 3 and ring 0), using a different method at each: one is a user-mode method, the other a kernel-mode method.
Its usage is fairly simple. It is run from the Windows command line as:
ProcL [options]
The available options are listed below, with the option on the left and its description on the right:
-m    dump module information for each process
-h    dump handle information for each process
-t    dump thread information for each process
-md5  compute the MD5 hash of each process image
-cmd  display the command line parameters of each process
-k    disable the kernel-level detection method
-u    disable the user-level detection method
-? / -h  display help information (note that the page lists -h for both handle information and help; check the tool's own help output to see which one it honours)
For example:
ProcL.exe -m -h -t -cmd
ProcL.exe -m -h -t -cmd -md5
ProcL.exe -m -cmd
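The page does not say how ProcL's user-mode method works, so the following is an added example of the classic user-mode technique for finding hidden processes, cross-view comparison, and is not ProcL's own code. The idea is that a rootkit normally hides a process by hooking one enumeration path (most often NtQuerySystemInformation, which both Toolhelp32 and EnumProcesses sit on top of) and leaves other paths alone, such as brute-forcing OpenProcess over the whole PID space. The example collects several views of the process list and reports every PID that some view sees but the reference view does not. The function names (`cross_view_diff`, `example_views`, `collect_views_windows`) and the sample PID sets are my own; the Windows API calls are the real kernel32/psapi exports, and the collection routine only runs on Windows, falling back to the constructed sample data elsewhere.

```python
"""Cross-view detection of hidden processes (added example; not ProcL's code)."""
import sys
from typing import Dict, List, Set


def cross_view_diff(views: Dict[str, Set[int]], reference: str) -> Dict[int, List[str]]:
    """Map each PID missing from the `reference` view to the views that do see it.

    An empty result means all views agree, i.e. no evidence of a hidden process.
    """
    base = views[reference]
    suspects: Dict[int, List[str]] = {}
    for name, pids in views.items():
        if name == reference:
            continue
        for pid in pids - base:
            suspects.setdefault(pid, []).append(name)
    return {pid: sorted(names) for pid, names in sorted(suspects.items())}


def example_views() -> Dict[str, Set[int]]:
    """Constructed sample data (not captured from a real machine).

    Both API-based views miss PID 1337 because they share the hooked code path;
    the OpenProcess probe, which goes through NtOpenProcess instead, still sees it.
    """
    return {
        "toolhelp": {4, 404, 1000, 2048},
        "enumprocesses": {4, 404, 1000, 2048},
        "openprocess_probe": {4, 404, 1000, 1337, 2048},
    }


def collect_views_windows() -> Dict[str, Set[int]]:
    """Gather three user-mode views of the process list. Windows only."""
    import ctypes
    from ctypes import wintypes

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    views: Dict[str, Set[int]] = {}

    # View 1: CreateToolhelp32Snapshot / Process32First / Process32Next (ANSI variant).
    class PROCESSENTRY32(ctypes.Structure):
        _fields_ = [
            ("dwSize", wintypes.DWORD), ("cntUsage", wintypes.DWORD),
            ("th32ProcessID", wintypes.DWORD), ("th32DefaultHeapID", ctypes.c_size_t),
            ("th32ModuleID", wintypes.DWORD), ("cntThreads", wintypes.DWORD),
            ("th32ParentProcessID", wintypes.DWORD), ("pcPriClassBase", ctypes.c_long),
            ("dwFlags", wintypes.DWORD), ("szExeFile", ctypes.c_char * 260),
        ]

    k32.CreateToolhelp32Snapshot.restype = wintypes.HANDLE
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    k32.Process32First.argtypes = [wintypes.HANDLE, ctypes.POINTER(PROCESSENTRY32)]
    k32.Process32Next.argtypes = [wintypes.HANDLE, ctypes.POINTER(PROCESSENTRY32)]
    k32.GetExitCodeProcess.argtypes = [wintypes.HANDLE, ctypes.POINTER(wintypes.DWORD)]

    TH32CS_SNAPPROCESS = 0x00000002
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    entry = PROCESSENTRY32()
    entry.dwSize = ctypes.sizeof(PROCESSENTRY32)
    seen: Set[int] = set()
    ok = k32.Process32First(snap, ctypes.byref(entry))
    while ok:
        seen.add(entry.th32ProcessID)
        ok = k32.Process32Next(snap, ctypes.byref(entry))
    k32.CloseHandle(snap)
    views["toolhelp"] = seen

    # View 2: psapi EnumProcesses.
    buf = (wintypes.DWORD * 8192)()
    needed = wintypes.DWORD(0)
    if psapi.EnumProcesses(buf, ctypes.sizeof(buf), ctypes.byref(needed)):
        count = needed.value // ctypes.sizeof(wintypes.DWORD)
        views["enumprocesses"] = {buf[i] for i in range(count)}

    # View 3: brute-force OpenProcess over the PID space (Windows PIDs are multiples of 4).
    # ERROR_ACCESS_DENIED still proves the PID exists. A handle that does open may belong
    # to a terminated process somebody still holds a handle to, so only count it when
    # GetExitCodeProcess reports STILL_ACTIVE.
    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    ERROR_ACCESS_DENIED = 5
    STILL_ACTIVE = 259
    probe: Set[int] = set()
    for pid in range(4, 65536, 4):
        h = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
        if h:
            code = wintypes.DWORD(0)
            if k32.GetExitCodeProcess(h, ctypes.byref(code)) and code.value == STILL_ACTIVE:
                probe.add(pid)
            k32.CloseHandle(h)
        elif ctypes.get_last_error() == ERROR_ACCESS_DENIED:
            probe.add(pid)
    views["openprocess_probe"] = probe
    return views


if __name__ == "__main__":
    current = collect_views_windows() if sys.platform == "win32" else example_views()
    for pid, seen_by in cross_view_diff(current, "toolhelp").items():
        print(f"PID {pid} hidden from toolhelp, visible to: {', '.join(seen_by)}")
```

Two caveats when running this on a live machine. Processes that start or exit between the three collections produce one-off false positives, so repeat the scan a couple of times and only trust PIDs that stay hidden across runs. And all three views here are user-mode, so a kernel-mode rootkit that unlinks its EPROCESS from the active-process list or hooks NtOpenProcess as well will fool all of them; that is exactly why a tool like ProcL also offers a kernel-level method, and why the two should be run together rather than disabled with -k or -u.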
By the time you read this article, more advanced rootkit and rootkit-detection techniques will already be emerging and evolving. Security is an endless pursuit, and facing these challenges is our duty.