
Detection Example: DSE vs Agony Rootkit
Description: Agony is a kernel-level rootkit written by the author 'Intox'. It can hide processes, network ports, files, registry items, and services.
Detection: Detecting Agony is trivial with Deep System Explorer. Even when it is used to hide its own process, that process can still be seen in DSE's Process List tool, and its driver (agony.sys) can be seen in DSE's Driver List tool.
Agony is controlled via command-line parameters. For example, "-p calc.exe" will hide the calc.exe process:

The first thing we can see using DSE is a Code Modification entry which points directly to the agony.sys driver:

At this stage it's probably going to be quite obvious to the user that the driver is a rootkit, but let's see what else we can see:

Hmm, an SSDT hook! We can clearly see that NtQuerySystemInformation has been hooked. This function can be used to enumerate processes, and Agony has hooked it to hide them.
In this case we used it to hide the calc.exe process, but we have no problem seeing that process in DSE's Process List tool, and we can also clearly see it in the Hidden Process tool:

Copyright © 2008, Diamond Computer Systems Pty. Ltd. All rights reserved.