
Detection Example: DSE vs Fu Rootkit
Description: Fu is a kernel-mode rootkit written by the author 'fuzen_op', with a user-mode front end (fu.exe) for communicating with its driver (msdirectx.sys).
It has two main features - the ability to hide processes, and the ability to hide drivers.
Detection: Because fu.exe is a front end for the driver, we can run fu.exe directly without first having to install the driver with instdrv.exe. We used version 2.0 of Fu.
You can see its options in the following screenshot:

The command "fu -phd 252" hides the process with an ID of 252, which in this case is c:\fu\calc.exe (a copy of the \Windows\system32\calc.exe program that comes with Windows).
The process c:\fu\calc.exe is no longer visible to process-listing programs, but Deep System Explorer (DSE) has no problem seeing it in vibrant detail:

It can also be seen simply by going to DSE's Process List tool, where we can see that it's listed as a hidden process:
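The same kind of cross-view comparison that exposes Fu's hidden process can be done from user mode, as an added example that is not code from the original page or from DSE: the normal process list is compared against a direct probe of every possible PID, since a process that has been unlinked from the kernel's active-process list can still be opened by its PID. It assumes an elevated PowerShell session on the machine under test.

```powershell
# Added example, not part of the original page or of DSE: cross-view detection
# of processes hidden the way Fu hides them (unlinked from the kernel's
# active-process list). Assumes an elevated PowerShell session.
Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$PROCESS_QUERY_INFORMATION = 0x0400
$ERROR_ACCESS_DENIED       = 5     # the PID exists, we just cannot open it
$ERROR_INVALID_PARAMETER   = 87    # no process with this PID

function Find-HiddenProcesses {
    # View 1: the normal process list (what Task Manager and most tools show).
    $visible = @{}
    Get-Process | ForEach-Object { $visible[[uint32]$_.Id] = $true }

    # View 2: probe every possible PID directly. A process unlinked from the
    # active-process list can still be opened by PID, because its object is
    # still in the kernel's process ID table.
    $hidden = @()
    for ($candidate = 4; $candidate -lt 65536; $candidate += 4) {
        $h = [Win32.Kernel32]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32]$candidate)
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($h -ne [IntPtr]::Zero) {
            [void][Win32.Kernel32]::CloseHandle($h)
            $exists = $true
        } else {
            # ERROR_INVALID_PARAMETER means no such PID; access denied means it exists
            $exists = ($err -eq $ERROR_ACCESS_DENIED)
        }
        if ($exists -and -not $visible.ContainsKey([uint32]$candidate)) {
            $hidden += $candidate
        }
    }
    return $hidden
}

# A PID reported here is either hidden or belongs to a process that started
# after view 1 was taken; run the check twice to rule out that race.
$result = Find-HiddenProcesses
if ($result.Count -eq 0) { "No hidden processes found" }
else { $result | ForEach-Object { "Hidden process: PID $_" } }
```

In the scenario above, the PID passed to fu.exe (252) would show up in the result while Get-Process does not list it.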

Likewise its hidden threads can be seen (although in this case calc.exe only has one thread):

Fu also allows you to hide drivers by using the "-phd" command with fu.exe, but DSE can still see the hidden driver:


Copyright © 2008, Diamond Computer Systems Pty. Ltd. All rights reserved.