
Detection Example: DSE vs Vanquish User-mode Rootkit
Description: Vanquish is a rootkit written by author 'XShadow'. Vanquish is purely a user-mode rootkit, so it does not use any kernel-mode drivers.
Instead, Vanquish injects its own DLL into other processes, and modifies the entrypoint code at the start of various important exported API functions (such as file and process related functions) so that the code jumps to a hooking function inside the injected Vanquish DLL.
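The core check behind a code-modification scan of this kind, as an added example (not DSE's own code and nothing from Vanquish): compare each export's entry bytes in memory with the copy on disk and, when they differ, decode the transfer at the entry point and attribute its target to the module that owns that address. Module ranges, addresses and byte patterns below are constructed for the demonstration.

```python
import struct

# Constructed sample data (not real addresses): where each module is mapped in the
# scanned process, so a jump target can be attributed to the module that owns it.
MODULES = {
    "kernel32.dll": (0x7C800000, 0x7C8F6000),   # hypothetical system DLL range
    "vanquish.dll": (0x10000000, 0x10020000),   # hypothetical injected DLL range
}

def module_for(addr):
    """Name of the module whose range contains addr, or None."""
    for name, (lo, hi) in MODULES.items():
        if lo <= addr < hi:
            return name
    return None

def decode_jump(addr, code):
    """If the bytes at addr start with an unconditional x86-32 transfer, return its target.
    Recognises E9 rel32 (JMP), 68 imm32 + C3 (PUSH/RET) and FF 25 disp32 (JMP [slot];
    the slot address is returned, since the pointer itself cannot be read offline)."""
    if len(code) >= 5 and code[0] == 0xE9:
        return (addr + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:
        return struct.unpack_from("<I", code, 2)[0]
    return None

def check_export(addr, in_memory, on_disk):
    """Classify one export's entry bytes: 'clean', 'modified' (differs, but control stays
    inside the owning module), or 'hooked -> <module>' when control leaves the module."""
    if in_memory == on_disk:
        return "clean"
    target = decode_jump(addr, in_memory)
    if target is None:
        return "modified"
    dest = module_for(target) or "unknown"
    return "modified" if dest == module_for(addr) else f"hooked -> {dest}"

# Constructed entries: the clean prologue (mov edi,edi; push ebp; mov ebp,esp) as read
# from the file, and what the same bytes look like once an inline JMP has been written.
CLEAN = bytes([0x8B, 0xFF, 0x55, 0x8B, 0xEC])
FINDFIRST_ADDR, HOOK_TARGET = 0x7C80EF1D, 0x10001230
HOOKED = b"\xE9" + struct.pack("<i", HOOK_TARGET - (FINDFIRST_ADDR + 5))

def scan_samples():
    """Run the check over constructed (export, address, memory bytes, disk bytes) rows."""
    rows = [
        ("FindFirstFileW", FINDFIRST_ADDR, HOOKED, CLEAN),
        ("CreateFileW", 0x7C801A28, CLEAN, CLEAN),
    ]
    return {name: check_export(addr, mem, disk) for name, addr, mem, disk in rows}
```

A real scanner reads the in-memory bytes from the target process and the on-disk bytes by mapping the module file itself; only the comparison and attribution logic is shown here.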
Detection: By using the Code Modifications scanner we can easily see exactly what Vanquish is doing:

Vanquish relies on a couple of registry items, but it hides those by hooking various registry-related API functions (as seen above in Code Modifications):

Vanquish also tries to hide its service (as we saw above in Code Modifications, where EnumServiceStatusA & EnumServiceStatusW have been hooked). Here we can see the result of that hook - a hidden service:

Copyright © 2008, Diamond Computer Systems Pty. Ltd. All rights reserved.