
Option A: When enabled by the user, this thing will try to keep track of everything that loads when the computer boots, including enabling the Windows boot log if it isn't already. Whenever something of note changes, it will tell the user. Besides being a general troubleshooting tool, it will also help the user spot rootkits more easily if they're not already found by the anti-rootkit engine.


Option B: Alternatively, a Native API version of the Anti-Rootkit scanner could be built, which wouldn't even require initialization of NTDLL. However, since the Native API is mostly undocumented and isn't meant for non-Microsoft use, the chances that something will change that breaks it are not the lowest.


I'd only suggest Option B for awesomeness points, otherwise go with Option A.
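One way to do the baseline-and-diff part of Option A, as an added example that is not code from Malwarebytes or from anyone in this thread: parse the Windows boot log (the file that `bcdedit /set {current} bootlog yes` makes the kernel write to `%SystemRoot%\ntbtlog.txt`), then compare a trusted baseline boot against the latest one and report what changed. The line format and the two sample logs are constructed assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed samples in the shape of %SystemRoot%\ntbtlog.txt (assumed format:
# one "Loaded driver <path>" or "Did not load driver <path>" line per driver).
BASELINE_LOG = r"""Microsoft (R) Windows (R) Version 10.0 (Build 19041)
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\hal.dll
Loaded driver \SystemRoot\System32\drivers\disk.sys
Did not load driver \SystemRoot\System32\drivers\vdrvroot.sys
"""
CURRENT_LOG = r"""Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\hal.dll
Loaded driver \SystemRoot\System32\drivers\disk.sys
Loaded driver \??\C:\Users\Public\helper.sys
Did not load driver \SystemRoot\System32\drivers\vdrvroot.sys
Did not load driver \SystemRoot\System32\drivers\cdrom.sys
"""

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(\S.*?)\s*$")


def parse_boot_log(text: str) -> Dict[str, Set[str]]:
    """Split a boot log into loaded / not-loaded driver paths (lower-cased,
    since NTFS paths are case-insensitive and the log mixes cases)."""
    result: Dict[str, Set[str]] = {"loaded": set(), "not_loaded": set()}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner, timestamp and blank lines
        key = "loaded" if m.group(1) == "Loaded driver" else "not_loaded"
        result[key].add(m.group(2).lower())
    return result


def diff_boot_logs(baseline: str, current: str) -> Dict[str, List[str]]:
    """Report what changed between a trusted baseline boot and the latest one.
    'outside_systemroot' is a heuristic: drivers loaded from outside the
    SystemRoot tree deserve a closer look."""
    base, cur = parse_boot_log(baseline), parse_boot_log(current)
    return {
        "new_drivers": sorted(cur["loaded"] - base["loaded"]),
        "missing_drivers": sorted(base["loaded"] - cur["loaded"]),
        "newly_failed": sorted(cur["not_loaded"] - base["not_loaded"]),
        "outside_systemroot": sorted(
            p for p in cur["loaded"] if not p.startswith("\\systemroot\\")),
    }


if __name__ == "__main__":
    for kind, paths in diff_boot_logs(BASELINE_LOG, CURRENT_LOG).items():
        print(f"{kind}: {paths or 'none'}")
```

In practice the baseline would be captured right after a clean install and stored somewhere the user account cannot modify, and the diff run after every boot.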


Malwarebytes basically already has these capabilities, at least for some of its business products in its Flight Recorder and Ransomware Rollback components. More info is available here and you can check the documentation on the support site for more details.


Even a Native API application along the lines of Chkdsk, the Windows Memory Diagnostic, the Windows Boot Manager, or the bugcheck (bluescreen of death) program? o.o

I actually stand by what I said about a Native API implementation of Malwarebytes being awesome, even if there's no practical reason for it to exist. If I worked at the company, I'd try making it myself just to impress people~

Actually, I think the Breach Remediation program is already a Command Line application, so it wouldn't be that hard to imagine porting it to the Native API despite all the man-years of coding that it would require.


I don't know if it would even be possible. Microsoft has some pretty strict restrictions regarding what AV/AM vendors can and can't do during the early boot process. Basically they determined that a lot of the early load methods of the past were too useful to the bad guys for taking control of infected systems and so they locked everyone out of it including AV/AM vendors; at least that's my understanding of it.
