Resource Introduction
Introduction
ARKit is an open-source rootkit detection library for Microsoft Windows. ARKit has two components:
* ARKitLib.lib - A Win32/C++ static library that exposes various methods to scan the system and detect rootkits
* ARKitDrv.sys - A device driver that actually implements the methods used to scan for and detect rootkits
Features
Currently, the ARKit library has the following features:
* Process scanning – Detect all running processes (hidden and visible)
* DLL scanning – Detect DLLs loaded in a process
* Driver scanning – Detect all loaded drivers (hidden and visible)
* SSDT hook detection and restoration
* Sysenter hook detection
* Kernel inline hook detection and restoration
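The SSDT check listed above works by testing whether each service-table entry still points inside the kernel image and, if not, writing a known-good address back. The following is an added, simplified illustration of that logic in plain C with constructed table data; it is not ARKit's own code, and the image bounds and addresses are invented for the example.

```c
/* Simplified SSDT hook check and restore (added example, not ARKit code).
 * A service entry whose target lies outside the kernel image is treated as
 * hooked; restoration copies the address from a clean copy of the table
 * (in practice rebuilt from the on-disk kernel image). All data is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    uintptr_t base;   /* load address of the kernel image (constructed) */
    size_t    size;   /* size of the image in memory (constructed) */
} kernel_image_t;

/* Returns 1 if addr falls inside the kernel image, 0 otherwise. */
static int in_kernel_image(const kernel_image_t *k, uintptr_t addr) {
    return addr >= k->base && addr < k->base + k->size;
}

/* Scan n entries of the live SSDT. hooked[i] is set to 1 for entries whose
 * target is outside the kernel image. When restore is nonzero, hooked entries
 * are overwritten with the corresponding clean[] address. Returns the number
 * of hooked entries found. */
int ssdt_scan(const kernel_image_t *k, uintptr_t *live, const uintptr_t *clean,
              size_t n, int *hooked, int restore) {
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        hooked[i] = !in_kernel_image(k, live[i]);
        if (hooked[i]) {
            count++;
            if (restore)
                live[i] = clean[i];
        }
    }
    return count;
}

int main(void) {
    /* Constructed kernel range and a three-entry table; entry 1 is redirected
     * to an address outside the image, as a third-party driver hook would be. */
    kernel_image_t k = { 0x80400000u, 0x200000u };
    uintptr_t live[3]  = { 0x80410000u, 0xf8a00120u, 0x80412340u };
    uintptr_t clean[3] = { 0x80410000u, 0x80411000u, 0x80412340u };
    int hooked[3];
    int n = ssdt_scan(&k, live, clean, 3, hooked, 1);
    for (size_t i = 0; i < 3; i++)
        printf("SSDT[%zu] %s -> 0x%lx\n", i, hooked[i] ? "HOOKED, restored" : "ok",
               (unsigned long)live[i]);
    return n == 1 ? 0 : 1;
}
```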
Supported Operating Systems
ARKit works on 32-bit flavors of Windows 2000, XP, 2003 and Vista. It has not been tested on Windows 2008 and Windows 7 yet.
Summary of detection techniques in ARKit
Process detection methods:
PID brute force (PsLo