Tuesday, April 20, 2010

Windbg and malware

In his presentation on malware cleaning, Mark Russinovich pointed out a very nice way to find and clear kernel patches (malware with rootkit behaviour) that are hijacking the system.

From the WinDbg help file:

The !chkimg extension detects corruption in the images of executable files by comparing them to the copy on a symbol store or other file repository.

Running the extension in the debugger in the following form lists the patched (mismatched) areas of the kernel image relative to the symbols:
lkd> !chkimg -d nt
and the patches can be cleared from the system with the following command, which rewrites the mismatched bytes from the reference copy:
lkd> !chkimg -f nt
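To make the mechanism concrete, here is an added example (not WinDbg's code, and not from the original post) that models what the -d and -f forms do: compare the bytes of a code region as loaded in memory against the pristine copy from the on-disk file or symbol store, report the contiguous mismatched ranges, and overwrite those ranges with the reference bytes. The two byte strings, the relocation-slot offsets and the function names are constructed for the illustration; the loaded copy carries a classic inline-hook pattern (a jmp written over the function prologue) plus one legitimately rebased pointer that a naive comparison would also flag.

```python
"""
Toy model of a !chkimg-style image integrity check (constructed example).

find_mismatches() plays the role of `!chkimg -d`: it walks a reference copy
of a code region and the copy read from memory and reports every contiguous
range of differing bytes. restore() plays the role of `!chkimg -f`: it writes
the reference bytes back over the reported ranges.
"""
from dataclasses import dataclass


@dataclass
class Mismatch:
    offset: int      # start of the differing range, relative to the region
    expected: bytes  # bytes from the reference copy
    actual: bytes    # bytes as found in memory


def find_mismatches(reference: bytes, loaded: bytes, ignore=frozenset()):
    """Return contiguous ranges where `loaded` differs from `reference`.

    Offsets listed in `ignore` (here: relocation fixup slots) are skipped so
    that legitimate load-time pointer adjustments are not reported as patches.
    """
    if len(reference) != len(loaded):
        raise ValueError("reference and loaded regions differ in size")
    ranges, start = [], None
    for i, (r, l) in enumerate(zip(reference, loaded)):
        differs = r != l and i not in ignore
        if differs and start is None:
            start = i                      # open a new mismatched range
        elif not differs and start is not None:
            ranges.append(Mismatch(start, reference[start:i], loaded[start:i]))
            start = None                   # close the range
    if start is not None:                  # range runs to the end of the region
        ranges.append(Mismatch(start, reference[start:], loaded[start:]))
    return ranges


def restore(loaded: bytes, mismatches) -> bytes:
    """Overwrite every reported range with the reference bytes (like -f)."""
    buf = bytearray(loaded)
    for m in mismatches:
        buf[m.offset:m.offset + len(m.expected)] = m.expected
    return bytes(buf)


def format_report(mismatches):
    """Render mismatches as one human-readable line per range."""
    return [
        f"offset {m.offset:#06x}: expected {m.expected.hex(' ')}, "
        f"found {m.actual.hex(' ')} ({len(m.actual)} bytes)"
        for m in mismatches
    ]


# Constructed reference: an x86 function prologue followed by
#   mov eax, [0x00401000]   (a1 00 10 40 00)   <- immediate is a relocation slot
#   mov ecx, [ebp+8]; pop ebp; ret
REFERENCE = bytes.fromhex("8bff558bec83ec10a1001040008b4d085dc3")
# Constructed in-memory copy: the first five bytes were replaced by a jmp rel32
# (e9 + constructed displacement) and the pointer was rebased to 0x00501000.
LOADED = bytes.fromhex("e9efbeadde83ec10a1001050008b4d085dc3")
# Byte offsets of the relocatable pointer inside the region (constructed).
RELOC_SLOTS = frozenset({9, 10, 11, 12})


def check_image(reference=REFERENCE, loaded=LOADED, ignore=RELOC_SLOTS):
    """Convenience wrapper: report mismatches, then return the repaired bytes."""
    found = find_mismatches(reference, loaded, ignore)
    return found, restore(loaded, found)


if __name__ == "__main__":
    naive = find_mismatches(REFERENCE, LOADED)
    print("without relocation awareness:", *format_report(naive), sep="\n  ")
    found, fixed = check_image()
    print("with relocation slots ignored:", *format_report(found), sep="\n  ")
    print("repaired region:", fixed.hex(" "))
```

Running it shows why a real tool must know where the loader is allowed to change bytes: the naive comparison reports two ranges (the hook and the rebased pointer), while the relocation-aware pass reports only the hook, and the repaired region keeps the rebased pointer intact while restoring the original prologue.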

More to come
