In his presentation on malware cleaning, Mark Russinovich pointed out a very nice way to clear possible kernel patches (malware with rootkit behavior) that are hijacking the system.
From the help file:
The !chkimg extension detects corruption in the images of executable files by comparing them to the copy on a symbol store or other file repository.
Running the command in the debugger in the following form lets us observe the patches, i.e. the areas of the loaded image that do not match the copy referenced by the symbols:
lkd> !chkimg -d nt
and the patches can be cleared from the system just as easily with the following command:
lkd> !chkimg -f nt
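Before running the fix, it helps to triage what !chkimg -d actually reported. The following script is an added example (not from the presentation or the debugger help): it parses text in the style of !chkimg -d output into records, computes where a 5-byte jmp patch diverts control, and gives each patched range a coarse label. The sample output, its addresses, symbols and byte values are constructed for illustration.

```python
import re
from typing import Dict, List, Optional
# Constructed sample in the style of "!chkimg -d nt" output; the addresses,
# symbols and byte values are made up, not captured from a real system.
SAMPLE_OUTPUT = """\
lkd> !chkimg -d nt
    fffff80002a5c100-fffff80002a5c104  5 bytes - nt!NtOpenProcess
    [ 48 89 5c 24 08:e9 fb 3e a2 ff ]
    fffff80002b10f20-fffff80002b10f21  2 bytes - nt!KiFastCallEntry+9
    [ 8b ec:90 90 ]
7 errors : nt (fffff80002a5c100-fffff80002b10f21)
"""

RANGE_RE = re.compile(r"^\s*([0-9a-f`]+)-([0-9a-f`]+)\s+(\d+) bytes? - (\S+)", re.I)
BYTES_RE = re.compile(r"^\s*\[\s*([0-9a-f ]+):([0-9a-f ]+)\s*\]", re.I)

def _hexbytes(s: str) -> bytes:
    return bytes(int(b, 16) for b in s.split())

def parse_chkimg(text: str) -> List[Dict]:
    """Pair each mismatch range line with its [ original:patched ] byte line."""
    records: List[Dict] = []
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if m:  # WinDbg may print 64-bit addresses with a backtick separator
            records.append({"start": int(m.group(1).replace("`", ""), 16),
                            "end": int(m.group(2).replace("`", ""), 16),
                            "size": int(m.group(3)), "symbol": m.group(4),
                            "original": b"", "patched": b""})
        elif (m := BYTES_RE.match(line)) and records:
            records[-1]["original"] = _hexbytes(m.group(1))
            records[-1]["patched"] = _hexbytes(m.group(2))
    return records

def hook_target(rec: Dict) -> Optional[int]:
    """For a 'jmp rel32' (E9) patch, the address control is diverted to."""
    p = rec["patched"]
    if len(p) >= 5 and p[0] == 0xE9:
        rel = int.from_bytes(p[1:5], "little", signed=True)
        return rec["start"] + 5 + rel  # rel32 is relative to the next instruction
    return None

def classify(rec: Dict) -> str:
    """Coarse triage label; the analyst still decides if a patch is malicious."""
    p = rec["patched"]
    if hook_target(rec) is not None:
        return "inline hook (jmp rel32)"
    if p and all(b == 0x90 for b in p):
        return "nop-out"
    return "other modification"
```

Feed it the saved output of a real !chkimg -d run; the jump target of each hook is what you then look up (e.g. with lm or ln) to see which module owns the patch before deciding to run !chkimg -f.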
More to come