The term rootkit describes the mechanisms and techniques by which malware, including viruses, spyware, and trojans, attempts to hide its presence from spyware blockers, antivirus software, and system management utilities. A rootkit is a program or, more often, a collection of software tools that gives a threat actor remote access to and control over a computer or other system.
Rootkits are a particularly insidious form of malware because they load before an operating system boots and can hide from ordinary. The term rootkit is a combination of the two words “root” and “kit.” Rootkit Revealer is an advanced rootkit detection utility. It runs on Windows XP and Windows NT 4 and higher, and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
Rootkit Revealer successfully detects many persistent rootkits, including AFX, Vanquish and Hacker Defender (note: Rootkit Revealer is not intended to detect rootkits like Fu that don’t attempt to hide their files or Registry keys). Rootkit Revealer is a proprietary freeware tool for rootkit detection on Microsoft Windows by Bryce Cogswell and Mark Russinovich. It runs on Windows XP and Windows Server 2003. Rootkit Revealer has two modes of operation. The program searches for user-mode or kernel-mode rootkits and lists any API discrepancies that it finds.
Since persistent rootkits work by changing API results so that a system view obtained through the APIs differs from the actual view in storage, Rootkit Revealer compares the results of a system scan at the highest level with those at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry’s on-disk storage format). Rootkit Revealer supports several options for auto-scanning systems. It has two scanning options: Hide NTFS Metadata Files and Scan Registry.
Thus a rootkit, whether user mode or kernel mode, that manipulates the Windows API or native API to remove its presence from a directory listing, for example, will be seen by Rootkit Revealer as a discrepancy between the information returned by the Windows API and that seen in the raw scan of a FAT or NTFS volume’s file system structures.
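As an added illustration (not Rootkit Revealer's own code), the cross-view comparison just described, reduced to a Python function over two constructed views of the same volume; the function names, the finding messages and the sample paths, including the placeholder hidden_example.sys, are this example's own, and the same comparison applies unchanged to Registry hive keys.

```python
# Added illustration of cross-view rootkit detection: the high-level (Windows
# API) view and low-level (raw volume / hive) view of the same namespace are
# compared and every disagreement is reported. Names and data are constructed.
# Names present only in raw NTFS structures and legitimately absent from an API
# listing (what the "Hide NTFS Metadata Files" option suppresses).
NTFS_METADATA = {"$MFT", "$MFTMirr", "$LogFile", "$Volume", "$AttrDef",
                 "$Bitmap", "$Boot", "$BadClus", "$Secure", "$UpCase", "$Extend"}

def _normalize(view):
    # NTFS paths and Registry keys compare case-insensitively, so a case-only
    # difference between the two scans must not become a finding.
    return {path.lower(): (path, size) for path, size in view.items()}

def cross_view_discrepancies(api_view, raw_view, hide_ntfs_metadata=True):
    """Return [(path, finding)] for every disagreement between the views:
    api_view is {path: size} via the Windows API, raw_view via the raw scan."""
    api, raw = _normalize(api_view), _normalize(raw_view)
    findings = []
    for key, (path, raw_size) in sorted(raw.items()):
        if hide_ntfs_metadata and path.rsplit("\\", 1)[-1] in NTFS_METADATA:
            continue
        if key not in api:  # on disk but filtered out of the API result
            findings.append((path, "Hidden from Windows API."))
        elif api[key][1] != raw_size:
            findings.append((path, f"Size mismatch: API {api[key][1]} bytes, "
                                   f"raw scan {raw_size} bytes."))
    for key, (path, _) in sorted(api.items()):
        if key not in raw:  # typically created/deleted between the two passes
            findings.append((path, "Visible in Windows API, but not in raw scan."))
    return findings

# Constructed sample views (not captured from a real system).
API_VIEW = {
    "C:\\Windows\\System32\\calc.exe": 27648,
    "C:\\Windows\\System32\\drivers\\ntfs.sys": 2097152,
    "C:\\Windows\\System32\\svchost.exe": 51200,
    "C:\\Windows\\Temp\\scan.tmp": 512,
}
RAW_VIEW = {
    "C:\\$MFT": 262144,
    "C:\\$LogFile": 65536,
    "c:\\windows\\system32\\CALC.EXE": 27648,  # case-only difference
    "C:\\Windows\\System32\\drivers\\ntfs.sys": 2097152,
    "C:\\Windows\\System32\\drivers\\hidden_example.sys": 40960,  # placeholder
    "C:\\Windows\\System32\\svchost.exe": 53248,  # sizes disagree
}

if __name__ == "__main__":
    for path, finding in cross_view_discrepancies(API_VIEW, RAW_VIEW):
        print(f"{path}\t{finding}")
```

Only the entry hidden from the API view is a rootkit-style finding; the size mismatch and the API-only temp file show the benign discrepancies that a scan taken on a live system also reports and that need manual review.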