My favorites | Sign in
Project Home Downloads Wiki Issues Source
Summary   People
Project Information
Members
Featured
Downloads
Links

Introduction

ARKit is an open-source rootkit detection library for Microsoft Windows. ARKit has two components:

  • ARKitLib.lib - A Win32/C++ static library that exposes various methods to scan system and detect rootkits
  • ARKitDrv.sys - A device driver that actually implements methods to scan and detect rootkits

Features

Currently, ARKit library has following features:

  • Process scanning – Detect all running processes (hidden and visible)
  • DLL scanning – Detect DLLs loaded in a process
  • Driver scanning – Detect all loaded drivers (hidden and visible)
  • SSDT hook detection and restoration
  • Sysenter hook detection
  • Kernel inline hook detection and restoration

Supported Operating Systems

ARKit works on 32-bit flavors of Windows 2000, XP, 2003 and Vista. It has not been tested on Windows 2008 and Windows 7 yet.

Summary of detection techniques in ARKit

Process detection methods:

  • PID brute force (PsLookupProcessByProcessId)
  • TID brute force (PsLookupThreadByThreadId)
  • Handle table traversing (NtQuerySystemInformation)

DLL detection methods:

  • InMemoryOrderModuleList traversal in process' PEB
  • VAD tree walking

Process termination methods:

  • NtTerminateProcess/ZwTerminateProcess
  • NtTerminateThread/ZwTerminateThread for all threads of a process

Driver detection methods:

  • PsLoadedModuleList traversing
  • \Driver\ directory traversing in Object Manager
  • \Device\ directory traversing in Object Manager

Source Code

  • ARKitLib.lib: ARKitLib directory in Source section
  • ARKitDrv.sys: ARKitDrv directory in Source section
  • ARKitTester.exe: ARKitTester directory in Source section. An executable is available in Downloads section

Use SVN tools such as TortoiseSVN to checkout/download source code.

Using ARKit

Using ARKit library is quite simple:

  • Include ARKitLib.h and ARKitDefines.h header files in your application source
  • Link to ARKitLib.lib and Psapi.lib
  • Instantiate an object of ARKitLib class and use various member functions to gather system data
  • While running your application, make sure that ARKitDrv.sys driver is in the same directory where application is present

Take a look at ARKitTester, an example application that shows how to make use of ARKit.

Todo list

  • Methods to disable drivers
  • Boot sector rootkit detection

Note

  • Windows DDK or WDK is needed to compile and build ARKitDrv.sys. You can get it here.
  • ARKitLib.lib component uses few Psapi APIs. So, applications using ARKitLib.lib should link with Psapi.lib
  • ARKit uses open-source XDE disassembling engine. More information about XDE can be found here.
Powered by Google Project Hosting