From Collaborative RCE Tool Library

Jump to: navigation, search

System Virginity Verifier

Tool name: System Virginity Verifier
Rating: 0.0 (0 votes)
Author: Joanna Rutkowska                        
Website: http://www.invisiblethings.org/code.html
Current version: 2.3
Last updated: February 27, 2005
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Joanna Rutswoka provides on her site (invisiblethings.org) interesting papers and tools about rootkits since a few years and is a well known contributors on the official rootkit web site.

SYSTEM VIRGINITY VERIFIER or SVV is very interesting because it checks the system for malicious hooking and also checks the integrity of code section modules directly in memory.

After the verification, SVV notifies the user with five level of infection or seriousness:


-level 0: 100% Virgin (not expected to ocuur in the wild);
-level 1: Seems ok;
-level 2: Innocent hooking detected;
-level 3: Very suspected but may be a false positive;
-level 4: compromised.

The final verdict uses a color codification from blue to deepred.
Resource: the SVV powerpoint presentation (available at invisiblethings.org).

It's important to note that many softwares can interfere with the verdict: antivirus such as Kaspersky, desktop intrusion systems which operate at a low level like AntiHook, ProcessGuard and so on.

SVV in action:

After rebooting the PC in the diagnose mode, SVV gives its first verdict:


Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:WINDOWSsystem32>svv check /m
module ntoskrnl.exe [0x804d7000 - 0x806ebf80]: 0x804db4f0 [RtlPrefetchMemoryNonTemporal()+0] 1 byte(s): exclusion filter: single byte modification
file :c3
memory :90
verdict = 1

0x804dc032 18 byte(s): exclusion filter: KeFlushCurrentTb()
file :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
verdict = 1

0x804dc04a 1 byte(s): exclusion filter: single byte modification
file :c3
memory :00
verdict = 1

0x804df16a 1 byte(s): exclusion filter: single byte modification
file :05
memory :06
verdict = 1

module ntoskrnl.exe: end of details

SYSTEM INFECTION LEVEL: 1
0 - BLUE
--> 1 - GREEN
2 - YELLOW
3 - ORANGE
4 - RED
5 - DEEPRED

Nothing suspected was detected.

Level 1/Green: this a good news for a beginning.

Now let's hook some windows APIs and let's see the new verdict:

Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:WINDOWSsystem32>svv check /m
ntoskrnl.exe (804d7000 - 806ebf80)... module ntoskrnl.exe [0x804d7000 - 0x806ebf80]:
0x804db4f0 [RtlPrefetchMemoryNonTemporal()+0] 1 byte(s): exclusion filter: single byte modification
file :c3
memory :90
verdict = 1

0x804dc032 18 byte(s): exclusion filter: KeFlushCurrentTb()
file :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
verdict = 1

0x804dc04a 1 byte(s): exclusion filter: single byte modification
file :c3
memory :00
verdict = 1


0x804df16a 1 byte(s): exclusion filter: single byte modification
file :05
memory :06
verdict = 1


0x804e72c4 [ExAllocatePoolWithQuotaTag()+0] 6 byte(s): JMPing code (jmp to: 0xbab1dbfc)
address 0xbab1dbfc is inside TRACE.SYS module [0xbab1a000-0xbab26000]
target module path: ??C:DOCUMENTS AND SETTINGSMICHELMES DOCUMENTSKAPIMON
2TRACE.SYS
file :8b ff 55 8b ec 51
memory :ff 25 fc db b1 ba
verdict = 2

0x804eb321 [ExAllocatePoolWithTagPriority()+0] 6 byte(s): JMPing code (jmp to: 0xbab1dba4)
address 0xbab1dba4 is inside TRACE.SYS module [0xbab1a000-0xbab26000]
target module path: ??C:DOCUMENTS AND SETTINGSMICHELMES DOCUMENTSKAPIMON
2TRACE.SYS
file :8b ff 55 8b ec 53
memory :ff 25 a4 db b1 ba
verdict = 2

module ntoskrnl.exe: end of details

SYSTEM INFECTION LEVEL: 2
0 - BLUE
1 - GREEN
--> 2 - YELLOW
3 - ORANGE
4 - RED
5 - DEEPRED

Nothing suspected was detected.
Related URLs: No related URLs have been submitted for this tool yet


Screenshot:
Screenshot of System Virginity Verifier


RSS feed Feed containing all updates for this tool.

You are welcome to add your own useful notes about this tool, for others to see!

Retrieved from "http://www.woodmann.com/collaborative/tools/index.php/System_Virginity_Verifier"


If you find that any information for the tool above is missing, outdated or incorrect, please edit it!
(please also edit it if you think it fits well in some additional category, since this can also be controlled)

Views
Category Navigation Tree
RCE Tools
   Categorized by Target Type  (176)
   Categorized by Tool Type  (983)
   Anti Anti Test Tools  (15)
   Anti Debug Test Tools  (2)
   Anti Hook Test Tools  (12)
   Kernel Hook Detection Tools  (9)
   Usermode Hook Detection Tools  (2)
   VM Detection Test Tools  (1)
   Assemblers  (15)
   Code Coverage Tools  (12)
   Code Injection Tools  (32)
   Code Ripping Tools  (2)
   Crypto Tools  (5)
   Data Extraction Tools  (19)
   Debuggers  (42)
   Decompilers  (20)
   Deobfuscation Tools  (12)
   Dependency Analyzer Tools  (5)
   Diff Tools  (29)
   Disassemblers  (45)
   Dongle Analysis Tools  (24)
   Exe Analyzers  (31)
   Firefox Extensions  (1)
   GUI Manipulation Tools  (16)
   Hardware Reversing Tools  (24)
   Hex Editors  (12)
   IDA Signature Creation Tools  (5)
   Kernel Tools  (13)
   Kernel Hook Detection Tools  (9)
   Memory Data Tracing Tools  (6)
   Memory Patchers  (3)
   Memory Search Tools  (7)
   Monitoring Tools  (110)
   API Monitoring Tools  (17)
   Active Directory Monitoring Tools  (1)
   Bus Monitoring Tools  (5)
   Debug Output Monitoring Tools  (1)
   Disk Monitoring Tools  (2)
   Driver & IRP Monitoring Tools  (1)
   Exception Monitoring Tools  (4)
   File Monitoring Tools  (4)
   Hook Detection Tools  (12)
   Kernel Hook Detection Tools  (9)
   Usermode Hook Detection Tools  (2)
   Install Monitoring Tools  (3)
   Kernel Filter Monitoring Tools  (1)
   Memory Data Tracing Tools  (6)
   Named Pipe Monitoring Tools  (1)
   Network Monitoring Tools  (7)
   Parallel Comm Monitoring Tools  (2)
   Process Monitoring Tools  (5)
   Registry Monitoring Tools  (6)
   Serial Comm Monitoring Tools  (1)
   SysCall Monitoring Tools  (5)
   Thread Monitoring Tools  (2)
   Tracers  (17)
   USB Monitoring Tools  (3)
   Window Monitoring Tools  (3)
   Network Tools  (15)
   PE Executable Editors  (79)
   Packers  (16)
   Patch Packaging Tools  (7)
   Profiler Tools  (10)
   Programming Libraries  (32)
   Regular Expression Tools  (3)
   Resource Editors  (12)
   Reverse Engineering Frameworks  (7)
   Source Code Tools  (11)
   String Finders  (5)
   Symbol Tools  (11)
   System Information Extraction Tools  (7)
   Technical PoC Tools  (7)
   Test and Sandbox Environments  (16)
   Tool Extensions  (137)
   Tool Hiding Tools  (5)
   Tool Signatures  (22)
   Tracers  (17)
   Unpacking Tools  (59)
   Needs New Category  (2)