[Share] arkitlib: whoever has time, come and improve this thing.
Posted: 2012-7-21 01:33 4072

ARKit is an open-source rootkit detection library for Microsoft Windows. ARKit has two components:

ARKitLib.lib - A Win32/C++ static library that exposes various methods to scan system and detect rootkits
ARKitDrv.sys - A device driver that actually implements methods to scan and detect rootkits
Features
Currently, the ARKit library has the following features:

Process scanning – Detect all running processes (hidden and visible)
DLL scanning – Detect DLLs loaded in a process
Driver scanning – Detect all loaded drivers (hidden and visible)
SSDT hook detection and restoration
Sysenter hook detection
Kernel inline hook detection and restoration
Supported Operating Systems
ARKit works on 32-bit flavors of Windows 2000, XP, 2003 and Vista. It has not been tested on Windows 2008 and Windows 7 yet.
Summary of detection techniques in ARKit
Process detection methods:

PID brute force (PsLookupProcessByProcessId)
TID brute force (PsLookupThreadByThreadId)
Handle table traversing (NtQuerySystemInformation)
DLL detection methods:

InMemoryOrderModuleList traversal in the process's PEB
VAD tree walking
Process termination methods:

NtTerminateProcess/ZwTerminateProcess
NtTerminateThread/ZwTerminateThread for all threads of a process
Driver detection methods:

PsLoadedModuleList traversing
\Driver\ directory traversing in Object Manager
\Device\ directory traversing in Object Manager
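The detection methods listed above all rely on the same idea: enumerate objects through a low-level path the rootkit is unlikely to have tampered with (brute-forcing ids through PsLookupProcessByProcessId, walking PsLoadedModuleList, and so on), then compare that view against what the ordinary, high-level enumeration reports. Anything present in the low-level view but missing from the high-level one is hidden. The following C program is an added illustration of that cross-view comparison and is not ARKit's own code. It cannot call the kernel routines from user mode, so the lookup is a hypothetical callback backed by a constructed table of "live" ids; the step of 4 reflects how Windows allocates process and thread ids, and the upper bound of the sweep is an arbitrary constructed limit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Windows hands out process and thread ids as multiples of 4, so the sweep
 * only needs to probe those values (assumption about sweep granularity).
 * ID_LIMIT is a constructed upper bound for the example. */
#define ID_STEP  4u
#define ID_LIMIT 65536u

/* A lookup callback answers "does this id resolve to a live object?".
 * Inside a driver this would wrap PsLookupProcessByProcessId (processes)
 * or PsLookupThreadByThreadId (threads); here it is a hypothetical stand-in. */
typedef bool (*lookup_fn)(uint32_t id);

/* Brute-force sweep: probe every candidate id and keep the ones that resolve.
 * Returns the number of ids written to out (at most cap). */
size_t brute_force_ids(lookup_fn lookup, uint32_t *out, size_t cap)
{
    size_t n = 0;
    for (uint32_t id = 0; id <= ID_LIMIT && n < cap; id += ID_STEP) {
        if (lookup(id))
            out[n++] = id;
    }
    return n;
}

static bool contains(const uint32_t *ids, size_t n, uint32_t id)
{
    for (size_t i = 0; i < n; i++)
        if (ids[i] == id)
            return true;
    return false;
}

/* Cross-view comparison: ids the low-level sweep found but the high-level
 * (user-mode visible) list omits are reported as hidden.
 * Returns the number of hidden ids written to out. */
size_t find_hidden(const uint32_t *found, size_t nfound,
                   const uint32_t *visible, size_t nvisible,
                   uint32_t *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < nfound && n < cap; i++)
        if (!contains(visible, nvisible, found[i]))
            out[n++] = found[i];
    return n;
}

/* ---- constructed sample data standing in for a live system ---- */

/* Ids that exist in the simulated kernel (what the lookup would resolve).
 * 1024 plays the role of a process unlinked from the lists that user-mode
 * enumeration depends on. */
static const uint32_t kernel_live[] = { 4, 368, 512, 1024, 2048 };

/* Ids a user-mode snapshot reports: 1024 is missing. */
static const uint32_t usermode_visible[] = { 4, 368, 512, 2048 };

bool sample_lookup(uint32_t id)
{
    return contains(kernel_live, sizeof kernel_live / sizeof kernel_live[0], id);
}

/* Run the whole detection over the sample data; returns the number of
 * hidden ids and stores them in out. */
size_t detect_hidden_sample(uint32_t *out, size_t cap)
{
    uint32_t found[64];
    size_t nfound = brute_force_ids(sample_lookup, found,
                                    sizeof found / sizeof found[0]);
    return find_hidden(found, nfound,
                       usermode_visible,
                       sizeof usermode_visible / sizeof usermode_visible[0],
                       out, cap);
}

int main(void)
{
    uint32_t hidden[16];
    size_t n = detect_hidden_sample(hidden, 16);
    printf("%zu hidden id(s)\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  hidden: %u\n", hidden[i]);
    return 0;
}
```

The same comparison generalises to the other pairs the list implies: union the ids from all three process views before diffing against the visible list, or diff a PsLoadedModuleList walk against the \Driver\ directory for drivers. A discrepancy is evidence of hiding, not proof of which technique was used, so a practical scanner reports the raw id and lets the analyst inspect the object.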


Latest replies (1)
xt and pt say they are totally unfazed~~
2012-7-21 02:52