Hidden File System Reader , Hidden File System Reader tool for TDSS, Cidox,ZeroAccess, etc.


Этой утилитой кто-нибудь пользуется? что она умеет делать?
Боюсь Santy ты будешь первопроходцем :)
Прошел по ссылке, только на Скачать нажал и восьмерка повесилась :)
Правильно заданный вопрос - это уже половина ответа
Это наверное, Матросова утилита. вроде как против tdss заточена. скрытые файловые системы ищет.

° ESET Hidden File System Reader °

° beta (Sep 20 2012 13:07:27) °

° Copyright © 1992-2012 ESET, spol. s r.o. All rights reserved. °

° HfsReader.exe [params] [export_path] °
° Params: °
° /help or /?    - print help message °
° /no-output     - no output to command line °
° /no-export     - do not export files from file system(s) °
° /export-txt    - export file list from file system(s) to text file °
° /mbr     - make mbr dump °
° /vbr     - make active drive vbr dump °
° /dump=<o>,<s>  - make hard drive dump °
° <o> - offset from beginning or "end" °
° <s> - size °
° Examples: °
°    /dump=515,1024 °
°    /dump=end,4096 °
Изменено: santy - 08.10.2012 18:03:09
Hidden File System Reader tool

Implementing hidden storage makes forensic analysis more difficult since:

   Malicious files are not stored in the file system (difficult to extract)
   Hidden storage cannot be decrypted without malware analysis
   Typical forensic tools do not work out of the box

To tackle the problem of retrieving the contents of the hidden storage areas one needs to perform malware analysis and reconstruct algorithms used to handle the data stored inside it. In the course of our research into complex threats we have developed a tool intended to recover the contents of hidden storage used by such complex threats as:

   TDL3 and modifications
   TDL4 and modifications
   Sirefef (ZeroAccess)
   Goblin (XPAJ)
   Flame (dump decrypted resource section)

The tool is very useful in incident response and threat analysis and monitoring. It is able to dump the malware’s hidden storage, as well as to dump any desired range of sectors of the hard drive. In the next figure a screenshot of the tool’s output is presented:

Читают тему (гостей: 1)