-
Notifications
You must be signed in to change notification settings - Fork 1
Features
Nong Hoang Tu edited this page Oct 2, 2024
·
3 revisions
rkcheck provides the tool name rkscanmal that can:
- Scan files
- Scan process's memory
- Find user-land rootkit's library using function's address comparison
Developed as "as effective as possible" in mind, rkscanmal engine has features:
- Support both Yara signatures (either cleartext or compiled rules) and ClamAV signatures.
- Collect various information of a running process (from ProcFS) so scan a process is not limited to string scan, but can perform more heuristic detection like reverse shell, thread masquerading or self delete malware
Feature table
| Feature | Engine |
|---|---|
| File parser, unpack, decompression | LibClamAV |
| File scan | LibClamAV, LibYara |
| Memory Scan | LibClamAV (fully support Clam's signatures), LibYara |
| Heuristic process check | LibYara |
| Rule syntax, False positives, False negatives | Yara's CI |
| User-land rootkit detection | Custom |