
RootkitRevealer

If you suspect hidden malware on a Windows system, RootkitRevealer is a useful tool for surfacing it. It runs on Windows NT 4 and later, and it looks for inconsistencies in both the Registry and the file system that may indicate a rootkit, whether that rootkit operates in user mode or in kernel mode.


The utility is especially effective against persistent rootkits such as AFX, Vanquish, and HackerDefender. It will not catch every kind of rootkit, though. A rootkit like Fu, which makes no attempt to hide its files or Registry entries, may not be flagged at all, because RootkitRevealer is designed specifically to catch rootkits that are actively concealing themselves.


So how does it work? Many rootkits hook or patch system APIs so that their files, keys and processes never appear in an ordinary scan. RootkitRevealer counters this by comparing two views of the same system: the "official" view returned by the Windows APIs, and the raw, low-level data read directly from the on-disk file system structures and the Registry hive files. Any mismatch between the two views is a red flag and is reported as a discrepancy.


Whether a rootkit tampers with user-level APIs or operates inside the kernel, if it is hiding its tracks (for example, by removing its own entries from a directory listing) RootkitRevealer will very likely catch the discrepancy. It does so by scanning the FAT or NTFS structures directly, which gives a clearer picture of what is really on the machine than any API call can.
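The two paragraphs above describe the cross-view technique: read the on-disk structures yourself, then diff that against what the API reports. The following is an added example, not RootkitRevealer's own code, that builds a tiny FAT12 image in memory, parses its root directory straight from the raw bytes, and diffs it against a simulated hooked directory listing. The image contents, the file names and the "HXDEF" hiding prefix are all constructed for the demo; the hooked-API view is a Python filter standing in for a rootkit's hooked FindFirstFile/FindNextFile, since a real hook cannot be installed from a script. Only the file-system half of the check is shown; the Registry half works the same way against the raw hive files.

```python
"""Cross-view rootkit detection over a constructed FAT12 image (added example)."""
import struct

BYTES_PER_SECTOR = 512


def _entry(name8, ext3, attr, first_cluster=0, size=0):
    """Build one 32-byte FAT directory entry with a space-padded 8.3 name."""
    raw_name = name8.ljust(8).encode("ascii") + ext3.ljust(3).encode("ascii")
    # attr, NT reserved, create tenth, create time/date, last access,
    # first cluster high, write time/date, first cluster low, file size
    return raw_name + struct.pack("<BBBHHHHHHHI",
                                  attr, 0, 0, 0, 0, 0, 0, 0, 0, first_cluster, size)


def build_image():
    """Constructed FAT12 volume: boot sector, two 1-sector FATs, 16-entry root dir."""
    boot = bytearray(BYTES_PER_SECTOR)
    boot[0:3] = b"\xEB\x3C\x90"                      # jump + nop
    boot[3:11] = b"MSWIN4.1"                         # OEM name
    # bytes/sector, sectors/cluster, reserved sectors, FAT count,
    # root entry count, total sectors, media byte, sectors/FAT
    struct.pack_into("<HBHBHHBH", boot, 11, BYTES_PER_SECTOR, 1, 1, 2, 16, 4, 0xF8, 1)
    boot[510:512] = b"\x55\xAA"

    fat = bytearray(BYTES_PER_SECTOR)
    fat[0:3] = b"\xF8\xFF\xFF"                       # FAT12 media/EOC markers

    lfn = bytearray(_entry("LFNJUNK", "", 0x0F))     # long-name entry, must be skipped
    deleted = bytearray(_entry("OLDFILE", "TXT", 0x20))
    deleted[0] = 0xE5                                # deleted-entry marker
    entries = [
        _entry("NTLDR", "", 0x27),
        _entry("BOOT", "INI", 0x26),
        _entry("WINDOWS", "", 0x10),                 # directory
        bytes(lfn),
        bytes(deleted),
        _entry("HXDEF100", "EXE", 0x20, 5, 70656),   # constructed "rootkit" files
        _entry("HXDEF100", "INI", 0x20, 7, 3000),
    ]
    root = b"".join(entries).ljust(16 * 32, b"\x00")  # zero byte = end of directory
    return bytes(boot) + bytes(fat) * 2 + root


def parse_fat_root_dir(image):
    """Raw view: walk the root directory from the on-disk bytes, ignoring any API."""
    bps, spc, reserved, nfats, root_entries = struct.unpack_from("<HBHBH", image, 11)
    (spf,) = struct.unpack_from("<H", image, 22)
    root_off = (reserved + nfats * spf) * bps
    files = []
    for i in range(root_entries):
        e = image[root_off + 32 * i: root_off + 32 * (i + 1)]
        if e[0] == 0x00:                             # no more entries
            break
        if e[0] == 0xE5:                             # deleted slot
            continue
        attr = e[11]
        if attr == 0x0F or attr & 0x08:              # LFN piece or volume label
            continue
        base = e[0:8].decode("ascii").rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        cluster_lo, size = struct.unpack_from("<HI", e, 26)
        files.append({"name": f"{base}.{ext}" if ext else base,
                      "attr": attr, "size": size, "first_cluster": cluster_lo})
    return files


def hooked_api_listing(raw_listing, hide_prefix="HXDEF"):
    """Simulated hooked FindFirstFile/FindNextFile: the true listing is produced,
    then entries matching the rootkit's prefix are dropped before the caller sees them.
    (Simulation for the demo; the prefix is an assumption, not a real signature.)"""
    return [f["name"] for f in raw_listing if not f["name"].upper().startswith(hide_prefix)]


def cross_view_diff(api_names, raw_listing):
    """Report names present in one view but not the other."""
    api, raw = set(api_names), {f["name"] for f in raw_listing}
    return {"hidden_from_api": sorted(raw - api), "visible_only_via_api": sorted(api - raw)}


def scan(image, hide_prefix="HXDEF"):
    """Full cross-view scan of a volume image against a (simulated) hooked API."""
    raw = parse_fat_root_dir(image)
    return cross_view_diff(hooked_api_listing(raw, hide_prefix), raw)


if __name__ == "__main__":
    img = build_image()
    print("raw view:", [f["name"] for f in parse_fat_root_dir(img)])
    print("discrepancies with hooking rootkit:", scan(img))
    print("discrepancies with non-hiding rootkit:", scan(img, hide_prefix="NOPE"))
```

The last call illustrates the caveat about rootkits such as Fu: when nothing is filtered out of the API view, the two views agree and the scan reports no discrepancy, even though the suspicious files are still on disk.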




Technical

Title RootkitRevealer
Platform Windows 2000, Windows XP, Windows NT
License Free
Author Microsoft SysInternals
Filename 9789_RootkitRevealer.zip

Version History

RootkitRevealer 1.71.0.0.0
RootkitRevealer 1.70.0.0.0
RootkitRevealer 1.60
RootkitRevealer 1.56