@thomjs
Created April 16, 2020 14:05
An incident response script that checks the Windows registry for embedded kernel driver rootkits (PE images stored as binary values, the way KDU drops them).
# Default check (where KDU writes by default)
Write-Host -ForegroundColor Green "Checking Default Location"
$discoveries = @()
Get-Item "HKLM:\" | ForEach-Object {
    $parent = $_.PSPath
    (Get-ItemProperty $_.PSPath).PSObject.Properties | ForEach-Object {
        # Only binary values can hold an image; a PE file starts with "MZ" (0x4D 0x5A).
        # The type check keeps string values (and $null) from being indexed and compared as chars.
        if ($_.TypeNameOfValue -eq "System.Byte[]" -and $_.Value.Length -gt 100 -and
            $_.Value[0] -eq 77 -and $_.Value[1] -eq 90) {
            Write-Host -ForegroundColor Red "Discovered a potential driver rootkit embedded in registry: "
            Write-Host -ForegroundColor Red "$parent\$($_.Name)"
            $discoveries += "$parent\$($_.Name)"
        }
    }
}

# Deep recursive check (in case an attacker modified the location)
Write-Host -ForegroundColor Green "Checking Recursively... this can take a while so go grab a coffee..."
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\" -Recurse -ErrorAction Ignore | ForEach-Object {
    $parent = $_.PSPath
    Write-Host -ForegroundColor Gray "Currently inside $parent"
    # Keys we cannot read are skipped silently (-ErrorAction Ignore)
    (Get-ItemProperty $_.PSPath -ErrorAction Ignore).PSObject.Properties | ForEach-Object {
        if ($_.TypeNameOfValue -eq "System.Byte[]") {
            if ($_.Value.Length -gt 100 -and $_.Value[0] -eq 77 -and $_.Value[1] -eq 90) {
                Write-Host -ForegroundColor Red "Discovered a potential driver rootkit embedded in registry: "
                Write-Host -ForegroundColor Red "$parent\$($_.Name)"
                $discoveries += "$parent\$($_.Name)"
            }
        }
    }
}

# Reporting
Write-Host -ForegroundColor Yellow "COMPLETED"
# `$discoveries -eq @()` is not an emptiness test in PowerShell (-eq on an array filters its
# elements and returns an empty array, which is falsy), so the count is checked instead.
if ($discoveries.Count -eq 0) {
    Write-Host -ForegroundColor Green "NO ROOTKITS DISCOVERED."
} else {
    Write-Host -ForegroundColor Red "Please check the following registry keys for possible PE data such as .exe or .sys."
    Write-Host -ForegroundColor Red ($discoveries -join "`n")
}
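Added example, not part of the gist: the "MZ" test above reports any binary value that happens to begin with those two bytes. Following the DOS header's e_lfanew field to the "PE\0\0" signature and reading the optional header's Subsystem field (1 = IMAGE_SUBSYSTEM_NATIVE, which kernel drivers use) cuts false positives and tells a responder whether a hit is a kernel-mode image. The function names and the constructed sample bytes are assumptions of this example.

```powershell
# Added example (not part of thomjs's gist). Validates that a REG_BINARY value really is a
# PE image and reports whether it is a native-subsystem (driver-style) image.
function Test-EmbeddedPEImage {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $result = [ordered]@{ IsPE = $false; Machine = $null; Subsystem = $null; IsNative = $false }
    # DOS header: "MZ" magic at 0, e_lfanew (offset of the PE signature) at 0x3C
    if ($Bytes.Length -lt 0x40 -or $Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) { return [pscustomobject]$result }
    $peOffset = [BitConverter]::ToInt32($Bytes, 0x3C)
    # Need room for the signature (4), IMAGE_FILE_HEADER (20) and Subsystem at optional-header offset 0x44
    if ($peOffset -lt 0x40 -or ($peOffset + 24 + 0x46) -gt $Bytes.Length) { return [pscustomobject]$result }
    if ([BitConverter]::ToUInt32($Bytes, $peOffset) -ne 0x00004550) { return [pscustomobject]$result } # "PE\0\0"
    $result.IsPE      = $true
    $result.Machine   = '0x{0:X4}' -f [BitConverter]::ToUInt16($Bytes, $peOffset + 4)
    $result.Subsystem = [BitConverter]::ToUInt16($Bytes, $peOffset + 24 + 0x44)
    $result.IsNative  = ($result.Subsystem -eq 1)   # IMAGE_SUBSYSTEM_NATIVE: what .sys drivers use
    return [pscustomobject]$result
}

# Scan every REG_BINARY value under a key (optionally recursing) and emit one record per PE image found
function Find-RegistryPEValues {
    param([Parameter(Mandatory)][string]$Path, [switch]$Recurse)
    $keys = @(Get-Item $Path -ErrorAction Ignore)
    if ($Recurse) { $keys += Get-ChildItem $Path -Recurse -ErrorAction Ignore }
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            if ($key.GetValueKind($name) -ne 'Binary') { continue }
            $pe = Test-EmbeddedPEImage -Bytes $key.GetValue($name)
            if ($pe.IsPE) {
                [pscustomobject]@{ Key = $key.Name; Value = $name; Machine = $pe.Machine; NativeSubsystem = $pe.IsNative }
            }
        }
    }
}

# Constructed sample (not a real driver): a minimal PE32+ header with Subsystem = NATIVE
$sample = New-Object byte[] 0x100
$sample[0] = 0x4D; $sample[1] = 0x5A
[BitConverter]::GetBytes([int32]0x80).CopyTo($sample, 0x3C)             # e_lfanew -> 0x80
[BitConverter]::GetBytes([uint32]0x00004550).CopyTo($sample, 0x80)      # "PE\0\0"
[BitConverter]::GetBytes([uint16]0x8664).CopyTo($sample, 0x84)          # Machine = AMD64
[BitConverter]::GetBytes([uint16]1).CopyTo($sample, 0x80 + 24 + 0x44)   # Subsystem = NATIVE
Test-EmbeddedPEImage -Bytes $sample
# Constructed decoy: starts with "MZ" but has no PE signature, so the gist's heuristic would flag it
$decoy = New-Object byte[] 200
$decoy[0] = 0x4D; $decoy[1] = 0x5A
Test-EmbeddedPEImage -Bytes $decoy
# On a live host: Find-RegistryPEValues 'HKLM:\SOFTWARE\Microsoft' -Recurse
```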