I finished checking the RAM with Volatility and… I found nothing. Nada.
It’s a lot of fustration. There must be something just there, but my findings are certainly limited by my skills.
I attach here some of the main outputs of Volatility. As far as I can tell:
- no evidence of injection or kernel hooking
- no suspicious process
- no suspicious driver
- no suspicious registry entry
- etc.
Based on my observations, I first tried to narrow my investigations (drivers and hooks) but as I could not find anything, I ended dumping most of Volatility outputs in hope to see something unusual. I also compared them with a fresh Windows XP SP3 install. I extracted keyboard related drivers (keyboard.sys, kbdclass.sys, i8042prt.sys), hashed them, scanned them: there were native. I am less sure on how to deal with the software certificate system, but I did checked all Microsoft and root certificates in the bank along with their signature with a clean system: nothing wrong.
Dear reader, any help or tip is welcomed! Am I missing something obvious? Could it be possibly not a rootkit but some kind of corruption? If so, how to detect it?
Just drop me an e-mail if you want to have a look on the dump itself.
Volatility outputs: