3

I know that rootkits operate as part of the kernel, a driver, or a service running on the system, injecting themselves into DLLs or installing themselves as legitimate applications.

If I were to scan the system with sigverif.exe, would the files injected with the rootkit have broken signatures?

Gareth
  • 19,080
Dean
  • 359

1 Answer

4

Unlikely. Most rootkits hide themselves so that any access with the standard Win32 APIs would display the original file (if it was patched) and ignore any extra files/services added by the rootkit.

Also, sigverif only verifies files it knows to be signed – any additional files would simply be ignored.

RootkitRevealer is a more reliable tool. Some really nasty rootkits are only visible when comparing an online and an offline scan (for example, from Windows itself and from a Linux CD).

grawity
  • 501,077
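The online-versus-offline comparison the answer recommends is a "cross-view" check: the same volume is listed once through the running OS's file APIs and once with the OS not running, and any entry the online view omits or reports differently is a candidate for something filtering those APIs. The script below is an added example of that comparison, not code from the original post or from RootkitRevealer; the two snapshots, their hashes and the volatile-file list are constructed, and the case-folding path normalization is an assumption about NTFS behaviour.

```python
"""Cross-view comparison of an online and an offline file snapshot.

online  : paths and content hashes as reported by the running OS's file APIs
offline : the same tree read with the OS not running (disk mounted elsewhere)
A rootkit that filters API results can hide files or return the original bytes
of a patched file in the online view, but it cannot touch the offline view.
All snapshot data here is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

Snapshot = Dict[str, str]  # normalized path -> hex digest of file contents


@dataclass(frozen=True)
class Finding:
    kind: str    # "hidden", "modified" or "online_only"
    path: str
    detail: str


def normalize(path: str) -> str:
    """Fold case and separators so both views name files the same way.
    Assumption: NTFS is case-insensitive and both tools may differ in slashes."""
    return path.replace("\\", "/").lower()


def cross_view_diff(online: Snapshot, offline: Snapshot,
                    volatile: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Return discrepancies between the two views, ignoring volatile paths.

    Files the OS legitimately rewrites between scans (page file, logs) would
    otherwise show up as "modified"; they are excluded via `volatile`.
    """
    on = {normalize(p): h for p, h in online.items()}
    off = {normalize(p): h for p, h in offline.items()}
    skip = {normalize(p) for p in volatile}
    findings: List[Finding] = []
    for path in sorted(set(on) | set(off)):
        if path in skip:
            continue
        if path in off and path not in on:
            # Present on disk but absent from the API listing: classic concealment.
            findings.append(Finding("hidden", path, "present offline, absent online"))
        elif path in on and path not in off:
            # Could be a file created after the offline scan; lower confidence.
            findings.append(Finding("online_only", path, "present online, absent offline"))
        elif on[path] != off[path]:
            # API returns different bytes than are on disk: patched file being masked.
            findings.append(Finding("modified", path,
                                    f"online {on[path]} != offline {off[path]}"))
    return findings


# Constructed snapshots: hashes are placeholders, not real file digests.
ONLINE_VIEW: Snapshot = {
    r"C:\Windows\System32\ntdll.dll": "aaa111",
    r"C:\Windows\System32\drivers\tcpip.sys": "bbb222",   # API shows original bytes
    r"C:\pagefile.sys": "pf0001",
}
OFFLINE_VIEW: Snapshot = {
    "c:/windows/system32/ntdll.dll": "aaa111",
    "c:/windows/system32/drivers/tcpip.sys": "ccc333",    # patched copy on disk
    "c:/windows/system32/drivers/hidden.sys": "ddd444",   # never listed online
    "c:/pagefile.sys": "pf0002",                          # expected to change
}
VOLATILE: FrozenSet[str] = frozenset({r"C:\pagefile.sys"})


if __name__ == "__main__":
    for f in cross_view_diff(ONLINE_VIEW, OFFLINE_VIEW, VOLATILE):
        print(f"{f.kind:12} {f.path}  ({f.detail})")
```

On a real system the offline snapshot has to be taken with the suspect OS not running, which is why the answer mentions booting a Linux CD; a snapshot taken by a second tool inside the same running Windows only adds value if that tool bypasses the Win32 file APIs the rootkit hooks. Keep the volatile list short and explicit so that a "modified" finding on a system binary is never silently discounted.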