Tuluka is an advanced portable antirootkit application that can quickly check your system for hidden objects and other potential signs of stealthy malware.

The program has a straightforward tabbed interface that makes it generally simple to use. You can just click a tab like Processes, Drivers or Devices to see what Tuluka might have discovered, or click Full Report > Generate Report to view everything in a single window.

You do have to be careful how you interpret Tuluka's scans, though. On our test system, for instance, it highlighted several drivers as "suspicious". But this was only because they had IRP hooks, which wasn't surprising at all. So you'll need to carefully evaluate every highlighted object to see how suspicious it really is.

Fortunately there is plenty of help on offer, with the program able to detect SSDT, IDT and SYSTENTER hooks, suspect GDT descriptors, and hidden processes, drivers, devices and other objects. It can disassemble interrupt handlers, services, the start routines of system threads, and so on. And if you spot a dubious process then you can dump it to disk for further analysis, or terminate it immediately.

While the simple interface means all this functionality is very easy to access, there are no other concessions to beginners here. So if you're not sure what an IRP is, or why you should care about system hooks, then Tuluka probably isn't for you: there's no help file, and it's assumed that you already have a good low-level knowledge of how Windows works.