From Collaborative RCE Tool Library

Jump to: navigation, search

Kernel Tools


Tool name: Kernel Detective
Rating: 5.0 (3 votes)
Author: GamingMaster -AT4RE                        
Website: http://www.at4re.com
Current version: 1.4.1
Last updated: December 10, 2010
Direct D/L link: Locally archived copy
License type: Free
Description: Kernel Detective is a free tool that help you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you the access to the kernel directly so it's not oriented for newbies. Changing essential kernel-mode objects without enough knowledge will lead you to only one result ... BSoD !

Supported NT versions :
XP/Vista/Server 2008/SEVEN


Kernel Detective gives you the ability to :
1- Detect Hidden Processes.
3- Detect Hidden Threads.
2- Detect Hidden DLLs.
3- Detect Hidden Handles.
4- Detect Hidden Driver.
5- Detect Hooked SSDT.
6- Detect Hooked Shadow SSDT.
7- Detect Hooked IDT.
8- Detect Kernel-mode code modifications and hooks.
9- Disassemble (Read/Write) Kernel-mode/User-mode memory.
10- Monitor debug output on your system.


Enumerate running processes and print important values like Process Id, Parent Process Id, ImageBase, EntryPoint, VirtualSize, PEB block address and EPROCESS block address. Special undocumented detection algorithms were implemented to detect hidden processes.

Detect hidden and suspicious threads in system and allow user to forcely terminate them .

Enumerate a specific running process Dynamic-Link Libraries and show every Dll ImageBase, EntryPoint, Size and Path. You can also inject or free specific module.

Enumerate a specific running process opened handles, show every handle's object name and address and give you the ability to close the handle.

Enumerate loaded kernel-mode drivers and show every driver ImageBase, EntryPoint, Size, Name and Path. Undocumented detection algorithms were implemented to detect hidden drivers.

Scan the system service table (SSDT) and show every service function address and the real function address, detection algorithm improved to bypass KeServiceDescriptorTable EAT/IAT hooks.You can restore single service function address or restore the whole table.

Scan the shadow system service table (Shadow SSDT) and show every shadow service function address and the real function address. You can restore single shadow service function address or restore the whole table

Scan the interrupts table (IDT) and show every interrupt handler offset, selector, type, Attributes and real handler offset. This is applied to every processor in a multi-processors machines.

Scan the important system kernel modules, detect the modifications in it's body and analyze it. For now it can detect and restore inline code modifications, EAT and IAT hooks. I'm looking for more other types of hooks next releases of Kernel Detective.

A nice disassembler rely on OllyDbg disasm engine, thanks Oleh Yuschuk for publishing your nice disasm engine .With it you can disassemble, assemble and hex edit virtual memory of a specific process or even the kernel space memory. Kernel Detective use it's own Read/Write routines from kernel-mode and doesn't rely on any windows API. That make Kernel Detective able to R/W processes VM even if NtReadProcessMemory/NtWriteProcessMemory is hooked, also bypass the hooks on other kernel-mode important routines like KeStackAttachProcess and KeAttachProcess.

Show the messages sent by drivers to the kernel debugger just like Dbgview by Mark Russinovich. It's doing this by hooking interrupt 0x2d wich is responsible for outputing debug messages. Hooking interrupts may cause problems on some machines so DebugView is turned off by default, to turn it on you must run Kernel Detective with "-debugv" parameter.
Also listed in: Hook Detection Tools, Kernel Hook Detection Tools, Malware Analysis Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Memoryze
Rating: 4.0 (1 vote)
Author: Mandiant                        
Website: http://www.mandiant.com/software/memoryze.htm
Current version:
Last updated:
Direct D/L link: N/A
License type: Free
Description: MANDIANT Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems can include the paging file in its analysis.

MANDIANT Memoryze can:

* image the full range of system memory (not reliant on API calls).
* image a process’ entire address space to disk. This includes a process’ loaded DLLs, EXEs, heaps, and stacks.
* image a specified driver or all drivers loaded in memory to disk.
* enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:
o report all open handles in a process (for example, all files, registry keys, etc.).
o list the virtual address space of a given process including:
+ displaying all loaded DLLs.
+ displaying all allocated portions of the heap and execution stack.
o list all network sockets that the process has open, including any hidden by rootkits.
o output all strings in memory on a per process basis.
* identify all drivers loaded in memory, including those hidden by rootkits.
* report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
* identify all loaded kernel modules by walking a linked list.
* identify hooks (often used by rootkits) in the System Call Table, the Interrupt Descriptor Tables (IDTs), and driver function tables (IRP tables).

MANDIANT Memoryze can perform all these functions on live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools.
Also listed in: Kernel Hook Detection Tools, Memory Dumpers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Native NT Toolkit
Rating: 4.0 (1 vote)
Author: Alex Ionescu                        
Website: http://code.google.com/p/native-nt-toolkit/
Current version:
Last updated: January 26, 2008
Direct D/L link: http://native-nt-toolkit.googlecode.com/svn/trunk/ndk/
License type: Free / Open Source
Description: Includes the entire Native Development Kit (NDK), a set of headers for building native applications for Windows NT4 all the way to Windows Server 2008.

Includes the Native Development Library (NDL), a wrapper library designed to simply development of native applications, especially console input and output.

Also includes some sample source code, such as the Native Command Line (NCLI), a command prompt clone written with the NDK and NDL to showcase some functionality of the toolkit, as well as to provide a way to boot Windows without any GUI or subsystems loaded and still be able to interact with the system.

For more info, see also:
http://www.woodmann.com/forum/showthread.php?t=11256
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: DeviceTree
Rating: 0.0 (0 votes)
Author: Mark Cariddi                        
Website: http://www.osronline.com/article.cfm?article=97
Current version: 2.19
Last updated: September 15, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: The greatest utility every written by master toolsmith and driver expert Mark Cariddi. This utility has two views: (a) one view that will show you the entire PnP enumeration tree of device objects, including relationships among objects and all the device's reported PnP characteristics, and (b) a second view that shows you the device objects created, sorted by driver name. There is nothing like this utility available anywhere else.

It will also find hidden devices/drivers, like e.g. related to rootkits!
Also listed in: System Information Extraction Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Filter Monitor
Rating: 0.0 (0 votes)
Author: Daniel Pistelli                        
Website: http://ntcore.com/filtermon.php
Current version: 1.1.0
Last updated: October 20, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: This utility can list kernel mode filters and also unregister them. Monitored filters are, for instance, registry filters, create process and thread notifications. FilterMon comes both for x64 and x86 and it should work on all Windows systems from Vista RTM to Windows 7 RTM. However, I only tested it on Windows 7 RTM on x64 and I can't guarantee that it will work on future versions of Windows as it relies heavily on system internals.

As you probably all know the Service Descriptor Table has been a playground on x86 for all sorts of things: rootkits, anti-viruses, system monitors etc. On x64 modifying the Service Descriptor Table is no longer possible, at least not without subverting the Patch Guard technology.

Thus, programs have now to rely on the filtering/notification technologies provided by Microsoft. And that's why I wrote this little utility which monitors some key filters.

Since I haven't signed the driver of my utility, you have to press F8 at boot time and then select the "Disable Driver Signature Enforcement" option. If you have a multiple boot screen like myself, then you can take your time. Otherwise you have to press F8 frenetically to not miss right moment.
Also listed in: Kernel Filter Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: GMER
Rating: 0.0 (0 votes)
Author: Przemyslaw Gmerek                        
Website: http://www.gmer.net
Current version: 1.0.15.15087
Last updated: September 15, 2009
Direct D/L link: http://www.gmer.net/gmer.zip
License type: Free
Description: GMER is an application that detects and removes rootkits .

It scans for:
* Hidden processes
* Hidden threads
* Hidden modules
* Hidden services
* Hidden files
* Hidden Alternate Data Streams
* Hidden registry keys
* Drivers hooking SSDT
* Drivers hooking IDT
* Drivers hooking IRP calls
* Inline hooks


GMER also allows to monitor the following system functions:
* Processes creating
* Drivers loading
* Libraries loading
* File functions
* Registry entries
* TCP/IP connections

GMER runs on Windows NT/W2K/XP/VISTA
Also listed in: Kernel Hook Detection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: MemMAP
Rating: 0.0 (0 votes)
Author: a_d_13                        
Website: http://www.kernelmode.info/forum/viewtopic.php?f=11&t=383
Current version: 0.1.2
Last updated: October 9, 2010
Direct D/L link: Locally archived copy
License type: Free
Description: MemMAP is a tool inspired by j00ru's KernelMAP. I've written my own version with a couple more interesting features. A list follows:

* More memory types included (kernel thread stacks and GDI objects)
* Ability to visualize the memory of a user-mode process
* Help dialog with description of memory types
* Refresh feature

When run without arguments, it will display a map of kernel memory. You can visualize a process by running "memmap -p <process id>". To refresh, press F5. To show help, press F1.

The framed area is organized such that the top-left corner is address 0x80000000, and the bottom right corner is 0xFFFFF000 (or, for user-mode processes, 0x00000000 - 0x7FFFF000). Each pixel represents one page of memory (4096 bytes).
Also listed in: System Information Extraction Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: RAIDE
Rating: 0.0 (0 votes)
Author: petersilberman                        
Website: http://www.rootkit.com/project.php?id=33
Current version: Beta 1
Last updated: August 6, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: RAIDE stands for Rootkit Analysis Identification Elimination. RAIDE is a rootkit detection/removal tool. RAIDE offers unique features like process dumping/firewall identification etc.
Also listed in: Kernel Hook Detection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Rootkit Unhooker
Rating: 0.0 (0 votes)
Author: EP_X0FF / DiabloNova                        
Website: http://www.rootkit.com/newsread.php?newsid=902
Current version: 3.8.342.554
Last updated: Sep 21, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: Rootkit Unhooker LE (RkU) is an advanced rootkit detection/removal utility, designed specially for advanced users and IT professionals. It runs under 32bit Windows 2000, Windows XP, Windows 2003 Server and Windows Vista.

The project was discontinued when it was bought up by Microsoft in November 2007.

Project continued by DiabloNova.
Last announcement:
http://www.rootkit.com/blog.php?newsid=912
Direct D/L:
http://www.rootkit.com/vault/DiabloNova/RkU3.8.342.554.rar
Also listed in: Kernel Hook Detection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: SDT Cleaner
Rating: 0.0 (0 votes)
Author: Nahuel C. Riva                        
Website: http://oss.coresecurity.com/projects/sdtcleaner.html
Current version: 1.0
Last updated:
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: SDT Cleaner is a tool that intends to clean the SSDT (system service descriptor table) from hooks.

* The SDT Cleaner allows you to clean hooks installed by Anti-Virus and Firewalls.
* This little tool (in this first release) tries to collect info from your current kernel and then switches to kernel land and if there are any hooks in SSDT, this tool will replace them with the original entries.
Also listed in: Kernel Hook Detection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: SSDT Revealer
Rating: 0.0 (0 votes)
Author: ZaiRoN                        
Website: http://zairon.wordpress.com/2007/03/20/tool-system-service-descriptor-table-revealer/
Current version: 1.0
Last updated: March 20, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: This is little tool I’ve coded some times ago. The name says it all, it reveals System Service Dispatch Table showing possible hooks over one or more functions. It was born as a part of a more complex tool, which is still unfinished.. SSDT revealer is nothing special but could come in handy.

The program has been developed under Win-XP. It should run on other OSs but I really don’t know. Again, it’s a personal program and I didn’t spend nights and nights trying to find one or more bug, when a bug occours I fix it. If you find a bug or something else, please, don’t hesitate to contact me.
Also listed in: Kernel Hook Detection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Security Research and Development Framework
Rating: 0.0 (0 votes)
Author: Amr Thabet                        
Website: http://blog.amrthabet.co.cc
Current version: v 1.00
Last updated: November 25, 2012
Direct D/L link: http://code.google.com/p/srdf
License type: GPL v.2
Description: Do you see writing a security tool in windows is hard?
Do you have a great idea but you can’t implement it?
Do you have a good malware analysis tool and you don’t need it to become a plugin in OllyDbg or IDA Pro?
So, Security Research and Development Framework is for you.


Abstract:

This is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches and ideas from the theoretical approach to the practical implementation.

This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF.

Introduction:

In the last several years, the malware black market grows widely. The statistics shows that the number of new viruses increased from 300,000 viruses to millions and millions nowadays.

The complexity of malware attacks also increased from small amateur viruses to stuxnet, duqu and flame.

The malware field is searching for new technologies and researches, searching for united community can withstand against these attacks. And that’s why SRDF

The SRDF is not and will not be developed by one person or a team. It will be developed by a big community tries to share their knowledge and tools inside this Framework

SRDF still not finished … and it will not be finished as it’s a community based framework developed by the contributors. We just begin the idea.

The SRDF is divided into 2 parts: User-Mode and Kernel-Mode. And we will describe each one in the next section.

The Features:

Before talking about SRDF Design and structure, I want to give you what you will gain from SRDF and what it could add to your project.

In User-Mode part, SRDF gives you many helpful tools … and they are:

· Assembler and Disassembler
· x86 Emulator
· Debugger
· PE Analyzer
· Process Analyzer (Loaded DLLs, Memory Maps … etc)
· MD5, SSDeep and Wildlist Scanner (YARA)
· API Hooker and Process Injection
· Backend Database, XML Serializer
· And many more

In the Kernel-Mode part, it tries to make it easy to write your own filter device driver (not with WDF and callbacks) and gives an easy, object oriented (as much as we can) development framework with these features:

· Object-oriented and easy to use development framework
· Easy IRP dispatching mechanism
· SSDT Hooker
· Layered Devices Filtering
· TDI Firewall
· File and Registry Manager
· Kernel Mode easy to use internet sockets
· Filesystem Filter

Still the Kernel-Mode in progress and many features will be added in the near future.

Source Code: http://code.google.com/p/srdf
Facebook Page: http://www.facebook.com/SecDevelop

JOIN US ... just mail me at: amr.thabet[at]student.alx.edu.eg
Also listed in: Assembler IDE Tools, Assemblers, Automated Unpackers, Debugger Libraries, Debuggers, Disassembler Libraries, Disassemblers, Driver & IRP Monitoring Tools, Exe Analyzers, Kernel Filter Monitoring Tools, Low-level Development Libraries, Malware Analysis Tools, Programming Libraries, Reverse Engineering Frameworks, X64 Disassembler Libraries, X86 Disassembler Libraries, X86 Emulators
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: System Virginity Verifier
Rating: 0.0 (0 votes)
Author: Joanna Rutkowska                        
Website: http://www.invisiblethings.org/code.html
Current version: 2.3
Last updated: February 27, 2005
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Joanna Rutswoka provides on her site (invisiblethings.org) interesting papers and tools about rootkits since a few years and is a well known contributors on the official rootkit web site.

SYSTEM VIRGINITY VERIFIER or SVV is very interesting because it checks the system for malicious hooking and also checks the integrity of code section modules directly in memory.

After the verification, SVV notifies the user with five level of infection or seriousness:


-level 0: 100% Virgin (not expected to ocuur in the wild);
-level 1: Seems ok;
-level 2: Innocent hooking detected;
-level 3: Very suspected but may be a false positive;
-level 4: compromised.

The final verdict uses a color codification from blue to deepred.
Resource: the SVV powerpoint presentation (available at invisiblethings.org).

It's important to note that many softwares can interfere with the verdict: antivirus such as Kaspersky, desktop intrusion systems which operate at a low level like AntiHook, ProcessGuard and so on.

SVV in action:

After rebooting the PC in the diagnose mode, SVV gives its first verdict:


Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:WINDOWSsystem32>svv check /m
module ntoskrnl.exe [0x804d7000 - 0x806ebf80]: 0x804db4f0 [RtlPrefetchMemoryNonTemporal()+0] 1 byte(s): exclusion filter: single byte modification
file  :c3
memory :90
verdict = 1

0x804dc032 18 byte(s): exclusion filter: KeFlushCurrentTb()
file  :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
verdict = 1

0x804dc04a 1 byte(s): exclusion filter: single byte modification
file  :c3
memory :00
verdict = 1

0x804df16a 1 byte(s): exclusion filter: single byte modification
file  :05
memory :06
verdict = 1

module ntoskrnl.exe: end of details

SYSTEM INFECTION LEVEL: 1
0 - BLUE
--> 1 - GREEN
2 - YELLOW
3 - ORANGE
4 - RED
5 - DEEPRED

Nothing suspected was detected.

Level 1/Green: this a good news for a beginning.

Now let's hook some windows APIs and let's see the new verdict:

Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:WINDOWSsystem32>svv check /m
ntoskrnl.exe (804d7000 - 806ebf80)... module ntoskrnl.exe [0x804d7000 - 0x806ebf80]:
0x804db4f0 [RtlPrefetchMemoryNonTemporal()+0] 1 byte(s): exclusion filter: single byte modification
file  :c3
memory :90
verdict = 1

0x804dc032 18 byte(s): exclusion filter: KeFlushCurrentTb()
file  :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
verdict = 1

0x804dc04a 1 byte(s): exclusion filter: single byte modification
file  :c3
memory :00
verdict = 1


0x804df16a 1 byte(s): exclusion filter: single byte modification
file  :05
memory :06
verdict = 1


0x804e72c4 [ExAllocatePoolWithQuotaTag()+0] 6 byte(s): JMPing code (jmp to: 0xbab1dbfc)
address 0xbab1dbfc is inside TRACE.SYS module [0xbab1a000-0xbab26000]
target module path: ??C:DOCUMENTS AND SETTINGSMICHELMES DOCUMENTSKAPIMON
2TRACE.SYS
file  :8b ff 55 8b ec 51
memory :ff 25 fc db b1 ba
verdict = 2

0x804eb321 [ExAllocatePoolWithTagPriority()+0] 6 byte(s): JMPing code (jmp to: 0xbab1dba4)
address 0xbab1dba4 is inside TRACE.SYS module [0xbab1a000-0xbab26000]
target module path: ??C:DOCUMENTS AND SETTINGSMICHELMES DOCUMENTSKAPIMON
2TRACE.SYS
file  :8b ff 55 8b ec 53
memory :ff 25 a4 db b1 ba
verdict = 2

module ntoskrnl.exe: end of details

SYSTEM INFECTION LEVEL: 2
0 - BLUE
1 - GREEN
--> 2 - YELLOW
3 - ORANGE
4 - RED
5 - DEEPRED

Nothing suspected was detected.
Also listed in: Kernel Hook Detection Tools, Usermode Hook Detection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)


RSS feed Feed containing all updates and additions for this category.

RSS feed Feed containing all updates and additions for this category, including sub-categories.


Subcategories

There is one subcategory to this category.





Views
Category Navigation Tree
   Needs New Category  (3)