Tool Updated: Kernel Detective

Mon, 07 Dec 2009 01:58:35 GMT

Listed in categories: Hook Detection Tools, Kernel Hook Detection Tools, Kernel Tools, Malware Analysis Tools

Most recent version:
1.3.1

Most recent release date:
December 06, 2009

Description:
Kernel Detective is a free tool that help you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you the access to the kernel directly so it's not oriented for newbies. Changing essential kernel-mode objects without enough knowledge will lead you to only one result ... BSoD !

Supported NT versions :
XP/Vista/SEVEN

Kernel Detective gives you the ability to :
1- Detect Hidden Processes.
3- Detect Hidden Threads.
2- Detect Hidden DLLs.
3- Detect Hidden Handles.
4- Detect Hidden Driver.
5- Detect Hooked SSDT.
6- Detect Hooked Shadow SSDT.
7- Detect Hooked IDT.
8- Detect Kernel-mode code modifications and hooks.
9- Disassemble (Read/Write) Kernel-mode/User-mode memory.
10- Monitor debug output on your system.

Enumerate running processes and print important values like Process Id, Parent Process Id, ImageBase, EntryPoint, VirtualSize, PEB block address and EPROCESS block address. Special undocumented detection algorithms were implemented to detect hidden processes.

Detect hidden and suspicious threads in system and allow user to forcely terminate them .

Enumerate a specific running process Dynamic-Link Libraries and show every Dll ImageBase, EntryPoint, Size and Path. You can also inject or free specific module.

Enumerate a specific running process opened handles, show every handle's object name and address and give you the ability to close the handle.

Enumerate loaded kernel-mode drivers and show every driver ImageBase, EntryPoint, Size, Name and Path. Undocumented detection algorithms were implemented to detect hidden drivers.

Scan the system service table (SSDT) and show every service function address and the real function address, detection algorithm improved to bypass KeServiceDescriptorTable EAT/IAT hooks.You can restore single service function address or restore the whole table.

Scan the shadow system service table (Shadow SSDT) and show every shadow service function address and the real function address. You can restore single shadow service function address or restore the whole table

Scan the interrupts table (IDT) and show every interrupt handler offset, selector, type, Attributes and real handler offset. This is applied to every processor in a multi-processors machines.

Scan the important system kernel modules, detect the modifications in it's body and analyze it. For now it can detect and restore inline code modifications, EAT and IAT hooks. I'm looking for more other types of hooks next releases of Kernel Detective.

A nice disassembler rely on OllyDbg disasm engine, thanks Oleh Yuschuk for publishing your nice disasm engine .With it you can disassemble, assemble and hex edit virtual memory of a specific process or even the kernel space memory. Kernel Detective use it's own Read/Write routines from kernel-mode and doesn't rely on any windows API. That make Kernel Detective able to R/W processes VM even if NtReadProcessMemory/NtWriteProcessMemory is hooked, also bypass the hooks on other kernel-mode important routines like KeStackAttachProcess and KeAttachProcess.

Show the messages sent by drivers to the kernel debugger just like Dbgview by Mark Russinovich. It's doing this by hooking interrupt 0x2d wich is responsible for outputing debug messages. Hooking interrupts may cause problems on some machines so DebugView is turned off by default, to turn it on you must run Kernel Detective with "-debugv" parameter.

Tool Updated: DeviceTree

Wed, 11 Feb 2009 17:30:54 GMT

Listed in categories: Kernel Tools, System Information Extraction Tools

Most recent version:
2.19

Most recent release date:
September 15, 2006

Description:
The greatest utility every written by master toolsmith and driver expert Mark Cariddi. This utility has two views: (a) one view that will show you the entire PnP enumeration tree of device objects, including relationships among objects and all the device's reported PnP characteristics, and (b) a second view that shows you the device objects created, sorted by driver name. There is nothing like this utility available anywhere else.

It will also find hidden devices/drivers, like e.g. related to rootkits!

Tool Added: Native NT Toolkit

Sat, 26 Jan 2008 10:22:46 GMT

Listed in categories: Kernel Tools

Most recent version:

Most recent release date:
January 26, 2008

Description:
Includes the entire Native Development Kit (NDK), a set of headers for building native applications for Windows NT4 all the way to Windows Server 2008.

Includes the Native Development Library (NDL), a wrapper library designed to simply development of native applications, especially console input and output.

Also includes some sample source code, such as the Native Command Line (NCLI), a command prompt clone written with the NDK and NDL to showcase some functionality of the toolkit, as well as to provide a way to boot Windows without any GUI or subsystems loaded and still be able to interact with the system.

For more info, see also:
http://www.woodmann.com/forum/showthread.php?t=11256

Collaborative RCE Tool Library - Kernel Tools

Tool Updated: Kernel Detective

Tool Updated: DeviceTree

Tool Added: Native NT Toolkit