Kernel Detective - new security & analysis tool


GamingMasteR
09-02-2008, 05:23 PM
Kernel Detective is a free tool that helps you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you direct access to the kernel, so it is not oriented toward newbies. Changing essential kernel-mode objects without enough knowledge will lead you to only one result: BSOD!

Supported NT versions: XP (SP1, SP2, SP3) - Vista Ultimate build 6000


With Kernel Detective you can:

Enumerate running processes and print important values like Process Id, Parent Process Id, ImageBase, EntryPoint, VirtualSize, PEB block address and EPROCESS block address. Kernel Detective also has special scan methods for detecting hidden processes.

Enumerate a specific running process's Dynamic-Link Libraries. Also shows every DLL's ImageBase, EntryPoint, Size and Path.

Enumerate loaded kernel-mode drivers and show every driver's ImageBase, EntryPoint, Size, Name and Path. It also has special methods for detecting hidden drivers.

Scan the system service table (SSDT) and show every service function address and the real function address. You can restore single service function address or restore the whole table.

Scan the shadow system service table (Shadow SSDT) and show every shadow service function address and the real function address. You can restore a single shadow service function address or restore the whole table.

Scan the interrupts table (IDT) and show every interrupt handler's offset, selector, type, attributes and real handler offset. This is applied to every processor on multi-processor machines.

Scan the important system kernel modules, detect modifications in their bodies and analyze them. For now it can detect and restore inline code modifications, EAT and IAT hooks. I'm looking into other types of hooks for the next releases of Kernel Detective.

A nice disassembler relying on the OllyDbg disasm engine; thanks to Oleh Yuschuk for publishing the source code of his nice disasm engine. With it you can disassemble, assemble and hex edit the virtual memory of a specific process or even kernel space memory. Kernel Detective uses its own Read/Write routines from kernel-mode and doesn't rely on any Windows API. That makes Kernel Detective able to R/W a process's VM even if NtReadProcessMemory/NtWriteProcessMemory are hooked, and also bypasses hooks on other important kernel-mode routines like KeStackAttachProcess and KeAttachProcess.

Show the messages sent by drivers to the kernel debugger, just like DbgView by Mark Russinovich. It does this by hooking interrupt 0x2d, which is responsible for outputting debug messages. Hooking interrupts may cause problems on some machines, so DebugView is turned off by default; to turn it on you must run Kernel Detective with the "-debugv" parameter.

Coded by GamingMasteR -AT4RE

Download

http://www.at4re.com/tools/Releases/GamingMasteR/Kernel_Detective_v1.0.zip

Camus SoNiCo
09-03-2008, 11:28 AM
I ran this and it hung without showing anything. Process Explorer claims it's stopped inside CreateThread. Any ideas on how to kill this or resurrect it?

Thanks

GamingMasteR
09-03-2008, 12:16 PM
Seems like the execution is stuck in an endless loop in kernel-mode after calling the driver via DeviceIoControl.
I think you must reset.

Sorry for that

dELTA
09-19-2008, 05:11 PM
Very nice tool (I'm sure any possible bugs can be cleaned out too), and thanks for adding it to the CRCETL.

http://www.woodmann.com/collaborative/tools/index.php/Kernel_Detective

GamingMasteR
11-11-2008, 05:30 PM
Kernel Detective v1.1

-Added : Hidden Handles Detection, shows every handle's object name and address + ability to close the handle.
-Improved : Processes Detection, new undocumented algorithms implemented.
-Improved : Drivers Detection, undocumented algorithms implemented.
-Improved : SSDT Hooks Detection, detection algorithm improved to bypass KeServiceDescriptorTable EAT/IAT hooks.
-Improved : User-space memory reader/writer and symbols decoder.
-Improved : Application GUI.
-Fixed : BSoD while initializing the driver and most known bugs in version 1.0.



Download Link:
http://www.at4re.com/files/Tools/Releases/GamingMasteR/Kernel_Detective_v1.1.zip


CRCETL entry updated.

JMI
11-12-2008, 01:31 AM
Thanks for the update and for updating the CRCETL!

Regards,

Elenil
11-16-2008, 09:44 PM
Is the information on how you get the real SSDT addresses public?

GamingMasteR
11-17-2008, 09:16 AM
There are a lot of public open-source samples; take a look at this one:
http://oss.coresecurity.com/projects/sdtcleaner.html
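To make the "real function address" column from the first post and the answer above concrete, here is an added example (my own code, not Kernel Detective's or sdtcleaner's) of the comparison step of an SSDT hook scan on the 32-bit XP/Vista kernels this thread covers. It assumes the scanner has already obtained two arrays: the live KiServiceTable read out of kernel memory by a driver, and the same table read from ntoskrnl.exe on disk, whose entries are unrelocated virtual addresses based at the file's preferred ImageBase. Locating the table inside the file (via the KeServiceDescriptorTable export) is left out; all addresses and sizes below are constructed for the demo and are not real.

```c
/*
 * Added example, not Kernel Detective's or sdtcleaner's code: the comparison
 * step of an SSDT hook scan on 32-bit XP-era kernels. Inputs are (a) the live
 * KiServiceTable as read from kernel memory and (b) the table as read from
 * ntoskrnl.exe on disk (unrelocated VAs based at the file's ImageBase).
 * All numbers are constructed for the demo, not real addresses.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    size_t   index;     /* system service number (table slot) */
    uint32_t live;      /* pointer currently in the in-memory table */
    uint32_t expected;  /* pointer rebuilt from the on-disk image */
} ssdt_hook;

/* Rebase an on-disk entry: strip the file's preferred ImageBase and add the
 * base at which the kernel is actually mapped (the loader's relocation delta). */
uint32_t rebase_entry(uint32_t disk_entry, uint32_t disk_image_base, uint32_t loaded_base)
{
    return disk_entry - disk_image_base + loaded_base;
}

/* Flag a slot if the live pointer differs from the rebased on-disk value, or if
 * it points outside the loaded kernel image (a hook jumping into a third-party
 * driver). Returns the number of hooks; details go to `out` (up to max_out). */
size_t scan_ssdt(const uint32_t *live, const uint32_t *disk, size_t count,
                 uint32_t disk_image_base, uint32_t loaded_base, uint32_t loaded_size,
                 ssdt_hook *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i < count; i++) {
        uint32_t expected = rebase_entry(disk[i], disk_image_base, loaded_base);
        int in_kernel = live[i] >= loaded_base && live[i] - loaded_base < loaded_size;
        if (live[i] == expected && in_kernel)
            continue;
        if (found < max_out) {
            out[found].index = i;
            out[found].live = live[i];
            out[found].expected = expected;
        }
        found++;
    }
    return found;
}

/* "Restore single service function address": write the rebased original back.
 * In a real driver this write needs CR0.WP cleared (or an MDL mapping) because
 * the table lives in read-only pages. Returns the value written. */
uint32_t restore_entry(uint32_t *live, size_t index, uint32_t disk_entry,
                       uint32_t disk_image_base, uint32_t loaded_base)
{
    live[index] = rebase_entry(disk_entry, disk_image_base, loaded_base);
    return live[index];
}

/* Constructed sample (hypothetical values): preferred ImageBase 0x00400000 in
 * the file, kernel mapped at 0x804D7000 with size 0x200000. Slot 2 is "hooked"
 * to an address inside some other driver's range. */
#define SAMPLE_DISK_BASE   0x00400000u
#define SAMPLE_LOADED_BASE 0x804D7000u
#define SAMPLE_LOADED_SIZE 0x00200000u
#define SAMPLE_COUNT 4
const uint32_t sample_disk[SAMPLE_COUNT] = { 0x00401000u, 0x00402340u, 0x00405800u, 0x0040A120u };
uint32_t sample_live[SAMPLE_COUNT]       = { 0x804D8000u, 0x804D9340u, 0xF8A01234u, 0x804E1120u };

int main(void)
{
    ssdt_hook hooks[SAMPLE_COUNT];
    size_t n = scan_ssdt(sample_live, sample_disk, SAMPLE_COUNT,
                         SAMPLE_DISK_BASE, SAMPLE_LOADED_BASE, SAMPLE_LOADED_SIZE,
                         hooks, SAMPLE_COUNT);
    for (size_t i = 0; i < n; i++)
        printf("service %zu hooked: live 0x%08X, expected 0x%08X\n",
               hooks[i].index, hooks[i].live, hooks[i].expected);
    for (size_t i = 0; i < n; i++)
        restore_entry(sample_live, hooks[i].index, sample_disk[hooks[i].index],
                      SAMPLE_DISK_BASE, SAMPLE_LOADED_BASE);
    printf("after restore: %zu hooks\n",
           scan_ssdt(sample_live, sample_disk, SAMPLE_COUNT, SAMPLE_DISK_BASE,
                     SAMPLE_LOADED_BASE, SAMPLE_LOADED_SIZE, hooks, SAMPLE_COUNT));
    return 0;
}
```

Two caveats a practitioner should keep in mind: the "expected" value only means anything if the on-disk ntoskrnl.exe is itself clean and is the same file (same version, same hotfix level) that the running kernel was loaded from, and the check catches pointer replacement in the table only; an inline patch at the start of the real routine leaves the table intact and needs the module body scan the first post describes separately. The direct pointer comparison is also specific to 32-bit kernels; 64-bit KiServiceTable stores table-relative offsets rather than absolute addresses.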

Kayaker
11-17-2008, 05:49 PM
You might look here too for similar source code

http://www.security.org.sg/code/

JMI
11-18-2008, 12:47 AM
GamingMasteR:

We really don't need special colored type for your entries.

Regards,

GamingMasteR
11-18-2008, 07:44 AM
@JMI:
I'm just used to posting in that color, sorry for that.

ownerscu
12-06-2008, 07:09 AM
Is it better than rku? Thanks for sharing!

evilcry
12-06-2008, 07:25 AM
Hi,

Really a nice useful tool man!

But it crashes on VMware when the System Service Table Shadow is selected.

Regards,
Giuseppe 'Evilcry' Bonfa'

countryman
12-06-2008, 10:59 PM
I downloaded your tool.
Using the program, it is very powerful and strong.
Thanks to all my friends..
bye~~~

evaluator
12-07-2008, 12:36 PM
@countryman: bye!!!!!!!!!

@evilcry: you discovered "yet another way to crash VMware"!?
with author's CollaBoraTion,

@JMI: no more blue!!

GamingMasteR
12-07-2008, 09:25 PM
@evilcry:
I didn't try on VMware; some friends tried on VMware but they didn't get the same result as you.
Maybe you can send me the crash-dump file?

Thanks,
--GM

evilcry
12-08-2008, 02:33 AM
Hi GamingMasteR,

The problem should be caused by the presence of Syser (kmode debugger);
in any case I'll send you the dmp file =)

Regards,
Giuseppe 'Evilcry' Bonfa'

GamingMasteR
12-08-2008, 06:44 AM
I appreciate your help, thanks in advance.

GamingMasteR
01-20-2009, 12:54 AM
Kernel Detective v1.2


[+] Now supports Vista Service Pack 1 (Build 6001).
[+] Added Hidden/Suspicious Threads Detection.
[+] Added Smart Process Termination Technique.
[*] Improved Handles Detection.
[*] Improved Processes Detection.
[*] Improved Drivers Detection.
[*] Improved User-mode Memory Reader on Vista.
[!] Fixed bug in IAT Hooks Detection.



Download Link:
http://www.at4re.com/files/Tools/Releases/GamingMasteR/Kernel_Detective_v1.2.zip

GamingMasteR
06-20-2009, 02:36 PM
What's new in v1.3.0 :
[+] Support for Vista SP2
[+] Suspend/Resume Process/Thread
[+] Force Resume Process/Thread
[+] Unloaded drivers viewer
[+] Object Types viewer
[+] Timer Objects viewer
[+] Kernel Notification Callbacks viewer (Process/Thread/Image/Registry)
[+] Added simple hex viewer with the disassembler
[+] Force Delete files (even files in use)
[+] File Signature Verifying
[+] Ability to save list contents
[*] Improved Hidden Drivers Detection
[*] Improved disassembler coloring
[!] Fixed annoying problem with listview sorting and refreshing
[!] Fixed known minor bugs in v1.2.1



Download Link :
http://www.at4re.com/files/Tools/Releases/GamingMasteR/KERNEL_DETECTIVE_V1.3.0.ZIP


SHA-256 : 7E01B3DA8B844C45B69CE1F3615FC0350D26C56B93AFE82E2F1756A318266011

Elenil
06-20-2009, 10:58 PM
Hi GamingMasteR, I just wonder about a feature of your tool (if it is a feature).
Whether SoftICE is loaded or not, the "GUI Settings" shows a red color (only for deroko's website); the others are grayed.
Is that some kind of detection? I didn't find anything about that in the readme.

naides
06-22-2009, 08:06 AM
I get a virus alarm with your Kernel_detective exe file.

What gives?

GamingMasteR
06-22-2009, 11:37 AM
@Elenil:
YES, Deroko is a big rootkit
The color on deroko's line is a sample of a warning line's color; play a bit with the warning colors and it will change.

@naides:
It's not malicious.
Only F/Ps:
http://forum.sysinternals.com/forum_posts.asp?TID=19056&PID=100697#100697

darawk
06-22-2009, 08:56 PM
Quote (originally posted by naides):
I get a virus alarm with your Kernel_detective exe file.

What gives?


I would guess it's the presence of a driver and the APIs it uses. Any tool that accesses the system at a very low level and isn't as well known (and therefore whitelisted) will probably trigger an AV alert.