
Thread: Kernel Detective - new security & analysis tool

  1. #1

    Kernel Detective - new security & analysis tool

    Kernel Detective is a free tool that helps you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you direct access to the kernel, so it's not oriented towards newbies. Changing essential kernel-mode objects without enough knowledge will lead you to only one result, BSOD!!

    Supported NT versions: XP (SP1, SP2, SP3) - Vista Ultimate build 6000


    With Kernel Detective you can:

    Enumerate running processes and print important values like Process Id, Parent Process Id, ImageBase, EntryPoint, VirtualSize, PEB block address and EPROCESS block address. Kernel Detective also has special scan methods for detecting hidden processes.

    Enumerate a specific running process's Dynamic-Link Libraries. Also show every DLL's ImageBase, EntryPoint, Size and Path.

    Enumerate loaded kernel-mode drivers and show every driver ImageBase, EntryPoint, Size, Name and Path. Also it has special methods for detecting hidden drivers.

    Scan the system service table (SSDT) and show every service function address and the real function address. You can restore single service function address or restore the whole table.

    Scan the shadow system service table (Shadow SSDT) and show every shadow service function address and the real function address. You can restore a single shadow service function address or restore the whole table.

    Scan the interrupts table (IDT) and show every interrupt handler offset, selector, type, attributes and real handler offset. This is applied to every processor on multi-processor machines.

    Scan the important system kernel modules, detect the modifications in their bodies and analyze them. For now it can detect and restore inline code modifications, EAT and IAT hooks. I'm looking at other types of hooks for the next releases of Kernel Detective.

    A nice disassembler relying on the OllyDbg disasm engine; thanks Oleh Yuschuk for publishing the source code of your nice disasm engine. With it you can disassemble, assemble and hex edit the virtual memory of a specific process or even the kernel space memory. Kernel Detective uses its own Read/Write routines from kernel-mode and doesn't rely on any Windows API. That makes Kernel Detective able to R/W processes' VM even if NtReadProcessMemory/NtWriteProcessMemory is hooked, and also bypasses the hooks on other important kernel-mode routines like KeStackAttachProcess and KeAttachProcess.

    Show the messages sent by drivers to the kernel debugger, just like Dbgview by Mark Russinovich. It does this by hooking interrupt 0x2d, which is responsible for outputting debug messages. Hooking interrupts may cause problems on some machines, so DebugView is turned off by default; to turn it on you must run Kernel Detective with the "-debugv" parameter.

    Coded by GamingMasteR -AT4RE

    Download

    http://www.at4re.com/tools/Releases/GamingMasteR/Kernel_Detective_v1.0.zip
    Last edited by GamingMasteR; September 2nd, 2008 at 16:28.
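    The SSDT scan-and-restore described in the post, as an added example that is not part of the original post or of Kernel Detective's code: the live table is compared against the "real" addresses taken from the on-disk ntoskrnl image, an entry is flagged if it differs or points outside the ntoskrnl image, and single entries or the whole table can be restored. All addresses, the module range and the service count are constructed, not real.

```c
#include <stdint.h>

/* Added example, not Kernel Detective's own code: the SSDT scan/restore logic
 * the post describes, run on constructed data. A 32-bit kernel is assumed
 * (XP/Vista targets), so each service entry is a 32-bit address. */
#define NUM_SERVICES 6
/* Constructed ntoskrnl image range (not real values). */
static const uint32_t NTOS_BASE = 0x804D7000u;
static const uint32_t NTOS_SIZE = 0x001F5000u;

/* "Real" addresses: KiServiceTable as read from the on-disk ntoskrnl image and
 * relocated to NTOS_BASE (constructed values). */
static const uint32_t real_ssdt[NUM_SERVICES] = {
    0x805B1E7Au, 0x805C2F10u, 0x80578E24u, 0x805A0C3Cu, 0x8060D2A0u, 0x80594B18u };

/* Live KeServiceDescriptorTable snapshot: entries 3 and 5 have been redirected
 * into a third-party driver image (constructed). */
static uint32_t live_ssdt[NUM_SERVICES] = {
    0x805B1E7Au, 0x805C2F10u, 0x80578E24u, 0xF8A1C460u, 0x8060D2A0u, 0xF8A1C9B0u };

typedef struct { int index; uint32_t current; uint32_t real; } ssdt_hook;

/* Scan: an entry is reported if it differs from the real address or points
 * outside the ntoskrnl image. Returns the number of hooked entries. */
int scan_ssdt(const uint32_t *table, const uint32_t *real, int n,
              uint32_t base, uint32_t size, ssdt_hook *out, int max_out)
{
    int found = 0;
    for (int i = 0; i < n; i++) {
        int outside = table[i] < base || table[i] >= base + size;
        if (table[i] == real[i] && !outside)
            continue;
        if (found < max_out)
            out[found] = (ssdt_hook){ i, table[i], real[i] };
        found++;
    }
    return found;
}

/* Restore a single entry (index >= 0) or the whole table (index < 0);
 * returns how many entries were rewritten. */
int restore_ssdt(uint32_t *table, const uint32_t *real, int n, int index)
{
    int changed = 0;
    for (int i = 0; i < n; i++) {
        if (index >= 0 && i != index) continue;
        if (table[i] != real[i]) { table[i] = real[i]; changed++; }
    }
    return changed;
}
```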

  2. #2
    Camus SoNiCo
    Guest
    I ran this and it hangs without showing anything. Process Explorer claims it's stopped inside createThread. Any ideas on how to kill this or resurrect it?

    Thanks
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    Seems like the execution is stuck in an endless-loop in kernel-mode after calling the driver via DeviceIoControl.
    I think you must reset.

    Sorry for that

  4. #4
    dELTA (Administrator)
    Very nice tool (I'm sure any possible bugs can be cleaned out too), and thanks for adding it to the CRCETL.

    http://www.woodmann.com/collaborative/tools/index.php/Kernel_Detective
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  5. #5


    Kernel Detective v1.1

    -Added : Hidden Handles Detection, show every handle's object name and address + ability to close the handle.
    -Improved : Processes Detection, new undocumented algorithms implemented.
    -Improved : Drivers Detection, undocumented algorithms implemented.
    -Improved : SSDT Hooks Detection, detection algorithm improved to bypass KeServiceDescriptorTable EAT/IAT hooks.
    -Improved : User-space memory reader/writer and symbols decoder.
    -Improved : Application GUI.
    -Fixed : BSoD while driver initializing and most known bugs in version 1.0.

    Download Link:
    http://www.at4re.com/files/Tools/Releases/GamingMasteR/Kernel_Detective_v1.1.zip


    CRCETL entry updated.

  6. #6
    Thanks for the update and for updating the CRCETL!

    Regards,
    JMI

  7. #7
    Is the information on how you get the real SSDT addresses public?

  8. #8
    There are a lot of public open-source samples; take a look at this one:
    http://oss.coresecurity.com/projects/sdtcleaner.html

  9. #9
    Kayaker
    You might look here too for similar source code

    http://www.security.org.sg/code/

  10. #10
    GamingMasteR:

    We really don't need special colored type for your entries.

    Regards,
    JMI

  11. #11
    @JMI:
    I'm just used to posting in that color, sorry for that.

  12. #12
    ownerscu
    Guest
    Is it better than RkU? Thanks for sharing!

  13. #13
    Registered User
    Hi,

    Really a nice useful tool man!

    But it crashes on VMware when the System Service Table Shadow is selected.

    Regards,
    Giuseppe 'Evilcry' Bonfa'

    http://evilcry.netsons.org (Repository)
    http://evilcodecave.blogspot.com
    http://evilcodecave.wordpress.com

  14. #14

    your tools~~~

    I downloaded your tool.
    The program is very powerful and strong.
    Thanks to all my friends..
    bye~~~

  15. #15
    evaluator

    some fun..

    a countryman: bye!!!!!!!!!

    @evilcry: you discovered "yet another way to crash VMware"!?
    with author's CollaBoraTion,

    @JMI: no more blue!!
