Hmily posted on 2009-6-21 09:58

Kernel Detective v1.3 by GamingMaster/AT4RE

Kernel Detective is a free tool that helps you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you access to the kernel directly, so it is not oriented toward newbies. Changing essential kernel-mode objects without enough knowledge will lead you to only one result: BSOD.
Everything is done from kernel-mode.
With Kernel Detective you can:
Enumerate running processes and print important values like Process Id, Parent Process Id, ImageBase, EntryPoint, VirtualSize, PEB block address and EPROCESS block address. Kernel Detective also has special scan methods for detecting hidden processes.
Enumerate a specific running process's DLLs. Also show every DLL's ImageBase, EntryPoint, Size and Path.
Enumerate loaded kernel-mode drivers and show every driver's ImageBase, EntryPoint, Size, Name and Path. It also has special methods for detecting hidden drivers.
Scan the system service table (SSDT) and show every service function address and the real function address. You can restore a single service function address or restore the whole table.
Scan the shadow system service table (Shadow SSDT) and show every shadow service function address and the real function address. You can restore a single shadow service function address or restore the whole table.
Scan the interrupt table (IDT) and show every interrupt handler's offset, selector, type, attributes and real handler offset. This is applied to every processor on a multi-processor machine.
Scan the important system kernel modules, detect modifications in their bodies and analyze them. For now it can detect and restore inline code modifications, EAT and IAT hooks. I'm looking for more types of hooks.


What's new in v1.3.0 :
[+] Support for Vista SP2
[+] Suspend/Resume Process/Thread
[+] Force Resume Process/Thread
[+] Unloaded drivers viewer
[+] Object Types viewer
[+] Timer Objects viewer
[+] Kernel Notification Callbacks viewer (Process/Thread/Image/Registry)
[+] Added simple hex viewer with the disassembler
[+] Force Delete files (even files in use)
[+] File Signature Verifying
[+] Ability to save list contents
Improved Hidden Drivers Detection
Improved disassembler coloring
[!] Fixed annoying problem with listview sorting and refreshing
[!] Fixed known minor bugs in v1.2.1


Download Link: http://www.at4re.com/files/Tools/Releases/GamingMasteR/KERNEL_DETECTIVE_V1.3.0.ZIP
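The SSDT comparison, restore and inline-hook checks that the feature list above describes, as an added example that is not part of the original post or of Kernel Detective's own code. The module map, table addresses and the JMP-patched prologue bytes are constructed sample values; a real scan would read the live table from kernel memory and the clean addresses from the on-disk ntoskrnl image.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    """A loaded kernel module as a name plus its in-memory address range."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def module_for(addr: int, modules) -> str:
    """Name of the loaded module owning addr, or '<unknown>' (hidden/unlisted code)."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return "<unknown>"


def scan_ssdt(live, clean, modules):
    """Compare the live service table with a clean copy of the same table.
    Returns (index, live_addr, real_addr, owner_of_live_addr) for every
    entry that no longer points at its real function; a target outside the
    kernel image, or in no listed module at all, is the classic hook sign."""
    return [(i, cur, real, module_for(cur, modules))
            for i, (cur, real) in enumerate(zip(live, clean)) if cur != real]


def restore_ssdt(live, clean, indexes=None):
    """Copy of the live table with the chosen entries (default: all) restored."""
    fixed = list(live)
    for i in (range(len(clean)) if indexes is None else indexes):
        fixed[i] = clean[i]
    return fixed


def inline_jmp_target(func_addr: int, prologue: bytes):
    """Detect a rel32 JMP (E9 xx xx xx xx) written over a function prologue and
    return its absolute target, or None if the first instruction is not a JMP."""
    if len(prologue) < 5 or prologue[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", prologue, 1)[0]
    return (func_addr + 5 + rel) & 0xFFFFFFFF


# Constructed sample data (32-bit style addresses, not real Windows values).
MODULES = [Module("ntoskrnl.exe", 0x80400000, 0x00200000),
           Module("rootkit.sys", 0x9A000000, 0x00004000)]
CLEAN = [0x80501000, 0x80502000, 0x80503000, 0x80504000]
LIVE = [0x80501000, 0x9A001230, 0x80503000, 0xB0000000]  # two redirected entries
```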

1e3e posted on 2009-7-21 23:22

Thanks, supporting this.

Hmily posted on 2009-8-14 15:54

Title: 【Original】【Download】【Share】Kernel Detective v1.3.0 fully localized Chinese edition
Author: netprodiag
Time: 2009-08-13, 21:56
Link: http://bbs.pediy.com/showthread.php?t=95707

Yesterday, while releasing my localized version of SuperSpeed Ramdisk, I saw that someone in this forum section had posted the English original v1.2 of this software. At first I had no idea what the software was for, but after a quick look at its name I got interested, so last night I downloaded it and ran it for a look around. It seemed good, so I decided to localize it. Since it was already late last night and I had to work today, I didn't dare stay up to do the translation. This morning I translated it while working and finished everything. After lunch I started testing the localization in the environments available to me and ran into no bugs caused by it. I was about to post it when I accidentally clicked the software's link to the official site; since I was there anyway, of course I checked whether a newer version was out. Alas! Good news and bad news: the good news is that the hard work of localizing finally bore fruit; the bad news is that before I could even post it, a new version had appeared, which would cost more time. In the evening I went ahead and localized Readme.txt as well, to see what the author had to say. Still, I never feel at ease using this software: although the author states clearly that Extended Scan (Risky) carries risk, sometimes Normal Scan causes a blue screen crash all the same. v1.3 adds some features over 1.2 and gives the interface major "surgery"; overall it is much better than the previous version. The downside is that it starts much more slowly than 1.2; whether the loaded driver or something else is the cause, I don't know yet.
New features in 1.3:
1. Support for Vista SP2;
2. New "Suspend/Resume Process/Thread" function;
3. New "Force Resume Process/Thread" function;
4. New "Unloaded drivers viewer";
5. Object Types viewer;
6. Timer Objects viewer;
7. Kernel Notification Callbacks viewer (Process/Thread/Image/Registry);
8. A simple hex viewer added to the disassembler;
9. Force delete files (even files in use);
10. File signature verification;
11. Ability to save list contents.

The archive also contains the English original, to make it easy to test whether a problem is caused by the localization.

玩的就是技术 posted on 2009-10-14 23:14

Thanks to the OP for sharing.

hixiaosheng posted on 2010-6-13 21:34

Downloaded both to compare them.

我不再是羔羊 posted on 2012-1-1 16:42

This tool is useful.

3786785 posted on 2012-5-25 21:18

dd tick-tock tick-tock tick-tock

mlwy posted on 2013-8-10 23:19

This one has to be supported~

hakusyokou posted on 2014-5-13 11:58

It's all English, I can't understand it, and online translation changes the meaning.