Hello friends, i started coding this tool 5 months ago and here's the 1st release.
Kernel Detective is a free tool that help you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you the access to the kernel directly so it's not oriented for newbies. Changing essential kernel-mode objects without enough knowledge will lead you to only one result, BSOD
Everything is done from kernel-mode.
With Kernel Detective you can:
Enumerate running processes and print important values like Process Id, Parent Process Id, ImageBase, EntryPoint, VirtualSize, PEB block address and EPROCESS block address. Kernel Detective also has special scan methods for detecting hidden processes
Enumerate a specific running processe Dynamic-Link Libraries. Also show every Dll ImageBase, EntryPoint, Size and Path .
Enumerate loaded kernel-mode drivers and show every driver ImageBase, EntryPoint, Size, Name and Path. Also it has special methods for detecting hidden drivers.
Scan the system service table (SSDT) and show every service function address and the real function address. You can restore single service function address or restore the whole table.
Scan the shadow system service table (Shadow SSDT) and show every shadow service function address and the real function address. You can restore single shadow service function address or restore the whole table
Scan the interrupts table (IDT) and show every interrupt handler offset, selector, type, Attributes and real handler offset. This is applied to every processor in a multi-processors machines.
Scan the important system kernel modules, detect the modifications in it's body and analyze it. For now it can detect and restore inline code modifications, EAT and IAT hooks. I'm looking for more other types of hooks next releases of Kernel Detective.
A nice disassembler rely on OllyDbg disasm engine, thanks Oleh Yuschuk for publishing the source code of your nice disasm engine . With it you can disassemble, assemble and hex edit virtual memory of a specific process or even the kernel space memory. Kernel Detective use it's own Read/Write routines from kernel-mode and doesn't rely on any windows API. That make Kernel Detective able to R/W processes VM even if NtReadProcessMemory/NtWriteProcessMemory is hooked, also bypass the hooks on other kernel-mode important routines like KeStackAttachProcess and KeAttachProcess
Show the messages sent by drivers to the kernel debugger just like Dbgview by Mark Russinovich. It's doing this by hooking interrupt 0x2d wich is responsible for outputing debug messages. Hooking interrupts may cause problems on some machines so DebugView is turned off by default, to turn it on you must run Kernel Detective with "-debugv" parameter.
发表于 2009-3-18 09:33
发表于 2009-3-18 11:12
