إقتباس :Posted By: GamingMasteR 02-09-2008, 12:59 PM
Kernel Detective v1.0
Kernel Detective is a free tool that help you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you the access to the kernel directly so it's not oriented for newbies. Changing essential kernel-mode objects without enough knowledge will lead you to only one result, BSOD
Everything is done from kernel-mode.
With Kernel Detective you can:
Enumerate running processes and print important values like Process Id, Parent Process Id, ImageBase, EntryPoint, VirtualSize, PEB block address and EPROCESS block address. Kernel Detective also has special scan methods for detecting hidden processes
Enumerate a specific running processe DLLs. Also show every Dll ImageBase, EntryPoint, Size and Path .
Enumerate loaded kernel-mode drivers and show every driver ImageBase, EntryPoint, Size, Name and Path. Also it has special methods for detecting hidden drivers.
Scan the system service table (SSDT) and show every service function address and the real function address. You can restore single service function address or restore the whole table.
Scan the shadow system service table (Shadow SSDT) and show every shadow service function address and the real function address. You can restore single shadow service function address or restore the whole table
Scan the interrupts table (IDT) and show every interrupt handler offset, selector, type, Attributes and real handler offset. This is applied to every processor in a multi-processors machines.
Scan the important system kernel modules, detect the modifications in it's body and analyze it. For now it can detect and restore inline code modifications, EAT and IAT hooks. I'm looking for more other types of hooks next releases of Kernel Detective.
A nice disassembler rely on OllyDbg disasm engine, thanks Oleh Yuschuk for publishing the source code of your nice disasm engine . With it you can disassemble, assemble and hex edit virtual memory of a specific process or even the kernel space memory. Kernel Detective use it's own Read/Write routines from kernel-mode and doesn't rely on any windows API. That make Kernel Detective able to R/W processes VM even if NtReadProcessMemory/NtWriteProcessMemory is hooked, also bypass the hooks on other kernel-mode important routines like KeStackAttachProcess and KeAttachProcess
Show the messages sent by drivers to the kernel debugger just like Dbgview by Mark Russinovich. It's doing this by hooking interrupt 0x2d wich is responsible for outputing debug messages. Hooking interrupts may cause problems on some machines so DebugView is turned off by default, to turn it on you must run Kernel Detective with "-debugv" parameter.
Kernel Detective v1.1
Added : Hidden Handles Detection, show every handle's object name and address + ability to close the handle.
-Improved : Processes Detection, new undocumented algorithms implemented.
-Improved : Drivers Detection, undocumented algorithms implemented.
-Improved : SSDT Hooks Detection, detection algorithm improved to bypass KeServiceDescriptorTable EAT/IAT hooks.
-Improved : User-space memory reader/writer and symbols decoder.
-Improved : Application GUI.
-Fixed : BSoD while driver initializing and most known bugs in version 1.0.
Kernel Detective v1.2
Now Support Vista Service Pack 1 (Build 6001) .
[+] Added Hidden/Suspicious Threads Detection .
[+] Added Smart Process Termination Technique .
[*]Improved Handles Detection .
[*]Improved Processes Detection .
[*]Improved Drivers Detection .
[*]Improved User-mode Memory Reader On Vista .
[!] Fixed bug in IAT Hooks Detection
What's new in v1.3.0
[+] Support for Vista SP2
[+] Suspend/Resume Process/Thread
[+] Force Resume Process/Thread
[+] Unloaded drivers viewer
[+] Object Types viewer
[+] Timer Objects viewer
[+] Kernel Notification Callbacks viewer (Process/Thread/Image/Registry)
[+] Added simple hex viewer with the disassembler
[+] Force Delete files (even files in use)
[+] File Signature Verifying
[+] Ability to save list contents
[*]Improved Hidden Drivers Detection
Improved disassembler coloring
[!] Fixed annoying problem with listview sorting and refreshing
[!] Fixed known minor bugs in v1.2.1
Kernel Detective v1.3.1
[+] Support For WINDOWS SEVEN BUILD 7600
[+] Added Bugcheck(Reason) Callback Notifications Detection
[+] Added Hidden DLLs Detection
[+] Added New Features For DLLs (ZeroMemory/UnmapMemory)
[+] Added Unicode/Ascii String Reference In Disassembler Window
[+] Added Physical Memory Dumper
[+] Added Thread Stack Trace
[+] Added "Copy" and "Select all" Hot-keys (Ctrl+A Ctrl+C)
[*]Improved Files Operations (Open/Copy/Kill)
[*]Application Windows Now Have XP Visual Style
[*]Tabs Now Are Multilined
[*][!] Fixed Bug In Callbacks Detection For VISTA BUILD 600
[!] Fixed Processes Row Selection
[!] Fixed Listview Selection And Sorting Bugs
[!] Fixed Bugs In Kernel Driver Installation Process
Download Link
http://www.at4re.net/files/Tools/Releases/GamingMasteR/Kernel_Detective_v1.3.1.zip
لَّا إِلَٰهَ إِلَّا أَنتَ سُبْحَانَكَ إِنِّي كُنتُ مِنَ الظَّالِمِينْ.
عن أبي هريرة -رضي الله عنه- أن رسول الله -صلى الله عليه وسلم- كانَ يقولُ في سجودِهِ: «اللَّهُمَّ اغْفِرْ لي ذَنْبِي كُلَّهُ: دِقَّهُ وَجِلَّهُ، وَأَوَّلَهُ وَآخِرَهُ، وَعَلاَنِيَتَهُ وَسِرَّهُ».
(صحيح - رواه مسلم).
عن أبي هريرة -رضي الله عنه- أن رسول الله -صلى الله عليه وسلم- كانَ يقولُ في سجودِهِ: «اللَّهُمَّ اغْفِرْ لي ذَنْبِي كُلَّهُ: دِقَّهُ وَجِلَّهُ، وَأَوَّلَهُ وَآخِرَهُ، وَعَلاَنِيَتَهُ وَسِرَّهُ».
(صحيح - رواه مسلم).
