
Kernel Detective - new security & analysis tool


GamingMasteR
September 2nd, 2008, 16:23
Kernel Detective is a free tool that helps you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you access to the kernel directly, so it's not oriented towards newbies. Changing essential kernel-mode objects without enough knowledge will lead you to only one result, BSOD !!

Supported NT versions : XP(sp1-sp2-sp3) - Vista Ultimate build 6000


With Kernel Detective you can:

Enumerate running processes and print important values like Process Id, Parent Process Id, ImageBase, EntryPoint, VirtualSize, PEB block address and EPROCESS block address. Kernel Detective also has special scan methods for detecting hidden processes

Enumerate a specific running process's Dynamic-Link Libraries. Also show every DLL's ImageBase, EntryPoint, Size and Path.

Enumerate loaded kernel-mode drivers and show every driver ImageBase, EntryPoint, Size, Name and Path. Also it has special methods for detecting hidden drivers.

Scan the system service table (SSDT) and show every service function address and the real function address. You can restore single service function address or restore the whole table.

Scan the shadow system service table (Shadow SSDT) and show every shadow service function address and the real function address. You can restore single shadow service function address or restore the whole table

Scan the interrupts table (IDT) and show every interrupt handler offset, selector, type, attributes and real handler offset. This is applied to every processor on multi-processor machines.

Scan the important system kernel modules, detect the modifications in their bodies and analyze them. For now it can detect and restore inline code modifications, EAT and IAT hooks. I'm looking into other types of hooks for the next releases of Kernel Detective.

A nice disassembler relying on the OllyDbg disasm engine; thanks Oleh Yuschuk for publishing the source code of your nice disasm engine. With it you can disassemble, assemble and hex edit the virtual memory of a specific process or even kernel space memory. Kernel Detective uses its own Read/Write routines from kernel-mode and doesn't rely on any Windows API. That makes Kernel Detective able to R/W process VM even if NtReadProcessMemory/NtWriteProcessMemory is hooked, and also bypasses the hooks on other important kernel-mode routines like KeStackAttachProcess and KeAttachProcess.

Show the messages sent by drivers to the kernel debugger, just like Dbgview by Mark Russinovich. It does this by hooking interrupt 0x2d, which is responsible for outputting debug messages. Hooking interrupts may cause problems on some machines, so DebugView is turned off by default; to turn it on you must run Kernel Detective with the "-debugv" parameter.

Coded by GamingMasteR -AT4RE

Download

http://www.at4re.com/tools/Releases/GamingMasteR/Kernel_Detective_v1.0.zip
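The SSDT scan described above (and the "real SSDT addresses" question later in the thread) boils down to comparing each live service-table entry against a reference value and against the kernel image range. The following is an added example and not Kernel Detective's code: it simulates that check in user space with a constructed four-entry table, a constructed ntoskrnl image range and constructed reference addresses (a real scanner reads KeServiceDescriptorTable from kernel mode and takes its reference values from a clean copy of the kernel's table). The hooked entry, the address values and the module range are all sample data, not measurements from any system.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 32-bit NT is assumed, matching the Windows versions the tool lists. */
typedef uint32_t addr_t;

/* Image range of the kernel module, as a driver would obtain it from the
 * loaded-module list. Constructed sample value. */
typedef struct {
    addr_t base;
    addr_t size;
} module_range_t;

#define SSDT_LEN 4

/* Reference ("real") service addresses. A real scanner derives these from a
 * clean copy of ntoskrnl's table; here they are constructed. */
static const addr_t real_ssdt[SSDT_LEN] = {
    0x804E1000, 0x804E1080, 0x804E1100, 0x804E1180
};

/* Live table as it would be read from KeServiceDescriptorTable. Entry 2 is
 * constructed to point into a hypothetical third-party driver, i.e. a hook. */
static addr_t live_ssdt[SSDT_LEN] = {
    0x804E1000, 0x804E1080, 0xF8A21234, 0x804E1180
};

/* Constructed ntoskrnl range: base 0x804D7000, size 0x1F0000. */
static const module_range_t ntoskrnl = { 0x804D7000, 0x001F0000 };

static int in_module(addr_t a, const module_range_t *m)
{
    return a >= m->base && a < m->base + m->size;
}

/* Scan: an entry is reported as hooked if it leaves the kernel image or
 * differs from the reference value. Fills hooked[i] (1 = hooked) and
 * returns the number of hooked entries. */
int scan_ssdt(const addr_t *live, const addr_t *real, size_t n,
              const module_range_t *kernel, int *hooked)
{
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        hooked[i] = !in_module(live[i], kernel) || live[i] != real[i];
        count += hooked[i];
    }
    return count;
}

/* Restore a single service entry; returns the value that was overwritten. */
addr_t restore_service(addr_t *live, const addr_t *real, size_t i)
{
    addr_t old = live[i];
    live[i] = real[i];
    return old;
}

/* Restore the whole table; returns how many entries were changed. */
int restore_table(addr_t *live, const addr_t *real, size_t n)
{
    int changed = 0;
    for (size_t i = 0; i < n; i++) {
        if (live[i] != real[i]) {
            live[i] = real[i];
            changed++;
        }
    }
    return changed;
}

int main(void)
{
    int hooked[SSDT_LEN];
    int n = scan_ssdt(live_ssdt, real_ssdt, SSDT_LEN, &ntoskrnl, hooked);
    printf("%d hooked service(s)\n", n);
    for (size_t i = 0; i < SSDT_LEN; i++)
        printf("  #%zu live=%08X real=%08X %s\n", i,
               (unsigned)live_ssdt[i], (unsigned)real_ssdt[i],
               hooked[i] ? "HOOKED" : "ok");
    printf("restored %d entries\n",
           restore_table(live_ssdt, real_ssdt, SSDT_LEN));
    return 0;
}
```

The range check alone catches hooks that jump into another driver; the comparison against the reference table additionally catches an entry redirected to a different location inside the kernel image itself, which is why a scanner needs a trustworthy reference rather than only the module bounds.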

Camus SoNiCo
September 3rd, 2008, 10:28
I ran this and it hung without showing anything. Process Explorer claims it's stopped inside CreateThread. Any ideas on how to kill this or resurrect it?

Thanks

GamingMasteR
September 3rd, 2008, 11:16
Seems like the execution is stuck in an endless-loop in kernel-mode after calling the driver via DeviceIoControl.
I think you must reset.

Sorry for that

dELTA
September 19th, 2008, 16:11
Very nice tool (I'm sure any possible bugs can be cleaned out too), and thanks for adding it to the CRCETL.

http://www.woodmann.com/collaborative/tools/Kernel_Detective

GamingMasteR
November 11th, 2008, 17:30
Kernel Detective v1.1

Quote:
-Added : Hidden Handles Detection, show every handle's object name and address + ability to close the handle.
-Improved : Processes Detection, new undocumented algorithms implemented.
-Improved : Drivers Detection, undocumented algorithms implemented.
-Improved : SSDT Hooks Detection, detection algorithm improved to bypass KeServiceDescriptorTable EAT/IAT hooks.
-Improved : User-space memory reader/writer and symbols decoder.
-Improved : Application GUI.
-Fixed : BSoD while driver initializing and most known bugs in version 1.0.



Download Link:
http://www.at4re.com/files/Tools/Releases/GamingMasteR/Kernel_Detective_v1.1.zip


CRCETL entry updated.

JMI
November 12th, 2008, 01:31
Thanks for the update and for updating the CRCETL!

Regards,

Elenil
November 16th, 2008, 21:44
Is the information on how you get the real SSDT addresses public?

GamingMasteR
November 17th, 2008, 09:16
There are a lot of public open-source samples; take a look at this one:
http://oss.coresecurity.com/projects/sdtcleaner.html

Kayaker
November 17th, 2008, 17:49
You might look here too for similar source code

http://www.security.org.sg/code/

JMI
November 18th, 2008, 00:47
GamingMasteR:

We really don't need special colored type for your entries.

Regards,

GamingMasteR
November 18th, 2008, 07:44
@JMI:
I'm just used to posting in that color, sorry for that.

ownerscu
December 6th, 2008, 07:09
Is it better than rku? Thanks for sharing!

evilcry
December 6th, 2008, 07:25
Hi,

Really a nice useful tool man!

But it crashes on VMWare when the System Service Table Shadow is selected.

Regards,
Giuseppe 'Evilcry' Bonfa'

countryman
December 6th, 2008, 22:59
I downloaded your tool.
The program is very powerful and strong.
Thanks to all my friends..
bye~~~

evaluator
December 7th, 2008, 12:36
a countryman: bye!!!!!!!!!

a evilcry: you discovered "yet another way to crash VMWare"!?
with author's CollaBoraTion,

a JMI: no more blue!!

GamingMasteR
December 7th, 2008, 21:25
@evilcry:
I didn't try it on VMWare; some friends tried it on VMWare but they didn't get the same result as yours.
Maybe you can send me the crash-dump file?

Thanks,
--GM

evilcry
December 8th, 2008, 02:33
Hi GamingMasteR,

The problem should be caused by the presence of Syses (kmode debugger);
in any case I'll send you the dmp file =)

Regards,
Giuseppe 'Evilcry' Bonfa'

GamingMasteR
December 8th, 2008, 06:44
I appreciate your help, thanks in advance .

GamingMasteR
January 20th, 2009, 00:54
Kernel Detective v1.2


Quote:
[+] Now Support Vista Service Pack 1 (Build 6001).
[+] Added Hidden/Suspicious Threads Detection.
[+] Added Smart Process Termination Technique.
Improved Handles Detection.
Improved Processes Detection.
Improved Drivers Detection.
Improved User-mode Memory Reader On Vista.
[!] Fixed bug in IAT Hooks Detection.



Download Link:
Code:
http://www.at4re.com/files/Tools/Releases/GamingMasteR/Kernel_Detective_v1.2.zip

GamingMasteR
June 20th, 2009, 13:36
What's new in v1.3.0 :
Quote:
[+] Support for Vista SP2
[+] Suspend/Resume Process/Thread
[+] Force Resume Process/Thread
[+] Unloaded drivers viewer
[+] Object Types viewer
[+] Timer Objects viewer
[+] Kernel Notification Callbacks viewer (Process/Thread/Image/Registry)
[+] Added simple hex viewer with the disassembler
[+] Force Delete files (even files in use)
[+] File Signature Verifying
[+] Ability to save list contents
Improved Hidden Drivers Detection
Improved disassembler coloring
[!] Fixed annoying problem with listview sorting and refreshing
[!] Fixed known minor bugs in v1.2.1



Download Link :
http://www.at4re.com/files/Tools/Releases/GamingMasteR/KERNEL_DETECTIVE_V1.3.0.ZIP


SHA-256 : 7E01B3DA8B844C45B69CE1F3615FC0350D26C56B93AFE82E2F1756A318266011

Elenil
June 20th, 2009, 21:58
Hi GamingMasteR, I just wonder about a feature of your tool (if it is a feature).
When SoftICE is loaded (or not loaded), the "GUI Settings" shows a red color (only for deroko's website); the others are grayed.
Is that some kind of detection? I didn't find anything in the readme about that.

naides
June 22nd, 2009, 07:06
I get a virus alarm with your Kernel_detective exe file.

What gives?

GamingMasteR
June 22nd, 2009, 10:37
@Elenil:
YES, Deroko is a big rootkit
The color on deroko's line is a sample of a warning line's color; play a bit with the warning colors and it will change.

@naides:
It's not malicious
Only F/Ps
Code:
http://forum.sysinternals.com/forum_posts.asp?TID=19056&PID=100697#100697

darawk
June 22nd, 2009, 19:56
Quote:
[Originally Posted by naides;81249]I get a virus alarm with your Kernel_detective exe file.

What gives?


I would guess it's the presence of a driver and the APIs it uses. Any tool that accesses the system at a very low level and isn't as well known (and therefore whitelisted) will probably trigger an AV alert.

GamingMasteR
December 6th, 2009, 14:31
Kernel Detective v1.3.1 :
[+] Support For WINDOWS SEVEN BUILD 7600
[+] Added Bugcheck(Reason) Callback Notifications Detection
[+] Added Hidden DLLs Detection
[+] Added New Features For DLLs (ZeroMemory/UnmapMemory)
[+] Added Unicode/Ascii String Reference In Disassembler Window
[+] Added Physical Memory Dumper
[+] Added Thread Stack Trace
[+] Added "Copy" and "Select all" Hot-keys (Ctrl+A Ctrl+C)
Improved Files Operations (Open/Copy/Kill)
Application Windows Now Have XP Visual Style
Tabs Now Are Multilined
[!] Fixed Bug In Callbacks Detection For VISTA BUILD 6000
[!] Fixed Processes Row Selection
[!] Fixed Listview Selection And Sorting Bugs
[!] Fixed Bugs In Kernel Driver Installation Process


Download Link :
Code:
http://www.at4re.com/files/Tools/Releases/GamingMasteR/Kernel_Detective_v1.3.1.zip



SHA-256 :
B4E09993409F3B85989BFF048BDBF9D423468416E7D97843CF80C950E4737A26

GamingMasteR
December 8th, 2010, 16:32
What's new in v1.4.0 :
- Added plugins system
- Added support for windows server 2008, seven sp1
- Enhanced stability on NT 6.0+ (windows vista/seven)
- Improved driver scan
- Improved code hook scan
- Fixed bug that prevented the tool from working on Windows XP
- Fixed bug related to long paths
- Fixed bug in process/driver dumper
- Fixed bug in IDT scan


Download Link :
http://www.mediafire.com/?94hb182iirjpvcr


SHA-256 :
3C0D5426A2FE65EB72FB4F6A396C4CF83285B38EAE188B41C6F8D048157FF6DF

GamingMasteR
December 10th, 2010, 10:24
What's new in v1.4.1 :
- Fixed possible BSOD when scanning processes
- Fixed bug in callbacks scanning
- Enhanced showing files properties and signature verifying
- Skeleton SDK for VS2008 included


Download Link :
http://www.mediafire.com/?o4mwekn7jtizdi4


SHA-256 :
619E9AE64CC9DE82DD35CB3469D413E8C78A57EC8021B8450B6EAD15526562D7

dELTA
December 13th, 2010, 12:32
Thanks for keeping your tool updated and letting us know about it, GamingMasteR.

WaxfordSqueers
December 17th, 2010, 02:34
Quote:
[Originally Posted by GamingMasteR;88560]What's new in v1.4.1 :

Running Win 7 on laptop. If I double-click Kernel Detective.exe, it returns an error message: 'Unable to install the system component'. If I double-click Dbgview.bat, it opens a command window and does nothing. The command window closes automatically.

Ctrl-D won't bring it back (that's a SoftICE joke).

Has my brain stopped working? I have begun to suspect that might be the case.

I am running a Comodo firewall with the anti-virus feature running. It asked me if I wanted to sandbox the app and I selected yes. May have been a mistake. However, the app appears in Comodo as a trusted app.

GamingMasteR
December 17th, 2010, 03:51
Hello WaxfordSqueers,

You need to :
- Run it on 32-bit OS
- Run it with admin privilege (right click -> run as administrator)
- No sandboxing if it will prevent the kernel-mode driver from loading

Regards.

WaxfordSqueers
December 17th, 2010, 04:21
Quote:
[Originally Posted by GamingMasteR;88601]Hello WaxfordSqueers,You need to :
- Run it on 32-bit OS
Thanks for the reply, GMR. I knew my brain was faulty; hope it's a temporary thing.

Forgot to mention, I have a 64 bit version of Win 7.

No insult intended with sandboxing. Wanted to see how it would react first, and to see how Comodo would handle it.
I have my reversing stuff on a 32 bit machine, I'll try your app later.

I was curious to see if I had picked up any nasty threads that were hidden.