From Collaborative RCE Tool Library
Hook Detection Tools
| Tool name: | Kernel Detective |
|---|---|
| Author: | GamingMaster -AT4RE |
| Website: | http://www.at4re.com |
| Current version: | 1.1 |
| Last updated: | September 2, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Also listed in: | Kernel Hook Detection Tools |

Description: Kernel Detective is a free tool that helps you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you direct access to the kernel, so it is not oriented toward newbies: changing essential kernel-mode objects without enough knowledge will lead you to only one result, a BSOD!

Supported NT versions: XP (SP1, SP2, SP3), Vista Ultimate build 6000.

With Kernel Detective you can:

1. Detect hidden processes.
2. Detect hidden DLLs.
3. Detect hidden handles.
4. Detect hidden drivers.
5. Detect hooked SSDT.
6. Detect hooked Shadow SSDT.
7. Detect hooked IDT.
8. Detect kernel-mode code modifications and hooks.
9. Disassemble (read/write) kernel-mode/user-mode memory.
10. Monitor debug output on your system.

Enumerate running processes and print important values such as Process Id, Parent Process Id, ImageBase, EntryPoint, VirtualSize, PEB block address and EPROCESS block address. Kernel Detective also has special scan methods for detecting hidden processes.

Enumerate a specific running process's dynamic-link libraries, showing every DLL's ImageBase, EntryPoint, Size and Path.

Enumerate a specific running process's open handles, showing every handle's name and address, and giving you the ability to close the handle.

Enumerate loaded kernel-mode drivers and show every driver's ImageBase, EntryPoint, Size, Name and Path. It also has special methods for detecting hidden drivers.

Scan the system service table (SSDT) and show every service function address alongside the real function address. You can restore a single service function address or restore the whole table.

Scan the shadow system service table (Shadow SSDT) and show every shadow service function address alongside the real function address. You can restore a single shadow service function address or restore the whole table.

Scan the interrupt table (IDT) and show every interrupt handler's offset, selector, type, attributes and real handler offset. This is applied to every processor on multi-processor machines.

Scan the important system kernel modules, detect modifications to their bodies and analyze them. For now it can detect and restore inline code modifications, EAT hooks and IAT hooks. I'm looking at more types of hooks for the next releases of Kernel Detective.

A nice disassembler relying on the OllyDbg disasm engine; thanks to Oleh Yuschuk for publishing the source code of his nice disasm engine. With it you can disassemble, assemble and hex-edit the virtual memory of a specific process or even kernel-space memory. Kernel Detective uses its own read/write routines from kernel mode and doesn't rely on any Windows API. That makes Kernel Detective able to read/write a process's VM even if NtReadProcessMemory/NtWriteProcessMemory are hooked, and it also bypasses hooks on other important kernel-mode routines such as KeStackAttachProcess and KeAttachProcess.

Show the messages sent by drivers to the kernel debugger, just like DebugView by Mark Russinovich. It does this by hooking interrupt 0x2d, which is responsible for outputting debug messages. Hooking interrupts may cause problems on some machines, so DebugView is turned off by default; to turn it on you must run Kernel Detective with the "-debugv" parameter.
| Tool name: | GMER |
|---|---|
| Author: | Przemyslaw Gmerek |
| Website: | http://www.gmer.net |
| Current version: | 1.0.14.14205 |
| Last updated: | March 5, 2008 |
| Direct D/L link: | http://www.gmer.net/gmer.zip |
| License type: | Free |
| Also listed in: | Kernel Hook Detection Tools |

Description: GMER is an application that detects and removes rootkits. It scans for:

* Hidden processes
* Hidden threads
* Hidden modules
* Hidden services
* Hidden files
* Hidden Alternate Data Streams
* Hidden registry keys
* Drivers hooking SSDT
* Drivers hooking IDT
* Drivers hooking IRP calls
* Inline hooks

GMER also allows you to monitor the following system functions:

* Process creation
* Driver loading
* Library loading
* File functions
* Registry entries
* TCP/IP connections

GMER runs on Windows NT/W2K/XP/Vista.
| Tool name: | HookShark |
|---|---|
| Author: | DeepBlueSea |
| Website: | http://home.arcor.de/neotracer/hookshark.html |
| Current version: | |
| Last updated: | September 22, 2008 |
| Direct D/L link: | http://home.arcor.de/neotracer/HookShark.rar |
| License type: | Free |
| Also listed in: | Usermode Hook Detection Tools |

Description: HookShark is a detector of hooks and patches installed on the system (user mode only for now). It scans through the code section of every loaded module of each running process and compares it with the file image. If it detects discrepancies, it tries to determine the type of hook or patch and reports it to the user.

The detailed report about the type of patch is not 100% reliable and can be wrong. HookShark makes many assumptions and guesses during analysis and reporting because of the nature of assembly. In some cases we cannot theoretically determine with 100% accuracy whether a block of bytes is data or code. We also cannot determine where the next instruction begins if we are in the middle of a patched block of bytes. An almost safe presumption can only be achieved through full-blown x86 emulation, tracing from the entry point of the binary. But even then not all execution paths are necessarily covered. Yes, even IDA has problems with this in extreme cases.

Currently implemented hook detection:

* Inline patches / hooks (NOP, exception handler, relative jumps, custom patches)
* Other custom patches [...]
* IAT and EAT hooks
* Relocation hooks
* Hardware breakpoints

Planned hook detection:

* PAGE_GUARD hooks
* PEB LdrList hooks
* TrapFlag usage "hooks"
| Tool name: | RAIDE |
|---|---|
| Author: | petersilberman |
| Website: | http://www.rootkit.com/project.php?id=33 |
| Current version: | Beta 1 |
| Last updated: | August 6, 2006 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Also listed in: | Kernel Hook Detection Tools |

Description: RAIDE stands for Rootkit Analysis Identification Elimination. RAIDE is a rootkit detection/removal tool. RAIDE offers unique features such as process dumping, firewall identification, etc.
| Tool name: | Rootkit Unhooker |
|---|---|
| Author: | EP_X0FF |
| Website: | http://rku.nm.ru |
| Current version: | 3.7.300.509 |
| Last updated: | November 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Also listed in: | Kernel Hook Detection Tools |

Description: Rootkit Unhooker LE (RkU) is an advanced rootkit detection/removal utility, designed specially for advanced users and IT professionals. It runs under 32-bit Windows 2000, Windows XP, Windows 2003 Server and Windows Vista. The project was discontinued when it was bought up by Microsoft in November 2007.
| Tool name: | SDT Cleaner |
|---|---|
| Author: | Nahuel C. Riva |
| Website: | http://oss.coresecurity.com/projects/sdtcleaner.html |
| Current version: | 1.0 |
| Last updated: | |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Also listed in: | Kernel Hook Detection Tools |

Description: SDT Cleaner is a tool that intends to clean the SSDT (system service descriptor table) of hooks.

* SDT Cleaner allows you to clean hooks installed by anti-virus products and firewalls.
* This little tool (in this first release) tries to collect info from your current kernel, then switches to kernel land and, if there are any hooks in the SSDT, replaces them with the original entries.
| Tool name: | SSDT Revealer |
|---|---|
| Author: | ZaiRoN |
| Website: | http://zairon.wordpress.com/2007/03/20/tool-system-service-descriptor-table-revealer/ |
| Current version: | 1.0 |
| Last updated: | March 20, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Also listed in: | Kernel Hook Detection Tools |

Description: This is a little tool I coded some time ago. The name says it all: it reveals the System Service Dispatch Table, showing possible hooks over one or more functions. It was born as a part of a more complex tool, which is still unfinished. SSDT Revealer is nothing special but could come in handy. The program has been developed under Win-XP. It should run on other OSs, but I really don't know. Again, it's a personal program and I didn't spend nights and nights trying to find one or more bugs; when a bug occurs I fix it. If you find a bug or something else, please don't hesitate to contact me.