From Collaborative RCE Tool Library
Malware Analysis Tools
| Tool name: | Kernel Detective |
| ||
|---|---|---|---|---|
| Author: | GamingMaster -AT4RE | |||
| Website: | http://www.at4re.com | |||
| Current version: | 1.3.1 | |||
| Last updated: | December 06, 2009 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | Kernel Detective is a free tool that help you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you the access to the kernel directly so it's not oriented for newbies. Changing essential kernel-mode objects without enough knowledge will lead you to only one result ... BSoD ! Supported NT versions : XP/Vista/SEVEN Kernel Detective gives you the ability to : 1- Detect Hidden Processes. 3- Detect Hidden Threads. 2- Detect Hidden DLLs. 3- Detect Hidden Handles. 4- Detect Hidden Driver. 5- Detect Hooked SSDT. 6- Detect Hooked Shadow SSDT. 7- Detect Hooked IDT. 8- Detect Kernel-mode code modifications and hooks. 9- Disassemble (Read/Write) Kernel-mode/User-mode memory. 10- Monitor debug output on your system. Enumerate running processes and print important values like Process Id, Parent Process Id, ImageBase, EntryPoint, VirtualSize, PEB block address and EPROCESS block address. Special undocumented detection algorithms were implemented to detect hidden processes. Detect hidden and suspicious threads in system and allow user to forcely terminate them . Enumerate a specific running process Dynamic-Link Libraries and show every Dll ImageBase, EntryPoint, Size and Path. You can also inject or free specific module. Enumerate a specific running process opened handles, show every handle's object name and address and give you the ability to close the handle. Enumerate loaded kernel-mode drivers and show every driver ImageBase, EntryPoint, Size, Name and Path. Undocumented detection algorithms were implemented to detect hidden drivers. Scan the system service table (SSDT) and show every service function address and the real function address, detection algorithm improved to bypass KeServiceDescriptorTable EAT/IAT hooks.You can restore single service function address or restore the whole table. Scan the shadow system service table (Shadow SSDT) and show every shadow service function address and the real function address. You can restore single shadow service function address or restore the whole table Scan the interrupts table (IDT) and show every interrupt handler offset, selector, type, Attributes and real handler offset. This is applied to every processor in a multi-processors machines. Scan the important system kernel modules, detect the modifications in it's body and analyze it. For now it can detect and restore inline code modifications, EAT and IAT hooks. I'm looking for more other types of hooks next releases of Kernel Detective. A nice disassembler rely on OllyDbg disasm engine, thanks Oleh Yuschuk for publishing your nice disasm engine .With it you can disassemble, assemble and hex edit virtual memory of a specific process or even the kernel space memory. Kernel Detective use it's own Read/Write routines from kernel-mode and doesn't rely on any windows API. That make Kernel Detective able to R/W processes VM even if NtReadProcessMemory/NtWriteProcessMemory is hooked, also bypass the hooks on other kernel-mode important routines like KeStackAttachProcess and KeAttachProcess. Show the messages sent by drivers to the kernel debugger just like Dbgview by Mark Russinovich. It's doing this by hooking interrupt 0x2d wich is responsible for outputing debug messages. Hooking interrupts may cause problems on some machines so DebugView is turned off by default, to turn it on you must run Kernel Detective with "-debugv" parameter. | |||
| Also listed in: | Hook Detection Tools, Kernel Hook Detection Tools, Kernel Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Process Hacker |
| ||
|---|---|---|---|---|
| Author: | wj32 | |||
| Website: | http://processhacker.sourceforge.net | |||
| Current version: | 1.4 | |||
| Last updated: | August 22, 2009 | |||
| Direct D/L link: | http://downloads.sourceforge.net/project/processhacker/processhacker/processhacker-1.4/processhacker-1.4-bin.zip | |||
| License type: | Open Source (GNU General Public License) | |||
| Description: | Process Hacker is a feature-packed tool for manipulating processes and services on your computer. Key features of Process Hacker: - A simple, customizable tree view with highlighting showing you the processes running on your computer. - Detailed performance graphs. - A complete list of services and full control over them (start, stop, pause, resume and delete). - A list of network connections. - Comprehensive information for all processes: full process performance history, thread listing and stacks with dbghelp symbols, token information, module and mapped file information, virtual memory map, environment variables, handles, ... - Full control over all processes, even processes protected by rootkits or security software. Its kernel-mode driver has unique abilities which allows it to terminate, suspend and resume all processes and threads, including software like IceSword, avast! anti-virus, AVG Antivirus, COMODO Internet Security, etc. (just to name a few). - Find hidden processes and terminate them. Process Hacker detects processes hidden by simple rootkits such as Hacker Defender and FU. - Easy DLL injection and unloading - simply right-click a process and select "Inject DLL" to inject and right-click a module and select "Unload" to unload! - Many more features... | |||
| Also listed in: | Process Monitoring Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Malcode Analysis Pack |
| ||
|---|---|---|---|---|
| Author: | David Zimmer (iDefense Labs) | |||
| Website: | http://labs.idefense.com/files/labs/releases/previews/map/ | |||
| Current version: | ||||
| Last updated: | November 13, 2006 | |||
| Direct D/L link: | http://labs.idefense.com/software/download/?downloadID=8 | |||
| License type: | GPL2 | |||
| Description: | The Malcode Analyst Pack contains a series of utilities that were found to be necessary tools while doing rapid malcode analysis. Included in this package are: • ShellExt - 4 explorer shell extensions • socketTool - manual TCP Client for probing functionality. • MailPot - mail server capture pot • fakeDNS - spoofs dns responses to controlled ip's • sniff_hit - HTTP, IRC, and DNS sniffer • sclog - Shellcode research and analysis application • IDCDumpFix - aids in quick RE of packed applications • Shellcode2Exe - embeds multiple shellcode formats in exe husk • GdiProcs - detect hidden processes | |||
| Also listed in: | Network Tools, Process Monitoring Tools, TCP Proxy Tools, Network Sniffers, Import Editors, Reverse Engineering Frameworks, API Monitoring Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
Feed containing all updates and additions for this category.
Feed containing all updates and additions for this category, including sub-categories.
