From Collaborative RCE Tool Library


Usermode Hook Detection Tools


Tool name: HookShark
Rating: 0.0 (0 votes)
Author: DeepBlueSea
Website: http://home.arcor.de/neotracer/hookshark.html
Current version:
Last updated: September 22, 2008
Direct D/L link: http://home.arcor.de/neotracer/HookShark.rar
License type: Free
Description: HookShark detects hooks and patches installed on the system (usermode only for now). It scans the code section of every loaded module in each running process and compares it with the file image on disk. If it finds discrepancies, it tries to determine the type of hook or patch and reports it to the user. The detailed report about the type of patch is not 100% reliable and can be wrong: HookShark makes many assumptions and guesses during analysis and reporting, because of the nature of x86 assembly. In some cases it is theoretically impossible to determine with 100% accuracy whether a block of bytes is data or code, and when we land in the middle of a patched block of bytes we cannot tell where the next instruction begins. A nearly safe presumption can only be achieved through full-blown x86 emulation, tracing from the entry point of the binary, and even then not all execution paths are necessarily covered. Yes, even IDA has problems with this in extreme cases.

Currently implemented hook detection:

* Inline patches / hooks (NOP, exception handler, relative jumps, custom patches)
* Other custom patches [...]
* IAT and EAT hooks
* Relocation hooks
* Hardware breakpoints

Planned hook detection:

* PAGE_GUARD hooks
* PEB LdrList hooks
* TrapFlag usage "hooks"

Also listed in: (Not listed in any other category)



Tool name: System Virginity Verifier
Rating: 0.0 (0 votes)
Author: Joanna Rutkowska
Website: http://www.invisiblethings.org/code.html
Current version: 2.3
Last updated: February 27, 2005
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Joanna Rutkowska has provided interesting papers and tools about rootkits on her site (invisiblethings.org) for several years and is a well-known contributor to the official rootkit web site.

System Virginity Verifier, or SVV, is very interesting because it checks the system for malicious hooking and also verifies the integrity of the modules' code sections directly in memory.

After the verification, SVV notifies the user with one of five levels of infection or seriousness:

- level 0: 100% virgin (not expected to occur in the wild);
- level 1: seems OK;
- level 2: innocent hooking detected;
- level 3: very suspect, but may be a false positive;
- level 4: compromised.

The final verdict uses a colour code from blue to deep red.
Resource: the SVV PowerPoint presentation (available at invisiblethings.org).

It is important to note that many programs can interfere with the verdict: antivirus products such as Kaspersky, and desktop intrusion prevention systems that operate at a low level, like AntiHook, ProcessGuard and so on.

SVV in action:

After rebooting the PC in diagnostic mode, SVV gives its first verdict:


Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>svv check /m
module ntoskrnl.exe [0x804d7000 - 0x806ebf80]: 0x804db4f0 [RtlPrefetchMemoryNonTemporal()+0] 1 byte(s): exclusion filter: single byte modification
file  :c3
memory :90
verdict = 1

0x804dc032 18 byte(s): exclusion filter: KeFlushCurrentTb()
file  :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
verdict = 1

0x804dc04a 1 byte(s): exclusion filter: single byte modification
file  :c3
memory :00
verdict = 1

0x804df16a 1 byte(s): exclusion filter: single byte modification
file  :05
memory :06
verdict = 1

module ntoskrnl.exe: end of details

SYSTEM INFECTION LEVEL: 1
0 - BLUE
--> 1 - GREEN
2 - YELLOW
3 - ORANGE
4 - RED
5 - DEEPRED

Nothing suspected was detected.

Level 1/Green: good news to start with.

Now let's hook some Windows APIs and see the new verdict:

Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>svv check /m
ntoskrnl.exe (804d7000 - 806ebf80)... module ntoskrnl.exe [0x804d7000 - 0x806ebf80]:
0x804db4f0 [RtlPrefetchMemoryNonTemporal()+0] 1 byte(s): exclusion filter: single byte modification
file  :c3
memory :90
verdict = 1

0x804dc032 18 byte(s): exclusion filter: KeFlushCurrentTb()
file  :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
verdict = 1

0x804dc04a 1 byte(s): exclusion filter: single byte modification
file  :c3
memory :00
verdict = 1


0x804df16a 1 byte(s): exclusion filter: single byte modification
file  :05
memory :06
verdict = 1


0x804e72c4 [ExAllocatePoolWithQuotaTag()+0] 6 byte(s): JMPing code (jmp to: 0xbab1dbfc)
address 0xbab1dbfc is inside TRACE.SYS module [0xbab1a000-0xbab26000]
target module path: \??\C:\DOCUMENTS AND SETTINGS\MICHEL\MES DOCUMENTS\KAPIMON 2\TRACE.SYS
file  :8b ff 55 8b ec 51
memory :ff 25 fc db b1 ba
verdict = 2

0x804eb321 [ExAllocatePoolWithTagPriority()+0] 6 byte(s): JMPing code (jmp to: 0xbab1dba4)
address 0xbab1dba4 is inside TRACE.SYS module [0xbab1a000-0xbab26000]
target module path: \??\C:\DOCUMENTS AND SETTINGS\MICHEL\MES DOCUMENTS\KAPIMON 2\TRACE.SYS
file  :8b ff 55 8b ec 53
memory :ff 25 a4 db b1 ba
verdict = 2

module ntoskrnl.exe: end of details

SYSTEM INFECTION LEVEL: 2
0 - BLUE
1 - GREEN
--> 2 - YELLOW
3 - ORANGE
4 - RED
5 - DEEPRED

Nothing suspected was detected.
Also listed in: Kernel Hook Detection Tools
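Both tools above work the same way at the core: read the code section of a loaded module, compare it byte for byte with the file image on disk, and classify whatever differs (a single-byte change, a NOP, a jmp into a foreign module). The Python below is an added illustration of that classification step and is not HookShark's or SVV's own code. The byte strings, addresses and module ranges are the ones SVV printed in the transcript above, re-entered here as constructed sample records; the exclusion list (KeFlushCurrentTb), the verdict numbers and the colour scale are modelled on SVV's output but the mapping logic is an assumption of this example.

```python
"""Classify code-section discrepancies the way SVV/HookShark report them.

Added example; not SVV's or HookShark's own code. The records in SAMPLE
are taken from the SVV transcript on this page and re-entered by hand.
"""
import struct

# Constructed module map; address ranges are the ones SVV printed above.
MODULES = {
    "ntoskrnl.exe": (0x804D7000, 0x806EBF80),
    "TRACE.SYS": (0xBAB1A000, 0xBAB26000),
}

# Constructed exclusion list, modelled on SVV's "exclusion filter" for a
# routine the kernel is known to rewrite itself at boot.
EXCLUSIONS = {"KeFlushCurrentTb"}

# SVV's colour scale, as shown in the transcript.
COLOURS = ["BLUE", "GREEN", "YELLOW", "ORANGE", "RED", "DEEPRED"]


def parse_hex(text):
    """Turn an SVV 'file :' / 'memory :' line such as 'ff 25 fc db b1 ba' into bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def module_for(addr, modules=MODULES):
    """Return the name of the module whose range contains addr, or None."""
    for name, (lo, hi) in modules.items():
        if lo <= addr < hi:
            return name
    return None


def classify(addr, file_bytes, mem_bytes, symbol=None, modules=MODULES):
    """Compare on-disk and in-memory bytes at one code address.

    Returns (kind, detail, verdict). Verdict 0: untouched; 1: a change
    SVV treats as benign (single byte, NOP, or an excluded routine);
    2: control flow redirected, the case that needs a human look.
    """
    if file_bytes == mem_bytes:
        return ("unmodified", {}, 0)
    diff = [i for i, (a, b) in enumerate(zip(file_bytes, mem_bytes)) if a != b]

    # Control-flow redirection is decided from the in-memory bytes.
    if mem_bytes[:2] == b"\xff\x25" and len(mem_bytes) >= 6:
        # jmp dword ptr [abs32]: the operand is the address of a pointer slot,
        # which is exactly the address SVV prints as "jmp to".
        slot = struct.unpack_from("<I", mem_bytes, 2)[0]
        return ("JMPing code", {"jmp_to": slot, "module": module_for(slot, modules)}, 2)
    if mem_bytes[:1] == b"\xe9" and len(mem_bytes) >= 5:
        # jmp rel32: target = address of the next instruction + displacement.
        rel = struct.unpack_from("<i", mem_bytes, 1)[0]
        target = (addr + 5 + rel) & 0xFFFFFFFF
        return ("JMPing code", {"jmp_to": target, "module": module_for(target, modules)}, 2)

    if symbol in EXCLUSIONS:
        return ("exclusion filter", {"symbol": symbol}, 1)
    if len(diff) == 1:
        return ("single byte modification", {"offset": diff[0]}, 1)
    if all(mem_bytes[i] == 0x90 for i in diff):
        return ("NOP patch", {"offsets": diff}, 1)
    return ("custom patch", {"offsets": diff}, 2)


# Constructed sample: the ntoskrnl.exe findings from the second SVV run above,
# as (address, symbol, file bytes, memory bytes).
SAMPLE = [
    (0x804DB4F0, "RtlPrefetchMemoryNonTemporal", "c3", "90"),
    (0x804DC032, "KeFlushCurrentTb",
     "d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80",
     "e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3"),
    (0x804DC04A, None, "c3", "00"),
    (0x804DF16A, None, "05", "06"),
    (0x804E72C4, "ExAllocatePoolWithQuotaTag", "8b ff 55 8b ec 51", "ff 25 fc db b1 ba"),
    (0x804EB321, "ExAllocatePoolWithTagPriority", "8b ff 55 8b ec 53", "ff 25 a4 db b1 ba"),
]


def scan(records=SAMPLE):
    """Classify every record; returns a list of (kind, detail, verdict)."""
    return [classify(a, parse_hex(f), parse_hex(m), s) for a, s, f, m in records]


def infection_level(findings):
    """Overall level the way SVV reports it: the worst verdict seen."""
    return max((v for _, _, v in findings), default=0)


if __name__ == "__main__":
    findings = scan()
    for (addr, sym, _, _), (kind, detail, verdict) in zip(SAMPLE, findings):
        print(f"0x{addr:08x} {sym or '':32} {kind:26} {detail} verdict = {verdict}")
    level = infection_level(findings)
    print(f"SYSTEM INFECTION LEVEL: {level} - {COLOURS[level]}")
```

Run on the sample records, the two ExAllocatePool* entries come out as indirect jumps whose pointer slots (0xbab1dbfc and 0xbab1dba4) fall inside the TRACE.SYS range, which is what pushes the overall level to 2 / YELLOW; the four earlier entries stay at verdict 1 just as in the transcript. The same comparison run against a usermode module's code section is what HookShark does per process, and the "custom patch" fall-through is where its caveat about guessing applies: once the patched bytes no longer start at an instruction boundary, the classifier can only say that something changed, not what.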

