Full Version: Modgreper 0.1
da_cash
CODE

                            modGREPER 0.1

      Joanna Rutkowska, June 2005.
       http://invisiblethings.org


modGREPER is a hidden module detector for Windows 2000/XP/2003. It
searches through the whole kernel memory (0x80000000 - 0xffffffff) in
order to find structures which look like valid module description
objects. Currently the two most important object types are recognized:
the well known _DRIVER_OBJECT and _MODULE_DESCRIPTION. GREPER has some
sort of artificial intelligence built in, which allows it to recognize if
the given bytes actually describe a module-specific object. The term
AI for this algorithm is probably a little bit exaggerated, since it
is just a few bunches of logical rules which should be satisfied by
the potential fields of the structure in question.

modGREPER builds a list of found objects, matches them to each other
and finally compares this list against the list of kernel modules
obtained with documented API (EnumDeviceDrivers).

modGREPER should be able to detect all kinds of module hiding
techniques used today. Some of the modules are also marked as
"SUSPECTED". This applies to (not hidden) modules whose corresponding
image files are either not present or lie within hidden
directories (hidden by the rootkit, not the system). This feature was added
because, sadly, most of the rootkits do not even try to hide their
kernel modules against the API!

modGREPER is also able to find and display the list of unloaded kernel
modules. This way it is sometimes possible to also detect more advanced
driverless kernel rootkits. However, the list has some limitations - it
is of a limited capacity and contains only a module base name (no path
included).

Q: Is it possible to write a kernel rootkit which will not be detected
by a tool like modGREPER?
A: Yes, it is ;)

Q: What is the reason to release such a tool then?
A: To stimulate people to write more subtle rootkits :)

Q: What about userland rootkits?
A: Userland rootkits can ALWAYS be detected with much simpler means.
Also, some of the rootkits which are believed to be usermode only
also contain some kernel modules. Now you can find out which :)

WARNING: This is an experimental tool and there is completely no warranty
for it. It can blue screen your machine without a single question. Use
at your own risk! Especially please note that, as with many other AI-based
tools, some false positives may be possible (though they are rather
unlikely). Use the "-v" switch to examine all suspected situations.


It works great on my 2000 but hangs on my XP SP2.... Also it easily detects the original Hacker Defender ..
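The scan-then-compare approach the README describes, as an added Python example that is not modGREPER's own code: it sweeps a constructed 32-bit kernel-memory snapshot for byte runs that satisfy a few _DRIVER_OBJECT plausibility rules (Type 4, Size 0xA8, a kernel-range DriverStart, a sane DriverName), then reports objects whose base address the documented API list does not contain. The snapshot, the driver names, the "EnumDeviceDrivers" result set and the size thresholds are all constructed or assumed, and only _DRIVER_OBJECT is handled, not _MODULE_DESCRIPTION.

```python
import struct

KERNEL_LO, KERNEL_HI = 0x80000000, 0xFFFFFFFF  # range modGREPER sweeps
IO_TYPE_DRIVER, DRIVER_OBJECT_SIZE = 4, 0xA8    # 32-bit _DRIVER_OBJECT Type / Size
in_kernel = lambda addr: KERNEL_LO <= addr <= KERNEL_HI

def looks_like_driver_object(buf, off):
    # Logical rules that a genuine 32-bit _DRIVER_OBJECT at buf[off:] should satisfy
    typ, size = struct.unpack_from("<HH", buf, off)
    if typ != IO_TYPE_DRIVER or size != DRIVER_OBJECT_SIZE:
        return None
    start, drv_size = struct.unpack_from("<II", buf, off + 0x0C)      # DriverStart, DriverSize
    if not in_kernel(start) or not 0 < drv_size < 0x1000000:          # size bound is assumed
        return None
    length, maxlen, name_ptr = struct.unpack_from("<HHI", buf, off + 0x1C)  # DriverName
    if length == 0 or length > maxlen or length % 2 or not in_kernel(name_ptr):
        return None
    return {"start": start, "name_len": length, "name_ptr": name_ptr}

def scan(buf, base, step=4):
    # Sweep a memory snapshot loaded at `base`; map driver name -> DriverStart
    found = {}
    for off in range(0, len(buf) - DRIVER_OBJECT_SIZE + 1, step):
        obj = looks_like_driver_object(buf, off)
        if obj:
            rel = obj["name_ptr"] - base
            found[buf[rel:rel + obj["name_len"]].decode("utf-16-le", "replace")] = obj["start"]
    return found

def hidden_modules(found, api_bases):
    # Objects whose DriverStart the documented API (EnumDeviceDrivers) did not report
    return {n: s for n, s in found.items() if s not in api_bases}

def make_driver_object(start, size, name_ptr, name):
    obj = bytearray(DRIVER_OBJECT_SIZE)
    struct.pack_into("<HH", obj, 0, IO_TYPE_DRIVER, DRIVER_OBJECT_SIZE)
    struct.pack_into("<II", obj, 0x0C, start, size)
    struct.pack_into("<HHI", obj, 0x1C, len(name) * 2, len(name) * 2 + 2, name_ptr)
    return bytes(obj)

# Constructed snapshot at BASE: filler, two driver objects, their names, and one decoy
# whose DriverStart lies in user space (the rules must reject it).
BASE, mem = 0x80000000, bytearray(b"\xCC" * 0x3000)
NAMES = {0x80002000: "\\Driver\\Disk", 0x80002100: "\\Driver\\hidden"}  # hypothetical
mem[0x1000:0x10A8] = make_driver_object(0x80400000, 0x20000, 0x80002000, NAMES[0x80002000])
mem[0x1800:0x18A8] = make_driver_object(0x80500000, 0x08000, 0x80002100, NAMES[0x80002100])
mem[0x2800:0x28A8] = make_driver_object(0x00400000, 0x01000, 0x80002000, NAMES[0x80002000])
for ptr, n in NAMES.items():
    mem[ptr - BASE:ptr - BASE + len(n) * 2] = n.encode("utf-16-le")
API_BASES = {0x80400000}  # what EnumDeviceDrivers would have returned (constructed)
def demo():
    return hidden_modules(scan(bytes(mem), BASE), API_BASES)
```

Against a real machine the snapshot would have to come from live kernel memory read by a driver, and the same sweep would be repeated for _MODULE_DESCRIPTION, which is where the README's "SUSPECTED" image-file checks would hang off.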
guinn3ss
Freezes my computer

but why ........
I forgot to thank you

Thank you for this tool
belgther
Do rootkits ever modify memory management APIs to hide themselves? Because if a requested memory range is not in the memory allocation table, then it allocates it, and any existing "hidden" data will be overwritten. I might be wrong with my opinion and knowledge, but it means it's senseless to scan the whole kernel memory ;)