klister is a simple set of utilities for Windows 2000, designed to read the internal kernel data structures in order to get reliable information about the system state, which can be compromised by some smart rootkits.
It consists of a kernel module and simple command-line programs, which provide the user interface.
Process listing
----------------
In the current version only process listing has been implemented. Klister uses 3 internal dispatcher data structures in order to find running processes:
Unfortunately, the addresses of these structures are not exported by the kernel, so you will have to use debug symbols (which can be downloaded from Microsoft) to get their addresses.
SDT listing
------------
The sdt.exe utility can be used to obtain the real address of the Service Table which is used by all threads running in the system (by examining the pSDT field in each KTHREAD structure). It also dumps its contents, so you can catch all simple rootkits which hook that table.
IDT listing
------------
idt.exe just dumps the contents of the IDT table (pointed to by the IDTR register).
Usage
------
You will have to use a 3rd-party utility program to load klister's kernel module (kmodule.sys) into the kernel. You can use Schreiber's program w2k_load, for example, which is attached in the file w2k_internals.zip:
w2k_load kmodule.sys
This is a proof-of-concept code, and no warranty is given. Use at your own risk.
Currently only Windows 2000 is supported!
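The three checks described above (every thread's pSDT pointing at the same Service Table, the table's entries lying inside the kernel image, and processes present in the dispatcher structures but missing from the API view) share one detection principle: read the data the rootkit cannot easily fake and diff it against what the system reports. The following added example, which is not klister's code, models that comparison in user-mode C over constructed sample data; the structure layouts, addresses and PIDs are placeholders, not real Windows 2000 values or KTHREAD offsets.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the views klister compares (added example, not klister's
 * code). Real KTHREAD/KPROCESS layouts, offsets and addresses are not used. */

typedef struct {
    uint32_t tid;
    uintptr_t pSDT;     /* service table pointer as recorded per thread (hypothetical) */
} thread_view_t;

typedef struct {
    uintptr_t base;     /* start of the kernel image */
    uintptr_t end;      /* one past its last byte */
} image_range_t;

/* A thread whose pSDT does not point at the expected table has been redirected
 * to a private copy of the table. Returns how many such threads were seen. */
size_t count_redirected_threads(const thread_view_t *t, size_t n, uintptr_t expected)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (t[i].pSDT != expected) {
            printf("thread %u: pSDT %#lx != expected %#lx\n", t[i].tid,
                   (unsigned long)t[i].pSDT, (unsigned long)expected);
            found++;
        }
    }
    return found;
}

/* Every service table entry should lie inside the kernel image; an entry that
 * points elsewhere has been hooked. Returns the number of such entries. */
size_t count_hooked_entries(const uintptr_t *table, size_t n, image_range_t kernel)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (table[i] < kernel.base || table[i] >= kernel.end) {
            printf("service %zu: %#lx lies outside the kernel image\n", i,
                   (unsigned long)table[i]);
            found++;
        }
    }
    return found;
}

/* Cross-view check: a PID present in the kernel's dispatcher structures but absent
 * from the API-reported list is hidden. Returns the number of hidden PIDs. */
size_t count_hidden_pids(const uint32_t *kernel_pids, size_t nk,
                         const uint32_t *api_pids, size_t na)
{
    size_t hidden = 0;
    for (size_t i = 0; i < nk; i++) {
        bool seen = false;
        for (size_t j = 0; j < na && !seen; j++)
            seen = (api_pids[j] == kernel_pids[i]);
        if (!seen) {
            printf("pid %u: in kernel structures, missing from API list\n", kernel_pids[i]);
            hidden++;
        }
    }
    return hidden;
}

/* Constructed sample data: all addresses and PIDs are placeholders. */
static const uintptr_t sample_real_sdt = 0x80460000u;
static const thread_view_t sample_threads[] = {
    { 4, 0x80460000u }, { 8, 0x80460000u }, { 1234, 0x81ff0000u }
};
static const image_range_t sample_ntoskrnl = { 0x80400000u, 0x80600000u };
static const uintptr_t sample_table[] = { 0x80461234u, 0x8047abcdu, 0xf0c01000u };
static const uint32_t sample_kernel_pids[] = { 0, 8, 144, 1234 };
static const uint32_t sample_api_pids[]    = { 0, 8, 144 };

int main(void)
{
    size_t r = count_redirected_threads(sample_threads, 3, sample_real_sdt);
    size_t h = count_hooked_entries(sample_table, 3, sample_ntoskrnl);
    size_t p = count_hidden_pids(sample_kernel_pids, 4, sample_api_pids, 3);
    printf("%zu redirected thread(s), %zu hooked entry(ies), %zu hidden pid(s)\n", r, h, p);
    return 0;
}
```

On the sample data one thread carries a foreign pSDT, one service entry points outside the image range and one PID is missing from the API view, which is the kind of discrepancy the klister utilities are meant to expose; a real implementation reads the values from the kernel module instead of from constants.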
DJVASTVASTY2K
Dec 22 2003, 11:43 PM
Hello M8's
Now this is what I call security
Looks very interesting. I will have to test this on another machine.
Thank You
Best Regards
Adam
Vast Gsm
Kynroxes
Dec 23 2003, 12:46 PM
yeah tks skydance, I will test it ... great work!!