Development tool: Visual C++
Upload date: 2004-07-12 09:22:54
Uploader: administrator
Description: read the internal kernel data structures, in order to get reliable information about the system state (like a list of all processes, including those "hidden" by rootkits, even by fu)

klister-0.4 (0, 2004-03-08)
klister-0.4\bin (0, 2004-03-08)
klister-0.4\bin\idt.exe (28672, 2004-03-08)
klister-0.4\bin\klister.exe (28672, 2004-03-08)
klister-0.4\bin\kmodule.sys (4096, 2004-03-08)
klister-0.4\bin\sdt.exe (28672, 2004-03-08)
klister-0.4\bin\w2k_lib.dll (49152, 2001-02-12)
klister-0.4\bin\w2k_load.exe (20480, 2000-08-27)
klister-0.4\idt (0, 2004-03-08)
klister-0.4\idt\idt.dsp (4339, 2003-12-17)
klister-0.4\idt\main.cpp (1507, 2003-12-17)
klister-0.4\klister (0, 2004-03-08)
klister-0.4\klister.dsw (1120, 2003-10-26)
klister-0.4\klister\klister.dsp (4391, 2003-12-17)
klister-0.4\klister\main.cpp (3281, 2004-03-08)
klister-0.4\kmodule (0, 2004-03-08)
klister-0.4\kmodule\.kmodule.c.swp (16384, 2004-02-12)
klister-0.4\kmodule\kmodule.c (10404, 2004-03-08)
klister-0.4\kmodule\kmodule.dsp (4541, 2003-12-17)
klister-0.4\kmodule\kmodule.h (1732, 2004-03-08)
klister-0.4\kmodule\targets.h (880, 2003-12-17)
klister-0.4\kmodule\w2k_def.h (88931, 2000-08-28)
klister-0.4\kmodule\w2k_def_jr.h (88920, 2003-07-07)
klister-0.4\sdt (0, 2004-03-08)
klister-0.4\sdt\main.cpp (4274, 2003-12-17)
klister-0.4\sdt\sdt.dsp (4343, 2003-12-17)
klister-0.4\TODO (465, 2003-12-17)

KLISTER v 0.4

About
------
klister is a simple set of utilities for Windows 2000, designed to read the internal kernel data structures in order to get reliable information about the system state, which can be compromised by some smart rootkits. It consists of a kernel module and simple command-line programs which provide the user interface.

Process listing
----------------
In the current version only process listing has been implemented. Klister uses 3 internal dispatcher data structures in order to find running processes:
- KiDispatcherReadyListHead,
- KiWaitInListHead_addr,
- KiWaitOutListHead_addr.
Unfortunately the addresses of these structures are not exported by the kernel, so you will have to use debug symbols (which can be downloaded from Microsoft) to get their addresses.

SDT listing
------------
The sdt.exe utility can be used to obtain the real address of the Service Table which is used by all threads running in the system (by examining the pSDT field in each KTHREAD structure). It also dumps its contents, so you can catch all simple rootkits which hook that table.

IDT listing
------------
idt.exe just dumps the contents of the IDT table (pointed to by the IDTR register).

Usage
------
You will have to use a 3rd party utility program to load klister's kernel module (kmodule.sys) into the kernel. You can use Schreiber's program w2k_load for example, which is attached in the file w2k_internals.zip:

w2k_load kmodule.sys

This is proof-of-concept code, and no warranty is given. Use at your own risk.

Currently only Windows 2000 is supported!

Credits
--------
-> fuzzen_op, for writing the fu rootkit, which inspired me to develop this tool ;)
-> Greg, for pioneer work on windows rootkits and for rootkit.com.
-> Sven Schreiber, for a really good book about windows internals (and useful tools:))
-> Microsoft, for writing Windows ;)

Author
-------
Joanna Rutkowska
joanna at mailsnare dot net
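The process-listing and SDT-listing sections describe a cross-view check: the dispatcher lists are walked thread by thread, each thread's owning process is compared against what ordinary process enumeration reaches, and each KTHREAD's pSDT is compared against the expected service table. The C program below is an added example and is not klister's own code (kmodule.c is not reproduced here). It models the lists with simplified structures (SIM_EPROCESS, SIM_KTHREAD, and a LIST_ENTRY with the kernel's Flink/Blink shape) and constructed data, so it runs in user mode on any platform; every name, layout and value in it is an assumption, not the Windows 2000 definitions in w2k_def.h.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel structures klister walks; the real Windows 2000 layouts
 * (see w2k_def.h in the archive) differ, only the list-walking logic is modelled here. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

typedef struct _SIM_EPROCESS {
    unsigned   Pid;
    LIST_ENTRY ActiveProcessLinks;   /* the list that ordinary process enumeration follows */
} SIM_EPROCESS;

typedef struct _SIM_KTHREAD {
    LIST_ENTRY    WaitListEntry;     /* links the thread into a dispatcher wait list */
    SIM_EPROCESS *Process;           /* owning process */
    const void   *ServiceTable;      /* stands in for KTHREAD.pSDT */
} SIM_KTHREAD;

#define CONTAINING_RECORD(ptr, type, field) ((type *)((char *)(ptr) - offsetof(type, field)))

static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }

static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink;
    h->Blink->Flink = e; h->Blink = e;
}

/* After unlinking, the neighbours point past the entry, so a walk from the head never reaches it. */
static void RemoveEntryList(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink;
}

static int IsInActiveList(const LIST_ENTRY *activeHead, const SIM_EPROCESS *proc) {
    const LIST_ENTRY *e;
    for (e = activeHead->Flink; e != activeHead; e = e->Flink)
        if (CONTAINING_RECORD(e, SIM_EPROCESS, ActiveProcessLinks) == proc) return 1;
    return 0;
}

/* Cross-view check: walk the dispatcher wait list (thread view) and report every owning process
 * that the process list (process view) no longer reaches. Returns how many distinct hidden
 * processes were stored in out[], at most maxOut. */
int FindHiddenProcesses(const LIST_ENTRY *waitHead, const LIST_ENTRY *activeHead,
                        const SIM_EPROCESS **out, int maxOut) {
    int found = 0, i;
    const LIST_ENTRY *e;
    for (e = waitHead->Flink; e != waitHead; e = e->Flink) {
        const SIM_KTHREAD *t = CONTAINING_RECORD(e, SIM_KTHREAD, WaitListEntry);
        if (IsInActiveList(activeHead, t->Process)) continue;
        for (i = 0; i < found && out[i] != t->Process; i++) ;   /* report each process once */
        if (i == found && found < maxOut) out[found++] = t->Process;
    }
    return found;
}

/* Per-thread service table check in the spirit of sdt.exe: count threads whose pSDT does not
 * point at the table the detector expects, i.e. threads routed through a modified table. */
int CountThreadsWithForeignSdt(const LIST_ENTRY *waitHead, const void *expectedSdt) {
    int n = 0;
    const LIST_ENTRY *e;
    for (e = waitHead->Flink; e != waitHead; e = e->Flink)
        if (CONTAINING_RECORD(e, SIM_KTHREAD, WaitListEntry)->ServiceTable != expectedSdt) n++;
    return n;
}

/* Constructed scenario, not real system data: three processes with four threads parked on one
 * wait list; then PID 1337 is unlinked from the active list (the hiding the README refers to)
 * and one of its threads is pointed at a foreign service table. */
SIM_EPROCESS g_procs[3];
SIM_KTHREAD  g_threads[4];
LIST_ENTRY   g_activeHead, g_waitHead;
int          g_realSdt, g_hookSdt;    /* only their addresses matter */

void BuildScenario(void) {
    static const unsigned pids[3] = { 4, 1337, 2048 };
    static const int owner[4] = { 0, 1, 1, 2 };   /* thread -> index into g_procs */
    int i;
    InitializeListHead(&g_activeHead);
    InitializeListHead(&g_waitHead);
    for (i = 0; i < 3; i++) {
        g_procs[i].Pid = pids[i];
        InsertTailList(&g_activeHead, &g_procs[i].ActiveProcessLinks);
    }
    for (i = 0; i < 4; i++) {
        g_threads[i].Process = &g_procs[owner[i]];
        g_threads[i].ServiceTable = &g_realSdt;
        InsertTailList(&g_waitHead, &g_threads[i].WaitListEntry);
    }
    RemoveEntryList(&g_procs[1].ActiveProcessLinks);   /* hide PID 1337 from the process list */
    g_threads[2].ServiceTable = &g_hookSdt;            /* one of its threads uses a hooked table */
}

/* Builds the scenario and returns the PID of the single hidden process found (0 if none). */
unsigned FirstHiddenPid(void) {
    const SIM_EPROCESS *hidden[3];
    BuildScenario();
    return FindHiddenProcesses(&g_waitHead, &g_activeHead, hidden, 3) == 1 ? hidden[0]->Pid : 0;
}

int main(void) {
    printf("hidden process: pid %u\n", FirstHiddenPid());
    printf("threads with foreign SDT: %d\n", CountThreadsWithForeignSdt(&g_waitHead, &g_realSdt));
    return 0;
}
```

The point of the cross-view walk is that removing a process from the list enumeration follows does not remove its threads from the dispatcher lists, so a detector that starts from those lists still reaches the process. Against real kernel memory the wait-list head addresses come from debug symbols, as the README says, and the walk must expect lists that are being modified while it runs.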