klister-0.4
Category: System/Network security
Development tool: Visual C++
File size: 112KB
Downloads: 40
Upload date: 2004-07-12 09:22:54
Uploader: Administrator
Description: read the internal kernel data structures, in order to get reliable information about the system state (like a list of all processes, including those "hidden" by rootkits, even by fu)
File list:
klister-0.4 (0, 2004-03-08)
klister-0.4\bin (0, 2004-03-08)
klister-0.4\bin\idt.exe (28672, 2004-03-08)
klister-0.4\bin\klister.exe (28672, 2004-03-08)
klister-0.4\bin\kmodule.sys (4096, 2004-03-08)
klister-0.4\bin\sdt.exe (28672, 2004-03-08)
klister-0.4\bin\w2k_lib.dll (49152, 2001-02-12)
klister-0.4\bin\w2k_load.exe (20480, 2000-08-27)
klister-0.4\idt (0, 2004-03-08)
klister-0.4\idt\idt.dsp (4339, 2003-12-17)
klister-0.4\idt\main.cpp (1507, 2003-12-17)
klister-0.4\klister (0, 2004-03-08)
klister-0.4\klister.dsw (1120, 2003-10-26)
klister-0.4\klister\klister.dsp (4391, 2003-12-17)
klister-0.4\klister\main.cpp (3281, 2004-03-08)
klister-0.4\kmodule (0, 2004-03-08)
klister-0.4\kmodule\.kmodule.c.swp (16384, 2004-02-12)
klister-0.4\kmodule\kmodule.c (10404, 2004-03-08)
klister-0.4\kmodule\kmodule.dsp (4541, 2003-12-17)
klister-0.4\kmodule\kmodule.h (1732, 2004-03-08)
klister-0.4\kmodule\targets.h (880, 2003-12-17)
klister-0.4\kmodule\w2k_def.h (88931, 2000-08-28)
klister-0.4\kmodule\w2k_def_jr.h (88920, 2003-07-07)
klister-0.4\sdt (0, 2004-03-08)
klister-0.4\sdt\main.cpp (4274, 2003-12-17)
klister-0.4\sdt\sdt.dsp (4343, 2003-12-17)
klister-0.4\TODO (465, 2003-12-17)
KLISTER v 0.4
About
------
klister is a simple set of utilities for Windows 2000, designed to
read the internal kernel data structures in order to get reliable
information about the system state, which can be compromised by some
smart rootkits.
It consists of a kernel module and simple command-line programs
which provide the user interface.
Process listing
----------------
In the current version only process listing has been implemented. Klister
uses three internal dispatcher data structures in order to find
running processes:
- KiDispatcherReadyListHead,
- KiWaitInListHead_addr,
- KiWaitOutListHead_addr.
Unfortunately the addresses of these structures are not exported by the
kernel, so you will have to use debug symbols (which can be downloaded
from Microsoft) to get their addresses.
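The reason walking the dispatcher lists defeats DKOM-style hiding (as done by fu) is that a process unlinked from the kernel's process list still owns threads the scheduler must keep track of. The following user-mode simulation, added here as an illustration and not part of klister's own code, models that cross-view check: a simplified process list and a simplified scheduler wait list are built with LIST_ENTRY-style links, one process is unlinked from the process list, and the two views are compared. The PROCESS and THREAD structures, the field names and the PIDs are constructed for this example and are not the real Windows 2000 EPROCESS/KTHREAD layouts.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal doubly-linked list, modelled on the kernel's LIST_ENTRY. */
typedef struct list_entry { struct list_entry *flink, *blink; } LIST_ENTRY;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Hypothetical, simplified process object: only what this example needs. */
typedef struct process {
    LIST_ENTRY  active_links;  /* stands in for the process-list link */
    unsigned    pid;
    const char *name;
} PROCESS;

/* Hypothetical, simplified thread object: a waiting thread and its owner. */
typedef struct thread {
    LIST_ENTRY wait_links;     /* stands in for the dispatcher wait-list link */
    PROCESS   *owner;          /* stands in for the owning-process pointer */
} THREAD;

static void list_init(LIST_ENTRY *head) { head->flink = head->blink = head; }

static void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->flink = head; e->blink = head->blink;
    head->blink->flink = e; head->blink = e;
}

/* Unlink an entry and point it at itself: the DKOM "hide" a rootkit performs. */
static void list_remove(LIST_ENTRY *e) {
    e->blink->flink = e->flink; e->flink->blink = e->blink;
    e->flink = e->blink = e;
}

static int pid_seen(const unsigned *pids, int n, unsigned pid) {
    for (int i = 0; i < n; i++) if (pids[i] == pid) return 1;
    return 0;
}

/* View 1: the process list, which is what ordinary enumeration reports. */
static int pids_from_process_list(const LIST_ENTRY *head, unsigned *out, int max) {
    int n = 0;
    for (LIST_ENTRY *e = head->flink; e != head && n < max; e = e->flink)
        out[n++] = CONTAINING_RECORD(e, PROCESS, active_links)->pid;
    return n;
}

/* View 2: the scheduler's wait list, attributing each thread to its owner.
 * A process whose threads still wait on the dispatcher cannot hide here. */
static int pids_from_wait_list(const LIST_ENTRY *head, unsigned *out, int max) {
    int n = 0;
    for (LIST_ENTRY *e = head->flink; e != head && n < max; e = e->flink) {
        unsigned pid = CONTAINING_RECORD(e, THREAD, wait_links)->owner->pid;
        if (!pid_seen(out, n, pid)) out[n++] = pid;
    }
    return n;
}

/* Cross-view diff: PIDs the scheduler knows about but the process list lacks. */
static int hidden_pids(const unsigned *sched, int ns, const unsigned *plist, int np,
                       unsigned *out, int max) {
    int n = 0;
    for (int i = 0; i < ns && n < max; i++)
        if (!pid_seen(plist, np, sched[i])) out[n++] = sched[i];
    return n;
}

#define MAX_PIDS 16

/* Constructed scenario: three processes with waiting threads, one of which is
 * then unlinked from the process list. Returns the number of hidden PIDs found
 * and writes them into out. */
int demo_detect_hidden(unsigned *out, int max) {
    PROCESS procs[3] = { {{NULL, NULL}, 4, "System"},
                         {{NULL, NULL}, 812, "explorer.exe"},
                         {{NULL, NULL}, 1337, "hidden.exe"} };
    THREAD threads[4] = { {{NULL, NULL}, &procs[0]}, {{NULL, NULL}, &procs[1]},
                          {{NULL, NULL}, &procs[2]}, {{NULL, NULL}, &procs[2]} };
    LIST_ENTRY process_list, wait_list;
    list_init(&process_list); list_init(&wait_list);
    for (int i = 0; i < 3; i++) list_insert_tail(&process_list, &procs[i].active_links);
    for (int i = 0; i < 4; i++) list_insert_tail(&wait_list, &threads[i].wait_links);

    /* DKOM hide: procs[2] leaves the process list, but its threads still wait. */
    list_remove(&procs[2].active_links);

    unsigned from_plist[MAX_PIDS], from_sched[MAX_PIDS];
    int np = pids_from_process_list(&process_list, from_plist, MAX_PIDS);
    int ns = pids_from_wait_list(&wait_list, from_sched, MAX_PIDS);
    return hidden_pids(from_sched, ns, from_plist, np, out, max);
}

int main(void) {
    unsigned hidden[MAX_PIDS];
    int n = demo_detect_hidden(hidden, MAX_PIDS);
    for (int i = 0; i < n; i++) printf("hidden pid: %u\n", hidden[i]);
    return 0;
}
```

The real tool does the same comparison from kernel mode against the three dispatcher list heads named above, which is why their addresses must come from debug symbols; the check is only as good as the scheduler view being complete, so a process whose every thread is currently running (rather than ready or waiting) has to be caught through KiDispatcherReadyListHead or a per-CPU current-thread pointer instead.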
SDT listing
------------
The sdt.exe utility can be used to obtain the real address of the Service
Table which is used by all threads running in the system (by examining
the pSDT field in each KTHREAD structure). It also dumps its contents, so
you can catch every simple rootkit that hooks that table.
IDT listing
------------
idt.exe just dumps the contents of the IDT (pointed to by the IDTR
register).
Usage
------
You will have to use a third-party utility program to load klister's
kernel module (kmodule.sys) into the kernel. You can use Schreiber's
program w2k_load, for example, which is attached in the file
w2k_internals.zip:
w2k_load kmodule.sys
This is a proof-of-concept code, and no warranty is given.
Use at your own risk.
Currently only Windows 2000 is supported!
Credits
--------
-> fuzzen_op, for writing the fu rootkit, which inspired me
to develop this tool ;)
-> Greg, for pioneering work on Windows rootkits and for rootkit.com.
-> Sven Schreiber, for a really good book about Windows internals
(and useful tools :))
-> Microsoft, for writing Windows ;)
Author
-------
Joanna Rutkowska
joanna at mailsnare dot net