I've recently finished a beta of a new security tool that I've been working on as a hobby in my spare time. I just made it public within the last 24 hrs. and would appreciate any feedback. I figure that Madshi's forum would be a more appropriate place to post this since some members here are knowledgeable about Windows internals and are interested in security. The tool is called kX-Ray and it's an anti-rootkit tool that offers similar features comparable to some of IceSword and RKU's functionality.
kX-Ray is 100% clean and not malware. It is not packed or encrypted, installs no usermode or kernel mode hooks and uses no code injection whatsoever. The only alert that you may receive from AV software is it extracts 2 drivers from the executable. One is the core driver and the other is used to enumerate usermode windows message hooks.
Please submit any feedback to Brock (Bindshell<at>gmail<dot>com) or join my forum located at http://forum.ytkpro.com and post under the "kX-Ray" section. You're also welcome to provide feedback here under this thread if Madshi permits this.
Supported Operating Systems:
Windows 2000 / Windows XP / Windows 2003
Service Pack Independent (requires none at all)
See screenshots here.
I released another small update a few days ago. Please see release notes below (This "special" build runs on Windows XP 32-bit only).
Download kX-Ray_v184.108.40.206_XP32_beta.zipkX-Ray_v220.127.116.11_XP32_beta (Windows XP 32-bit Operation Only!)
Older kXRay.exe and KMD.sys files are NOT compatible with this build!
This *public* build still does not have hidden driver detection methods implemented yet.
My private alpha driver is in testing that implements some of this. Please do not email me asking stupid questions as to why hidden drivers are not listed under "Kernel Modules"
-Force Kill Process by EPROCESS
(*The latter 2 process termination options both used only PID and this can be zero in some cases*)
-All Force Kill Process options updated to work with Windows XP Service Pack 3 Final
-File System Inspection
(*Basic file/folder browsing of Windows drive.
Will list hidden files/folders by some rootkits including hxdef (Hacker Defender),
Vanquish, HE4HOOK etc.*)
(*Right click popup menu included in File System area. Requires Windows to be rebooted once file is marked for deletion*)
-Improved Hidden Process Detection
(*Detection of newer rootkit process hiding methods such as DKOM which
FUto Enhanced uses to manipulate the PspCidTable and unlink a process.
phide_ex method is also detected*)
-String to Integer type access violation fixed in Shadow SDT