New Security Tool Released

just write whatever you want
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

New Security Tool Released

Post by iconic »

Hello,
I've recently finished a beta of a new security tool that I've been working on as a hobby in my spare time. I just made it public within the last 24 hrs. and would appreciate any feedback. I figure that Madshi's forum would be a more appropriate place to post this since some members here are knowledgeable about Windows internals and are interested in security. The tool is called kX-Ray and it's an anti-rootkit tool that offers similar features comparable to some of IceSword and RKU's functionality.

kX-Ray is 100% clean and not malware. It is not packed or encrypted, installs no usermode or kernel mode hooks and uses no code injection whatsoever. The only alert that you may receive from AV software is it extracts 2 drivers from the executable. One is the core driver and the other is used to enumerate usermode windows message hooks.

Please submit any feedback to Brock (Bindshell<at>gmail<dot>com) or join my forum located at http://forum.ytkpro.com and post under the "kX-Ray" section. You're also welcome to provide feedback here under this thread if Madshi permits this.

Supported Operating Systems:
Windows 2000 / Windows XP / Windows 2003
Service Pack Independent (requires none at all)

Download kX-Ray.

See screenshots here.

[Edit]
I released another small update a few days ago. Please see release notes below (This "special" build runs on Windows XP 32-bit only).
kX-Ray_v1.0.0.54_XP32_beta (Windows XP 32-bit Operation Only!)

Important Note:
===============
Older kXRay.exe and KMD.sys files are NOT compatible with this build!

This *public* build still does not have hidden driver detection methods implemented yet.
My private alpha driver is in testing that implements some of this. Please do not email me asking stupid questions as to why hidden drivers are not listed under "Kernel Modules"


Additions:
==========
-Force Kill Process by EPROCESS
(*The latter 2 process termination options both used only PID and this can be zero in some cases*)

-All Force Kill Process options updated to work with Windows XP Service Pack 3 Final

-File System Inspection
(*Basic file/folder browsing of Windows drive.
Will list hidden files/folders by some rootkits including hxdef (Hacker Defender),
Vanquish, HE4HOOK etc.*)

-File Deletion
(*Right click popup menu included in File System area. Requires Windows to be rebooted once file is marked for deletion*)

-Improved Hidden Process Detection
(*Detection of newer rootkit process hiding methods such as DKOM which
FUto Enhanced uses to manipulate the PspCidTable and unlink a process.
phide_ex method is also detected*)


Bug Fixes:
==========
-String to Integer type access violation fixed in Shadow SDT
Download kX-Ray_v1.0.0.54_XP32_beta.zip

--Iconic
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

if Madshi permits this
Of course I do! I absolutely support any kind of (useful and well working) security software... :)
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

Post by iconic »

:D Thanks!
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

kX-Ray v1.0 Build 68 (32-bit XP-Only Build) Available

Post by iconic »

Release Notes:
-Experimental SYSENTER/INT 2Eh unhooking now supported for uniprocessors only. Exclusive to kX-Ray? I've never seen it done by any other tool.

-Process module unloading is now supported (Click "Hidden Modules" on a specific process and then right click a module to see this option). It doesn't matter if a module is statically or dynamically linked, kX-Ray can now free it regardless of how it was loaded as long as a valid PE header is still intact. Being able to free an in-use module has its advantages since the loaded module can then be deleted from hard disk even while it's still in use by a given process without the need to terminate the process.

***Note***: If you're unloading a module solely to delete it from hard disk without needing to terminate any processes or reboot you must unload the given module from ALL processes which have loaded the same module in order to delete it from hard disk. It's best to use kX-Ray's "Delete File" option under "File System" in order to guarantee deletion of files however, which will take effect after a system reboot.

-Check Hidden DLLs
kX-Ray now lists all loaded process modules from kernel mode, this allows it to detect any hidden module that exists on hard disk and was loaded in a conventional manner (i.e> LoadLibrary), not unconventional such as loaded and executed directly from memory by own PE loader (i.e> Darawk's ManualMap). Modules which have their PE headers destroyed (common practice for malware or game cheat authors), filenames zeroed out in memory (address of filename in the PEB) and PEB entries (linked lists) completely unlinked (i.e> Darawk's CloakDLL method) will still be detected by kX-Ray. I've yet to see any anti-rootkit tool be able to undoubtedly list all hidden modules when the above criteria is in place. RKU and IceSword does not offer this ability. RootRepeal offers some ability to discover hidden modules in memory (Stealth Objects) but fails to detect modules hidden by PEB list entry unlinking or destruction.

***Note***: kX-Ray does internally possess the ability to detect completely stealth DLL injection methods such as "reflective DLL injection" as well (the file is loaded and executed directly in memory without using Windows PE loader) but you will not be able to determine a filename, only a base address and module size can be determined so this is why it has not been included. Perhaps I will offer this in a future build to show any suspicious memory regions which contain loaded images, I felt that it's too much investigation on the user's behalf and kX-Ray's main goal is to show definitive suspicious activity.

-kX-Ray now detects Windows shell crashes (explorer.exe) and will redraw its system tray icon as needed.

-Main window is now displayed upon starting the program unlike past builds which hid the window to the system tray.

-Fixed a small bug in hidden process detection involving short filename to long filename comparison

-An option to remove AppInit_DLL entries from the registry was added

-Other small miscellaneous bug fixes
Download kX-Ray v1.0.0.68 (XP-Only Build):
http://bugczech.fu8.com/bin/kX-Ray_v1.0 ... 2_beta.zip

--Iconic
linden
Posts: 36
Joined: Tue Mar 08, 2005 9:17 am
Location: Japan

Post by linden »

hi, just played around with KX-Ray! Cool tool :D
But are you sure that the ring0 hook detection is working?
I have about 50 kernel inline hooks installed, but none of them were detected... :wink:
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

Post by iconic »

Hi Linden,

Unless I broke something it should definitely be working ;) Ring0 hooks scan all kernel exports + some unexported functions, you can see pics here of this http://geocities.com/d1v1n3_1nt3rv3nti0 ... _hooks.PNG

What's installing the API hooks in kernel land for you? Maybe I will see if I did goof up something last minute prior to releasing. You might also check your logging area in kX-Ray and make sure that it was able to build its own internal API table.

--Iconic
linden
Posts: 36
Joined: Tue Mar 08, 2005 9:17 am
Location: Japan

Post by linden »

Hi iconic,

KX-Ray didn't seem to log any errors...
I've many kernel land hooks that overwrite the first few bytes of the target functions...but they are not E9 or FF25 jumps. Maybe KX-Ray only detect orthodox hooks that uses commonly used jump instructions instead of comparing against file image byte for byte?
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

Post by iconic »

Linden,
Maybe KX-Ray only detect orthodox hooks
Ahh yes, I assumed these were not unorthodox hooks. Perhaps you are speaking of short jumps *i.e> opcode 0xEB? My private version does detect these, my latest build of PErvert (usermode only hook detection) also checks for these types of hooks. Currently, if the hook isn't 0xE9, 0x25FF or 0x68 <Offs32> 0xC3 then the API isn't further inspected. This has changed a bit in my private copy where the APIs prologue is fully disassembled and compared against disk image. The current build 68 doesn't compare memory to file image until the prologue contains the jumps I mentioned. I intend on releasing another build this week, one which extended both usermode and kernel mode hook scanning.

--Iconic
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

kX-Ray v1.0 Build 74 (32-bit XP-Only Build) Available

Post by iconic »

kX-Ray v1.0 Build 74 (32-bit XP-Only Build) Release Notes
-Ring3 API Scanning now scans all exported APIs from all loaded modules (not just user32, ntdll and kernel32 modules with past kX-Ray builds) system-wide for common inline API hooks as well as EAT (Export Address Table) hooks. IAT scanning will be available in the next public build as it's currently being tweaked and isn't ready for release to date.
-Hidden Modules detection bug fixed and stability improved from build 68
-IDT hooks are now listed in black like other suspicious system activity observed by kX-Ray

|3 /^ () ( |<
Download kX-Ray v1.0.0.74 (32-bit XP-Only Build)

--Iconic
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

kX-Ray v1.0.0.80 Public 32-bit XP-Only Build Released

Post by iconic »

kX-Ray v1.0 Build 80 (32-bit XP-Only Build) Release Notes
kX-Ray v1.0.0.80 Public 32-bit XP-Only Build
=============================

-Ring3 API Hooks was extended to support IAT (Import Address Table) hook detection
-Fixed a minor bug involving Ring3 API hook engine
-Other touch-ups throughout various areas

|3 /^ () ( |<
Download kX-Ray v1.0.0.80 (32-bit XP-Only Build)


--Iconic
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

kX-Ray v1.0.0.82 Public 32-bit XP-Only Build Released

Post by iconic »

kX-Ray v1.0.0.82 32-bit (XP-Only) Build
==========================

-Inline IDT hook detection support added
-Inline System Service Descriptor Table Shadow hook detection support added
-Fixed Shadow SDT "Properties" right-click menu

Note:
Past public builds of kX-Ray only checked for 4 byte pointer replacements (direct address modification hooks) in the IDT
and SSDT Shadow.
Download kX-Ray v1.0.0.82 (32-bit XP-Only Build)

--Iconic
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

kX-Ray v1.0 build 90 32-bit XP-Only Available

Post by iconic »

kX-Ray v1.0 build 90 32-bit XP-Only Beta
==========================

-Fixed a resource leak involving displayed processes under "Active Processes"
-Added PEB analyzer/viewer under "Active Processes" right-click menu with file saving option
-Updated program icon and added icon to kX-Ray's systray menu
-Added status bar to "Hidden Modules" window which reflects loaded module and hidden module counts respectively
-File signature verification support added to drivers, active processes and hidden module areas
Download:
http://bugczech.fu8.com/bin/kX-Ray_v1.0 ... 2_beta.zip


--Iconic
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

kX-Ray v1.0 build 96 32-bit XP-Only Available

Post by iconic »

kX-Ray v1.0 build 96 32-bit XP-Only Beta
==========================

-Improved overall stability of Ring3 API Hook scanning especially if other security programs are running concurrently.
Download:
http://bugczech.fu8.com/bin/kX-Ray_v1.0 ... 2_beta.zip


--Iconic
aiwnjoo
Posts: 52
Joined: Tue Mar 06, 2007 1:06 pm

Post by aiwnjoo »

Could this pick up a shadow hook driver?
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

Post by iconic »

Drivers that implement Service Descriptor Table Shadow hooks? Yes, along with virtually any other type of hook.

--Iconic
Post Reply