New Security Tool Released

aiwnjoo
Posts: 52
Joined: Tue Mar 06, 2007 1:06 pm

Post by aiwnjoo »

Weird, it found my proxy hook, but not the actual hook that was streamed. This tool helps me out a lot.
jonny_valentine
Posts: 109
Joined: Thu Dec 30, 2004 9:59 pm
Location: UK

Post by jonny_valentine »

Iconic... amazing tool, very impressed :)
iconic
Site Admin
Posts: 975
Joined: Wed Jun 08, 2005 5:08 am

Post by iconic »

Thanks,

I only plan to make it much better and more accurate in detections. Thanks for the positive feedback.

--Iconic
aiwnjoo
Posts: 52
Joined: Tue Mar 06, 2007 1:06 pm

Post by aiwnjoo »

Much more effective than DBS's new tool, update from HookShark, forget the name now.

He mainly released that tool to help detect loaded modules, also with options to erase ldr entry for specific usage, but with the new tool (DebugHook, I think) it has many more options and routines.

I hope you continue to update and improve this tool, cheers!

EDIT: Actually it did recognise trace of my driver :(
iconic
Site Admin
Posts: 975
Joined: Wed Jun 08, 2005 5:08 am

Post by iconic »

aiwnjoo,

Even modules with zeroed-out PE headers and ldr entries can still be detected by kX-Ray (module base, size and module name). Once the DLL is completely erased from the PEB, kX-Ray resolves the filename through undocumented kernel mode techniques. This is exactly what kX-Ray does if you hide a module. Click the process under "Active Processes" where the hidden module resides and then right-click the process and click "Hidden Modules" in the popup menu. Any hidden module will be listed in black.

--Iconic
iconic
Site Admin
Posts: 975
Joined: Wed Jun 08, 2005 5:08 am

kX-Ray v1.0 build 98 32-bit XP-Only Available

Post by iconic »

kX-Ray v1.0 build 98 beta
=========================

-Ring-3 Api Hooks Scanning Improved
-Moderate Code Optimizations

|3 /^ () ( |<
Download:
http://bugczech.fu8.com/bin/kX-Ray_v1.0 ... 2_beta.zip

--Iconic
aiwnjoo
Posts: 52
Joined: Tue Mar 06, 2007 1:06 pm

Post by aiwnjoo »

Do you have email access, as I can't PM you?
iconic
Site Admin
Posts: 975
Joined: Wed Jun 08, 2005 5:08 am

Post by iconic »

bindshell <at> gmail <dot> com