-
-
[原创]Antirootkit: CodeWalker
-
发表于: 2008-12-12 15:02
-
Hi,
Hi all,
I've developed an antirootkit tool called CodeWalker which can:
+ Detect hidden processes
+ Detect hidden drivers
+ Detect hidden files (support NTFS only)
+ Detect hooks in both kernel mode and usermode.
+ Works on Windows English 2000/XP/2003/Vista/2008.
The tool is currently in beta stage and im looking for people for testing it. I've already tested it with all rootkits samples I have and its detection rate seems optimistic. I think it's very great if you guys test it against your rootkit zoo and provide the result you got with the tool. If there's BSOD (of cos, you can never write a bug free proggie, rite? :P), it would be very appreciated of you to upload minidumps to help me correct the tool. Thanks in advance.
I will update this tool frequently for new detection methods, bug fixs etc. Welcome for your all suggestions, bugs and minidumps :P
In this beta version, the main improves to other ark is heavily put in hidden driver object (System Modules tab) and code hooking detection.
For hidden driver detection, you can test it with some pretty well hidden driver PoC such as phide_ex and many builds of Rustock.B variants. Although you have to use the "Hardcore Scan" method to detect them.
For code hooking detection, the engine walks all the branches of scanned module i.e any execution path of it to detect modification (btw, that's why i call it CodeWalker). IMHO, It can detect code hooking very well especially with rootkits that place abnormal hooks like Rustock.C (FF25 & FF15 - jmp/call dword ptr [abc]) tho there're still some problems with false-positive hooks/modifications.
Here's the link:
http://cmcinfosec.com/download/cmcark_codewalker.0.2.2.9.12.rar
Please send your feedbacks to npson a.t cmcinfosec.com
Hi all,
I've developed an antirootkit tool called CodeWalker which can:
+ Detect hidden processes
+ Detect hidden drivers
+ Detect hidden files (support NTFS only)
+ Detect hooks in both kernel mode and usermode.
+ Works on Windows English 2000/XP/2003/Vista/2008.
The tool is currently in beta stage and im looking for people for testing it. I've already tested it with all rootkits samples I have and its detection rate seems optimistic. I think it's very great if you guys test it against your rootkit zoo and provide the result you got with the tool. If there's BSOD (of cos, you can never write a bug free proggie, rite? :P), it would be very appreciated of you to upload minidumps to help me correct the tool. Thanks in advance.
I will update this tool frequently for new detection methods, bug fixs etc. Welcome for your all suggestions, bugs and minidumps :P
In this beta version, the main improves to other ark is heavily put in hidden driver object (System Modules tab) and code hooking detection.
For hidden driver detection, you can test it with some pretty well hidden driver PoC such as phide_ex and many builds of Rustock.B variants. Although you have to use the "Hardcore Scan" method to detect them.
For code hooking detection, the engine walks all the branches of scanned module i.e any execution path of it to detect modification (btw, that's why i call it CodeWalker). IMHO, It can detect code hooking very well especially with rootkits that place abnormal hooks like Rustock.C (FF25 & FF15 - jmp/call dword ptr [abc]) tho there're still some problems with false-positive hooks/modifications.
Here's the link:
http://cmcinfosec.com/download/cmcark_codewalker.0.2.2.9.12.rar
Please send your feedbacks to npson a.t cmcinfosec.com
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
good job! but I found some problems with your program
1. when I want to skip Scanning Hidden file. I pushed down on the "skip" Button, but It dose not work. 2. your code HOOK scan module is so weak that It can not detect my inline hook. I think you just scan functions that are exported by ntoskrnl/ntkrnlpa...,but there are still many undocumneted APIs you had missed. here is the result:   3. "Hidden Module",is also not strong enough, My virus proc bypass it easily. 4. "Process Module", can't kill my protected EXE. DKOM+inline... 5. other.... 
|
|
|
I am wondering if your proc is worthiness to reserve.
|
|
|
|
|
|
|
|
|
Chinese English . sorry for may poor English.
I haven't study it for more than two years... 
|
|
|
 wow, if codewalker even cannot bypass sudami's rootkit , it also can not deal with my tophet
|
|
|
算了算了,欺负老外不厚道啊~
|
|
|
Hi sudami:
No, i scan all functions in ntoskrnl and other modules, not only exported symbols e.g it can regconize hooks in wanarp.sys placed by rustock. It's weird, maybe something wrong in results processing here. Ill upload a fixed version soon. Maybe because I've modified something to reduce false-positive results.  3. "Hidden Module",is also not strong enough, My virus proc bypass it easily. At the moment, its limited to hidden standalone rootkit driver only, but not virus :) You can test it with any hidden driver too, with "Hardcore scan" method. By the way, can u give me your process which my tool cant delete ? Have you tried "Corrupt memory" kill method ? PS: This is the same result i posted a long time ago: http://reaonline.net/showthread.php?t=7455 |
|
|
|
|
|
*** Fatal System Error: 0x00000050
(0xF79E6998,0x00000000,0xF52796D8,0x00000003) Driver at fault: *** cmcantirootkit.sys - Address F52796D8 base at F526E000, DateStamp 4925140b . Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE Loading Kernel Symbols
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
but my hook in tophet will not modify any of execution image and any of function pointer(do you forgot the IAT/EAT?)
|
|
|
I tested your Program on VMWARE, and I forgot to set the Computer Model to "Minidump Module", so there isn't any dumps.
but, your hook for KiFastCallEntry cause the SYSTEM to crash...
|
|
|
楼上的欺负人 俺不懂洋码码...
|
|
|
@sudami:
Hi, what a pity, i really love minidumps, each minidump help me fix a bug :( CodeWalker doesnt hook anything, so KiFastCallEntry is not the reason. Could you please reproduce the bug and send me the minidump ? And, for the hook u mention, CodeWalker can detect really fine here. For a quick test, i modify the hook like you post on-the-fly by WinDbg. You can retest the tool in the link in my 1st post: The test: Original: kd> u nt!MmLoadSystemImage+0x22 nt!MmLoadSystemImage+0x22: 8059fb9b 8975b8 mov dword ptr [ebp-48h],esi 8059fb9e 89b564ffffff mov dword ptr [ebp-9Ch],esi 8059fba4 830d042d558001 or dword ptr [nt!MiFirstDriverLoadEver (80552d04)],1 8059fbab 684d6d4c6e push 6E4C6D4Dh 8059fbb0 6800010000 push 100h 8059fbb5 56 push esi 8059fbb6 e889aefaff call nt!ExAllocatePoolWithTag (8054aa44) Patch by WinDbg: kd> ed 8059fbb7 773a6448 kd> eb f7946003 68 kd> ed f7946004 8054aa44 kd> eb f7946008 c3 Modified (like sudami's): kd> u nt!MmLoadSystemImage+0x22 nt!MmLoadSystemImage+0x22: 8059fb9b 8975b8 mov dword ptr [ebp-48h],esi 8059fb9e 89b564ffffff mov dword ptr [ebp-9Ch],esi 8059fba4 830d042d558001 or dword ptr [nt!MiFirstDriverLoadEver (80552d04)],1 8059fbab 684d6d4c6e push 6E4C6D4Dh 8059fbb0 6800010000 push 100h 8059fbb5 56 push esi 8059fbb6 e848643a77 call f7946003 8059fbbb 8945a0 mov dword ptr [ebp-60h],eax kd> u f7946003 l4 f7946003 6844aa5480 push offset nt!ExAllocatePoolWithTag (8054aa44) f7946008 c3 ret And here's the result:  Anyway, I'll recheck the code again and again to make sure it works like design purpose. |
