
Rootkit Detection


IOCTL Fuzzer v1.2 Download ~ THN : The Hacker News

"IOCTL Fuzzer is a tool designed to automate the task of searching for vulnerabilities in Windows kernel drivers by performing fuzz tests on them. The fuzzer's own driver hooks NtDeviceIoControlFile in order to take control of all IOCTL requests throughout the system. While processing IOCTLs, the fuzzer will spoof those IOCTLs conforming to conditions specified in the configuration file. A spoofed IOCTL is identical to the original in all respects except the input data, which is changed to randomly generated fuzz."

Features and support added in IOCTL Fuzzer version 1.2:

- Windows 7 support
- Full support of 64-bit versions of Windows
- Exceptions monitoring
- "Fair Fuzzing" feature
- Different data generation modes
- Boot fuzzing (during OS initialization)

Download IOCTL Fuzzer v1.2 (ioctl_fuzzer-1.2.zip) here.

RKAnalyzer - kernel level rootkit analyzer ! ~ THN : The Hacker News

RKAnalyzer is a kernel-level rootkit analyzer and defender that uses hardware virtualization techniques. It is based on the BitVisor project (a VMM developed by Tsukuba University and open-sourced under the BSD License). It tries to monitor the actions of kernel-level rootkits and log them. What distinguishes RKAnalyzer from traditional detection software (e.g. Rootkit Revealer, IceSword) is that RKAnalyzer actively intercepts rootkit actions rather than reacting to a rootkit after the system is already infected. RKAnalyzer also supports an analysis mode, which differs from defend mode by presenting a much more transparent environment, in which the rootkit would consider itself to be running without being monitored.

How to Use:

GMER - Automating Rootkit Analyzer Released ~ THN : The Hacker News

The Strider GhostBuster Project

Strider GhostBuster detects API-hiding rootkits by doing a comparison between "the truth" and "the lie". It is not based on a known-bad signature, and it does not rely on a known-good state. It targets the fundamental weakness of hiding rootkits, and turns the hiding behavior into its own detection mechanism. Bruce Schneier called it "Simple. Clever." In practice, there are three versions of Strider GhostBuster: it detects hidden files and Registry entries by comparing an inside-the-box infected scan with an outside-the-box clean scan (of the same infected drive) from a WinPE CD boot.

See our July 2004 tech report "Strider GhostBuster: Why It's A Bad Idea For Stealth Software To Hide Files" for a quick introduction. See our December 2004 submission to DSN'05 "Detecting Stealth Software with Strider GhostBuster" for more details. Read Bruce Schneier's comments on Strider GhostBuster. Read the Slashdot posting on Feb. 18, 2005.

RootRepeal – Rootkit Detector v1.3.5 Download Now ~ THN : The Hacker News

RootRepeal is a new rootkit detector currently in public beta. It is designed with the following goals in mind:

- Easy to use – a user with little to no computer experience should be able to use it.
- Powerful – it should be able to detect all publicly available rootkits.
- Stable – it should work on as many different system configurations as possible, and, in the event of an incompatibility, not crash the host computer.
- Safe – it will not use any rootkit-like techniques (hooking, etc.) to protect itself.

RootRepeal's scans:

- Scans the system for kernel-mode drivers.
- Scans any fixed drive on the system for hidden, locked or falsified files.
- Scans the system for processes.
- Shows whether any of the functions in the System Service Descriptor Table (SSDT) are hooked.
- Attempts to determine if any rootkits are active by looking for typical symptoms.
- Scans for hidden system services.
- Counterpart to the SSDT Scan, but deals mostly with graphics and window-related functions.