TDSSKiller v3.1.0.28
TDSSKiller is a free tool for fighting rootkits and bootkits. You can run the tool in regular mode, in Safe Mode or in silent mode.
The TDSSKiller tool is designed to detect and remove malware from the Rootkit.Win32.TDSS family, as well as bootkits and rootkits. These include the following malicious applications:
• Backdoor.Win32.Phanta.a,b
• Backdoor.Win32.Sinowal.knf,kmy
• Backdoor.Win32.Trup.a,b
• Rootkit.Boot.Mebusta.a
• Rootkit.Boot.Backboot.c
• Rootkit.Boot.Aeon.a
• Rootkit.Boot.Adrasteia.a
• Rootkit.Boot.Backboot.a
• Rootkit.Boot.Batan.a
• Rootkit.Boot.Bootkor.a
• Rootkit.Boot.Clones.a
• Rootkit.Boot.CPD.a,b
• Rootkit.Boot.Fisp.a
• Rootkit.Boot.Geth.a
• Rootkit.Boot.Goodkit.a
• Rootkit.Boot.Harbinger.a
• Rootkit.Boot.Krogan.a
• Rootkit.Boot.Lapka.a
• Rootkit.Boot.MyBios.b
• Rootkit.Boot.Nimnul.a
• Rootkit.Boot.Nix.a
• Rootkit.Boot.Pihar.a,b,c
• Rootkit.Boot.Plite.a
• Rootkit.Boot.Prothean.a
• Rootkit.Boot.Qvod.a
• Rootkit.Boot.Sawlam.a
• Rootkit.Boot.Smitnyl.a
• Rootkit.Boot.SST.a,b
• Rootkit.Boot.SST.b
• Rootkit.Boot.Wistler.a
• Rootkit.Boot.Xpaj.a
• Rootkit.Boot.Yurn.a
• Rootkit.Win32.PMax.gen
• Rootkit.Win32.Stoned.d
• Rootkit.Win32.TDSS
• Rootkit.Win32.TDSS.mbr
• Rootkit.Win32.ZAccess.aml,c,e,f,g,h,i,j,k
• Trojan-Clicker.Win32.Wistler.a,b,c
• Trojan-Dropper.Boot.Niwa.a
• Trojan-Ransom.Boot.Mbro.d,e
• Trojan-Ransom.Boot.Mbro.f
• Trojan-Ransom.Boot.Siob.a
• Trojan-Spy.Win32.ZBot
• Virus.Win32.Cmoser.a
• Virus.Win32.Rloader.a
• Virus.Win32.TDSS.a,b,c,d,e
• Virus.Win32.Volus.a
• Virus.Win32.ZAccess.k
• Virus.Win32.Zhaba.a,b,c
TDSSKiller Version 3.1.0.28 Updated 10.04.2019
Download: https://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.zip
Download: https://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe
Homepage: https://support.kaspersky.com/utility#TDSSKiller
Homepage: https://usa.kaspersky.com/content/custom/global/tdsskiller/tdsskiller.html
Download: TDSSKiller v3.1.0.28
Avast! Antirootkit v0.9.6
This free and portable anti-rootkit tool by avast! is outdated and has not been maintained since 2008, because it was integrated into their antivirus program, but it can still be downloaded directly from their server. avast! ANTIROOTKIT uses rootkit detection technology based on GMER.
- Avast!'s GMER technology gets the top score in rootkit detection tests
Homepage: http://forum.avast.com/index.php?topic=33753.0
Download: http://files.avast.com/files/beta/aswar.exe
Download: Avast! Antirootkit v0.9.6
aswMBR v1.0.1.2290
aswMBR is a rootkit scanner that scans for MBR/VBR/SRV rootkits. It can detect TDL4/3 (Alureon), ZAccess, MBRoot (Sinowal), Whistler, SST, Cidox, Pihar and other malware.
The current version of aswMBR uses "Virtualization Technology" to improve detection of stealth malware. Please note that to use this feature your machine and CPU must support hardware virtualization.
Homepage: http://public.avast.com/~gmerek/aswMBR.htm
Download: http://public.avast.com/~gmerek/aswMBR.exe
Download: aswMBR v1.0.1.2252
Download: aswMBR v1.0.1.2290
IceSword v1.22 (only WinXP)
Small features added:
1. Module search in the Process tab (Find Modules)
2. Search in the Registry tab (Find, Find Next)
3. Search in the File tab: ADS enumeration (with or without subdirectories) and ordinary file search (Find Files)
The above were the most requested and do help in finding malware.
4. Deletion in the BHO tab, restoring in the SSDT tab (Restore)
This one is a take-it-or-leave-it item; it could have been added or not.
5. Advanced Scan: the Scan Module in the third step is provided for some advanced users. Ordinary users should not restore entries casually, and in particular should not restore entries whose first item shows "-----", because those are modifications made either by the operating system itself or by IceSword; restoring them will crash the system or stop IceSword from working properly.
The earliest IceSword also restored some malicious inline hooks in the kernel executive and file system on its own, without prompting the user; now I think letting advanced users analyze them themselves, as SVV does, may be more helpful. Also, some entries are duplicated (IAT hook and inline modified hook); I was lazy and did not check for that, but restoring them twice does no real harm. And do not do anything else while scanning; please wait patiently.
Some friends suggested doing more analysis on the results found, to work out what the modified code means. That would certainly be nice, but getting a perfect result is tedious work (for example, I can jump with one instruction, or do the same job with ten or more redundant instructions), and there is no time to polish it right now, so only JMP/PUSH+RET patterns are recognized. A suggested optional alternative for advanced users: note the modified address and use the "Disassemble" function under "Memory Read/Write" in the Process tab, and analyze it by hand for now.
6. Hide signed items (View->Hide Signed Items). When selected in the menu it affects four tabs: Process, Module listing, Driver and Service. Note that after selecting it, refreshing those four tabs becomes very slow; be patient. While it runs, system functions will connect to the outside on their own to fetch some information (for example, fetching the certificate revocation list from crl.microsoft.com); generally this can be blocked with a firewall, so do not be surprised to see IS making connections after enabling it. That is M$'s doing.
7. The rest is strengthening of internal core functionality; there are quite a lot of small bits and pieces, which I will not detail. When using it, please check View->Init State; anything that is not "OK" means initialization did not complete, so please report it.
Homepage: http://pjf.blogcn.com/index.shtml
Chinese version: http://pjf.blogcn.com/diary,9956289.shtml
English version: http://pjf.blogcn.com/diary,8435946.shtml
Download: IceSword v1.22
DarkSpy Anti-Rootkit v1.0.5 (only WinXP)
DarkSpy Anti-Rootkit is a powerful tool for rootkit detection. DarkSpy is a multiway-based detection tool; it internally combines many effective detection techniques, including DarkSpy's own handlers and also methods used by other famous tools.
DarkSpy 1.0.5 new features:
- Enhanced Process/Driver Module detection.
- Fixed some problems working with other security software (Kaspersky, etc.).
- Enhanced process force terminate functionality.
- Start to support multi-cpu and hyperthread.
- Registry functionality added.
- Help document added.
Use it at your own risk.
Homepage: http://cardmagic.bokee.com/
Homepage: http://www.fyyre.net/~cardmagic/
Homepage: http://www.fyyre.net/~cardmagic/index_en.html
~Crashes on my Windows XP system.
Download: DarkSpy Anti-Rootkit v1.0.5
System Explorer v7.0.0.5356
System Explorer is free, award-winning software for exploration and management of system internals. This small program includes many useful tools which help you keep your system under control. With System Explorer you also get fast access to a File Database which helps you to identify unwanted processes or threats.
Main Features:
• Detailed information about Tasks, Processes, Modules, Startups, IE Addons, Uninstallers, Windows, Services, Drivers, Connections and Opened Files.
• Easy check of suspicious files via File Database or the VirusTotal service.
• Easy monitoring of processes activities and System changes.
• Usage graphs of important System resources.
• Tray Hint with detailed System and Battery status.
• WMI Browser and System Additional Info
• Multilanguage Support
Licensing & Requirements:
SystemExplorer is FREE for personal and commercial use!
Homepage: http://systemexplorer.mistergroup.org
Homepage: https://systemexplorer.net
Download: System Explorer v7.0.0.5356 / PAF
Download: System Explorer v7.1.0.5359 / PAF
Rootkit Unhooker v3.8.389.593 SR 2 (only x86)
Rootkit Unhooker is an advanced rootkit detection utility.
Rootkit Unhooker features:
- Service Descriptor Table Hooks Detection and Restoring
- Ultimate Processes Detection/Dumping
- Ultimate Drivers Detection
- Hidden Processes Termination
- System Call hook Detection and Unhooking
- Code Hooks Detection and Unhooking
- Hidden Files Detection
- Drivers Dumping
- Report generation
Supported operating systems:
- x86 32 bit Windows 2000 SP4
- x86 32 bit Windows XP +SP1, SP2
- x86 32 bit Windows 2003 +SP1
Note: RkU requires Administrator rights to launch and work.
Homepage: http://rkunhooker1.narod.ru/ / http://rku.xell.ru/?l=e&a=main
Download: Rootkit Unhooker v3.8.388.590 SR 2
Download: Rootkit Unhooker v3.8.389.592 SR 2
Download: Rootkit Unhooker v3.8.389.593 SR 2
NoVirusThanks Anti-Rootkit v1.2 (only x86)
NoVirusThanks Anti-Rootkit is a sophisticated low-level system analysis tool whose main goal is to detect the presence of malware and rootkits. Hidden processes, hidden drivers, stealth DLL modules, code hooks, etc. are just a few of the objects which can be detected in user space and system memory. This tool is a must-have for anyone seeking true 32-bit Windows NT kernel security and system threat analysis. The vast detection range of industry-standard rootkits is truly amazing, especially without compromising system stability.
For Windows XP, Vista, 7, 8, 10 (32-bit ONLY)
Homepage: https://www.novirusthanks.org/products/anti-rootkit/
Download: NoVirusThanks Anti-Rootkit v1.2
GMER v2.2.19882
GMER is an application that detects and removes rootkits.
It scans for:
- hidden processes
- hidden threads
- hidden modules
- hidden services
- hidden files
- hidden disk sectors (MBR)
- hidden Alternate Data Streams
- hidden registry keys
- drivers hooking SSDT
- drivers hooking IDT
- drivers hooking IRP calls
- inline hooks
Version History:
This is the list of changes for each release of GMER:
• 2.2
- Added support for Windows 10
- Improved files & disk scanning
• 2.1
- Added third-party software component scan
- Improved services scanning
- Improved registry scanning
- Fixed Windows 8 x86 lock issue
• 2.0
- Added support for Windows 8
- Added full support for Windows x64
- Added Trace I/O function
- Added disk "Quick scan" function
GMER runs on Windows XP/VISTA/7/8/10
It is recommended to download the randomly named EXE because some malware won't let gmer.exe launch.
Please see the FAQ section and feel free to send any comments.
Homepage: http://www.gmer.net/
Download: GMER v2.1.19357
Download: GMER v2.2.19882
SysProt AntiRootkit v1.0.1.0 (only x86)
SysProt AntiRootkit is a free tool to detect and remove rootkits. Currently, SysProt AntiRootkit supports Windows 2000/XP/2003/Vista 32-bit operating systems. Some of the key features of the tool are:
• Hidden process detection and removal
• Hidden driver detection and removal
• SSDT hooks detection and removal
• Kernel inline hooks detection and removal
• Sysenter hook detection
• TCP/UDP ports information
• Hidden/locked files detection and removal
Recent Changes:
SysProt AntiRootkit v1.0.1.0
- Added an "activity bar" to indicate scan progress
- Optimized device driver scanning
- Added help file
- Fixed process and driver scanning bugs in Windows 2003 SP1 and SP2
SysProt AntiRootkit v1.0.0.9
- Added Windows Vista support
- Improved device driver detection
- Faster "Kernel Hooks" scan
- Faster "Ports" scan
~May cause Windows 7 system to crash.
Homepage: http://swatrant.blogspot.com/2009/03/sysprot-antirootkit-v1010-released.html
Google Sites: http://sites.google.com/site/sysprotantirootkit/
Download: SysProt AntiRootkit v1.0.1.0
USEC Radix v1.0.0.13
Rootkits are dangerous programs that are downloaded from the Internet, or present in malicious purchased software, that once installed take over your computer without your knowledge. Rootkits can do anything from logging every one of your keystrokes, including user names and passwords, email messages or even your word processing documents and sending that data off to hackers, to executing programs in the background without your knowledge or permission.
And there's nothing that you can do about it unless you take the time right now to install Radix. It's your best hope against combating Rootkit Attacks.
Here's what Radix does...
• Detects and removes Rootkits using sophisticated methodologies.
• Detects and repairs drivers that have been modified by Rootkits.
• Detects and repairs computer processes modified by Rootkits.
• Detects and reveals hidden processes and files, including Alternate Data Streams (ADS).
• Detects MBR Rootkits.
• Allows the removal of "locked" or "unremovable" processes and files.
• Allows dumping memory areas from processes.
• Shows the Global Descriptor Table (GDT) for advanced Rootkit Detection capabilities.
• Shows the Import Address Table (IAT) for advanced Rootkit Detection capabilities.
• Shows the Interrupt Descriptor Table (IDT) for advanced Rootkit Detection capabilities.
• Shows and fixes rootkits found in the Service Dispatcher/Descriptor Table (SDT).
• Shows hidden Registry Keys.
• Operates in both command line mode for power users, or as a graphical tool for regular users.
• Shows and terminates all kinds of Windows handles.
• Allows removal scripts to be run to help in rootkit removal.
• Detects SYSENTER Rootkits.
• Detects hidden Services.
• Detects hidden Handles / Registry Callbacks.
• Object handling Routines (ParseProcedure,)
• Windows 7 support
Homepage: http://usec.at/rootkit.html / http://usec.at/radix.html
Download: USEC Radix v1.0.0.13
HookExplorer v1.0.0.0
Technical tool to analyze a process, trying to find various types of runtime hooks. The interface and output are geared towards security experts; average users won't be able to decipher its output.
Author: David Zimmer
Copyright: 2005 iDefense, a Verisign Company
GPL Olly.dll is Copyright (C) 2001 Oleh Yuschuk - http://ollydbg.de
Dependencies
-------------------------------------------------
Hook Explorer is written in VB6. Your system will
need the VB6 runtimes and the Microsoft Common
Controls OCX (mscomctl.ocx)
Source: https://github.com/dzzie/HookExplorer
iDefense: http://labs.idefense.com/software/malcode.php#more_hookexplorer
Download: HookExplorer v1.0.0.0
XueTr v0.45 (only x86/x64)
XueTr anti-rootkit is a free and handy toolkit for Windows with various powerful features for kernel structure viewing and manipulation. It offers you the ability, with the highest privileges, to detect, analyze and restore various kernel modifications and gives you a wide view of the kernel. With its assistance, you can easily spot and neutralize malware hidden from normal detectors.
XueTr currently supports the following Windows 32-bit versions:
Windows 2000 SP4
Windows XP (no SP,SP1, SP2, SP3)
Windows Server 2003 (no SP,SP1,SP2,R2)
Windows Vista (no SP,SP1,SP2)
Windows Server 2008 (no SP,SP1)
Windows 7 (no SP,SP1)
Currently, the following features are available:
*Process Manager
View system process and thread basic information.
Detect hidden processes, threads and process modules.
Terminate, suspend and resume processes and threads.
View and manipulate process handles, windows and memory regions.
*Kernel Module Viewer
Display kernel module information including ImageBase, Size, Driver Object, ImagePath, ServiceName and Load Order.
Detect hidden kernel modules.
Unload kernel module (dangerous, never try it on Windows 7).
Dump kernel image memory.
Display and delete system driver service information.
*Hook Detector
View and restore SSDT, Shadow SSDT, sysenter and int2e hooks.
View and restore FSD and keyboard dispatch hooks.
View and restore kernel code hooks including kernel inline hooks, patches, IAT and EAT hooks.
View and restore user-mode process hooks including inline hooks, patches, IAT and EAT hooks.
View and restore message hooks (both global and local).
View and restore kernel ObjectType hooks.
Display Interrupt Descriptor Table (IDT).
*System Callback Viewer
Display and remove Kernel Notifications (Process/Thread/Image/Registry/Lego/Shutdown/Bugcheck/FileSystem/Logon).
*Network Viewer
Display current network connections, including the local and remote addresses and state of TCP connections.
View and delete IE plugins and context menu.
View and restore tcpip dispatch hooks.
Display winsock providers (SPI).
View and edit hosts file.
*Filter Viewer
View and remove filters for common devices including disk, volume, keyboard and network devices.
*Registry Viewer
View and edit system registry.
Detect hidden registry entries using live registry hive analysis.
*File Explorer
Detect hidden files using both disk analysis and driver methods.
View and delete locked files and folders.
View file basic information including NTFS Alternate Data Streams.
*Autorun Manager
Display and delete common autorun entries.
*Service Manager
Display Win32 service information (for Ring0 modules, it is included in Kernel Module Viewer).
Change service status and configuration.
*DPC Timer
Enumerate and delete DPC Timer objects.
*Miscellaneous
View and repair common filetype associations.
View and repair image hijacks.
*Settings
Option to defend against process creation, thread creation, module load and message hook installation.
Option to defend against file creation and registry key creation.
Option to prevent system suspend, log-off, shutdown and reboot.
Option to prevent locking the workstation and switching the desktop.
Option to prevent setting the system time.
Warning: Use it at your own risk. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY.
Change log:
2011-12-03 V0.45:
*Fixed several bugs.
2011-11-09 V0.44:
*Added computer examination feature
*Fixed several bugs.
Full list of changes
-------------------------------------------------------------------------------
A powerful manual anti-virus tool. For now it only supports the 32-bit versions of 2000, XP, 2003, Vista, 2008 and Win7; once this busy period is over, I will buy a Microsoft digital signature in order to develop a XueTr that supports 64-bit and Windows 8, so stay tuned.
The tool currently implements the following functions:
1. View process, thread, process module, process window, process memory, timer and hotkey information; kill processes, kill threads, unload modules, etc.
2. View kernel driver modules, with support for copying kernel driver module memory
3. View SSDT, Shadow SSDT, FSD, KBD, TCPIP, Classpnp, Atapi, Acpi, SCSI, IDT and GDT information, and detect and restore SSDT hooks and inline hooks
4. View CreateProcess, CreateThread, LoadImage, CmpCallback, BugCheckCallback, Shutdown, Lego and other notify routine information, with support for deleting these notify routines
5. View port information (not currently supported on Windows 2000)
6. View message hooks
7. Detect and restore IAT, EAT, inline hooks and patches in kernel modules
8. Detect filter drivers for disk, volume, keyboard, network layer, etc., with support for deleting them
9. Registry editing
10. Detect and restore IAT, EAT, inline hooks and patches in processes
11. File system viewing, with support for basic file operations
12. View (edit) IE plugins, SPI, startup items, services, hosts file, image hijacks, file associations, system firewall rules and IME
13. Detect and restore ObjectType hooks
14. Detect and delete DPC timers
15. Detect and repair MBR rootkits
16. Detect kernel object hijacking
17. Enumerate worker threads
Disclaimer: This is only a free auxiliary tool. If using it causes you direct or indirect loss or damage, I bear no responsibility. From the moment you use this tool, you are deemed to have accepted this disclaimer.
Download latest version of XueTr
Tool homepage: http://www.xuetr.com/?p=25
Download: XueTr v0.45 (2011.12.03)
Download: XueTr v0.45 (2012.10.22)
PCHunter v1.56 (ex-XueTr)
PCHunter is a Windows system information viewer and also an auxiliary tool for manual virus removal.
V1.6 was released on 2023-08-12.
Free version download: local download (md5: 0825CA3F3667D6F62F0300B39DFF1C05)
PCHunter32.exe is the 32-bit version and PCHunter64.exe is the 64-bit version.
The tool currently implements the following functions (initial set):
1. View process, thread, process module, process window and process memory information; kill processes, kill threads, unload modules, etc.
2. View kernel driver modules, with support for copying kernel driver module memory
3. View SSDT, Shadow SSDT, FSD, KBD, TCPIP, Classpnp, Atapi, Acpi, SCSI, IDT and GDT information, and detect and restore SSDT hooks and inline hooks
4. View CreateProcess, CreateThread, LoadImage, CmpCallback, BugCheckCallback, Shutdown, Lego and other notify routine information, with support for deleting these notify routines
5. View port information (not currently supported on Windows 2000)
6. View message hooks
7. Detect and restore IAT, EAT, inline hooks and patches in kernel modules
8. Detect filter drivers for disk, volume, keyboard, network layer, etc., with support for deleting them
9. Registry editing
10. Detect and restore IAT, EAT, inline hooks and patches in processes
11. File system viewing, with support for basic file operations
12. View (edit) IE plugins, SPI, startup items, services, hosts file, image hijacks, file associations, system firewall rules and IME
13. Detect and restore ObjectType hooks
14. Detect and delete DPC timers
15. Detect and repair MBR rootkits
16. Detect kernel object hijacking
17. Enumerate worker threads
18. Enumerate some callback information in NDIS
19. Detect hardware debug registers and debugging-related APIs
20. Enumerate SFilter/Fltmgr callbacks
21. Detect system user names
Disclaimer: This is only a free auxiliary program. If using it causes you direct or indirect loss or damage, our company bears no responsibility. From the moment you use this program, you are deemed to have accepted this disclaimer.
Download: http://www.xuetr.com/download/PCHunter_free.zip
Download: http://www.xuetr.com/download/PCHunter_pro.zip
Download: http://down.epoolsoft.com/pchunter/PCHunter_free.zip
Download: http://down.epoolsoft.com/pchunter/PCHunter_pro.zip
PC Hunter V1.56 released, supports Win10 (17763): http://www.xuetr.com/?p=191
PCHunter V1.6 unsigned version released, supports Win11 (22621): http://www.xuetr.com/?p=191
Homepage: http://www.xuetr.com / http://www.epoolsoft.com
Homepage: https://www.anxinsec.com/view/antirootkit/
Homepage: https://www.anxinsec.com/view/pchunter/update/index.html
Download: PCHunter v1.55
Download: PCHunter v1.56
Download: PCHunter v1.57
Download: PCHunter v1.6
OpenArk v1.3.4
The Next Generation Anti-Rootkit (ARK) tool for Windows.
OpenArk is an open source anti-rootkit (ARK) tool for Windows. ARK is short for Anti-Rootkit; it is aimed at reversing/programming helpers, and users can also use it to find hidden malware in the OS. More and more powerful features will be supported in future.
Features:
• Process - Process/Thread/Module/Handles/Memory/Window/Token/MemoryScan/PPL etc information view, Unload/Dll Injector x86/x64 also.
• Kernel - OS Kernel internal toolkit, eg: Memory, Drivers, Hotkey, Callback, Filters, IDT/SDT/NDIS/WFP etc.
• CoderKit - Helper for coders.
• Scanner - PE/ELF file parsers, evolved to virus analyzer in future.
• Bundler - Directories and files can be bundled into one executable file; it also supports scripts.
• ToolRepo - Collects many useful tools that complement each other's functionality, for efficiency.
• Console - Many useful commands in here.
• Language - Support English and Chinese now, more in future.
• More powerful features in developing...
Distributions:
• Program: one exe binary, no dependence, support 32/64 bit.
• Supported OS: Windows XP ... Win7 ... Win10 ... Win11 ...
BUILD 202312202152:
• Improved process manager: Added memory usage, PEB, TEB, CallStack, Terminate Thread etc.
• Improved kernel manager: Added memory search, Unloaded drivers, IFEO, Load symbols etc.
• Improved scanner: Improved pe scanner, Added scanner for Memory PE.
• Fixed some failure case when enter kernel mode.
• Bugfixed and many other unmentioned features.
• Special Notes: Added acknowledgements, thanks for your support!
English README: https://github.com/BlackINT3/OpenArk/blob/master/README.md
Chinese README: https://github.com/BlackINT3/OpenArk/blob/master/doc/README-zh.md
Homepage: https://openark.blackint3.com
Source: https://github.com/BlackINT3/OpenArk
Download: OpenArk v1.3.4
Tuluka v1.0.394.77 (only x86)
Tuluka is a new powerful AntiRootkit, which has the following features:
• Detects hidden processes, drivers and devices
• Detects IRP hooks
• Identifies the substitution of certain fields in DRIVER_OBJECT structure
• Checks driver signatures
• Detects and restores SSDT hooks
• Detects suspicious descriptors in GDT
• IDT hook detection
• SYSENTER hook detection
• Displays list of system threads and allows you to suspend them
• IAT and Inline hook detection
• Shows the actual values of the debug registers, even if reading these registers is controlled by someone
• Allows you to find the system module by the address within this module
• Allows you to display contents of kernel memory and save it to disk
• Allows you to dump kernel drivers and main modules of all processes
• Allows you to terminate any process
• Is able to disassemble interrupt and IRP handlers, system services, start routines of system threads and many more
• Allows you to build the device stack for a selected device
• Much more..
Tuluka is tested on the following operating systems (32-bit):
- Windows XP SP0 SP1 SP2 SP3
- Windows Server 2003 SP0 SP1 SP2 R2
- Windows Vista SP0 SP1 SP2
- Windows Server 2008 SP0 SP1 SP2
- Windows 7 SP0 SP1
Work on other versions of the operating system is not guaranteed.
You use this software at your own risk. The author makes no warranty.
Tuluka v1.0.360.51 Beta (04.08.2010)
- Initial testing version
Tuluka v1.0.394.77 (14.10.2010)
- Improved detection of processes, drivers and threads
- Added buttons "Find stealth processes" and "Find stealth drivers"
- Improved stability
Homepage: http://www.tuluka.org
Download: Tuluka v1.0.394.77
HRSword v5.0.1.1
HRSword (Huorong Sword), an Internet security analysis tool. It is the advanced tool inside the Huorong security software, an auxiliary security analysis tool for Windows systems, with functions including system action monitoring, file management, process management, startup item management, registry management, service management, driver modules, network management, system kernel viewing and hook scanning. With it you can view all kinds of system information and analyze system behaviour through monitoring.
Features of this build
by ZD423
Extracted from sysdiag-all-5.0.46.11, with the latest driver signature
Portable version includes the Explorer file-shredding extension module
Single-file version without the Explorer file-shredding extension module
The single-file version elevates driver privileges automatically at startup, with no system reboot needed
Source: https://www.52pojie.cn/thread-1208162-1-1.html
Source: https://www.52pojie.cn/thread-1358296-1-1.html
Source: https://github.com/szdyg/HRSword
Download: HRSword v5.0.1.1 / II
Download: HRSword v5.0.69.2-2022.7.13.1
Download: HRSword v5.0.74.1-2023.09.25.1
Powertool x86 v4.8 & x64 v2.0 (32-bit/64-bit)
PowerTool is a free anti-virus and rootkit utility. It offers you the ability to detect, analyze and fix various kernel structure modifications and gives you a wide view of the kernel. With its help, you can easily spot and remove malware hidden from normal software.
PowerTool currently supports the following Windows 32-bit versions: Windows PE/Safe Mode/Windows XP/Windows 2003 Server/Vista/Windows 2008 Server/Windows 7 SP1/Windows 8/Windows 8.1/Windows 10 build 10586
-------------------------------------------------------------------------------------------
PowerTool is a free and powerful process manager. It supports forcibly terminating processes, unlocking processes that hold files open, viewing which files/folders are in use, viewing and managing kernel modules and drivers, dumping process module memory, and more. The latest version also supports uploading files for online virus scanning. It supports offline detection and deletion of startup items and services, adds forced deletion of registry keys and services, can remove MBR-infecting viruses (such as Guiying/鬼影) under a PE system, and has passed testing on Windows 7 SP1.
Software overview
Newly added hardware detection: it can check hard disk usage, battery wear rate and the like, identify dishonest vendors, and also view the temperatures of components such as the CPU and hard disk.
Main functions
1. Enumerate all processes (including processes hidden in the kernel)
2. Enumerate all files (including files hidden in the kernel)
3. Enumerate all modules in a process (including modules hidden in the kernel)
4. Forcibly terminate processes
5. Forcibly unload modules from a process
6. Look up which processes have loaded a module
7. View which processes are using a file/folder
8. Unlock processes that hold a file
9. File/folder shredding (can forcibly delete stubborn files that the Unlocker 1.8.9 / Kingsoft / 超级巡警 file shredders cannot delete)
10. Prevent shredded files from being recovered with recovery software (uses the US DoD 5220.22-M standard to prevent recovery)
11. Search hard disk data using disk parsing
12. View and manage kernel modules and drivers
13. View and manage startup items
14. View and manage system services
15. Integrate file shredding into the system context menu
16. View and unhook message hooks
17. View and unhook SSDT/Shadow SSDT hooks
18. View and remove various kernel callbacks
19. Multilingual versions (Chinese and English)
20. Suspend and resume processes
21. Dump process module memory
22. View and terminate process threads
23. View and control process windows
24. View and remove process timers (not yet supported on Windows 2003)
25. View and remove kernel timers
26. Upload files for online virus scanning
27. View and remove user-mode hooks
28. View and terminate kernel threads
29. Clear shutdown callbacks
30. View and remove minifilter drivers
31. System recovery (checks include key registry locations, installed anti-virus software, AutoRun files, Windows vulnerability detection, shared folders)
32. Detect and delete rogue shortcuts
33. Detect and delete image hijacks
34. Detect and delete file associations
35. Detect and delete IE-related items
36. Detect and delete FSD hooks
37. Detect and delete object hooks
38. Temperature detection for some CPUs/hard disks/graphics cards/motherboards
39. Confirm some hardware information
40. Vulnerability repair: download and install Windows patches
41. Detect and restore IDT hooks
42. Configuration to block process creation, new file creation, registry modification, etc.
43. Registry function that can ignore almost all registry-hiding hooks
44. SPI detection
45. File browsing through disk parsing
46. Forced file copy; can copy the cache files of online videos
47. Obtain and copy ADS stream files through disk parsing
48. Add and view file delete-on-reboot information
49. Detect and restore Disk/Atapi driver hooks
50. Enumerate and remove process privileges
51. Detect keyboard sniffing software
52. Detect monitored files
53. Detect and stop IO timers
54. Detect and suspend work queue threads
55. Disk parsing for FAT32
56. New MBR detection and repair (can counter bootkits and MBR rootkits such as Guiying)
57. New detection of replaced or infected kernel files (kernel file hijacking)
58. MBR detection and recovery for multiple hard disks
59. New detection and removal of suspicious devices
60. Offline detection and deletion of startup items and services
61. Forced deletion of registry keys and services
62. Jump from startup items and services to the PT registry and file browser
63. Simple prevention of shutdown and reboot (may not stop a virus from forcing a reboot)
64. IME input method management
65. Memory module detection (currently only DDR2/DDR3): frequency, size, manufacturer, production date, etc.
66. Monitor detection (size, manufacturer, production date, etc.)
67. Battery information detection
68. Copy driver module memory and unload drivers
69. AMD CPU (K8/K10) temperature detection
70. Dynamically display hardware manufacturer names in Chinese/English
71. Identify dishonest vendors
72. View network connections
73. Detect kernel IAT/EAT hooks
74. Rename files/folders (including files in use by other processes)
75. Manage and view hidden or cloned accounts
76. Detect and automatically restore the MBR against Guiying 3
77. Detect process callback table hooks
78. Added detection of hard disk read/write activity
79. View debug register hooks
80. View kernel entry point hooks
81. Detect and restore infected system drivers
82. Detect Award BIOS rootkits such as BMW/Mebromi, and display some BIOS information
83. Detect VBR bootkits, and upload them to VirusTotal for checking
84. Detect rootkit memory spoofing / kernel debuggers
Changelog:
Platforms: Windows PE/Windows XP/Windows 2003 Server/Vista/Windows 2008 Server/Windows 7 SP1 (32-bit) (only tested on these; problems may occur on other systems)
Blog: http://hi.baidu.com/new/ithurricane
Baidu Baike: http://baike.baidu.com/item/powertool
Tool homepage: http://powertool.s601.xrea.com/
GoogleCode: http://code.google.com/p/powertool-google/
GoogleCode: https://code.google.com/archive/p/powertool-google/
Download: PowerTool x64 v1.5
Download: PowerTool x64 v1.6
Download: PowerTool x86 v4.6
Download: PowerTool x86 v4.7 & x64 v1.7
Download: PowerTool x86 v4.7 & x64 v1.8
Download: PowerTool x86 v4.8 & x64 v1.9
Download: PowerTool x86 v4.8 & x64 v2.0
Kernel Detective v1.4.1 (AT4RE) (only x86)
Kernel Detective is a free tool that helps you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you access to the kernel directly, so it is not oriented towards newbies. Changing essential kernel-mode objects without enough knowledge will lead you to only one result ... BSoD!
Kernel Detective gives you the ability to:
1- Detect Hidden Processes.
2- Detect Hidden Threads.
3- Detect Hidden DLLs.
4- Detect Hidden Handles.
5- Detect Hidden Drivers.
6- Detect Hooked SSDT.
7- Detect Hooked Shadow SSDT.
8- Detect Hooked IDT.
9- Detect Kernel-mode code modifications and hooks.
10- Disassemble (Read/Write) Kernel-mode/User-mode memory.
11- Monitor debug output on your system.
What's new in v1.4.1:
- Fixed possible BSOD when scanning processes
- Fixed bug in callbacks scanning
- Enhanced showing files properties and signature verifying
- Skeleton SDK for VS2008 included
What's new in v1.4.0:
- Added plugins system
- Added support for Windows Server 2008, Seven SP1
- Enhanced stability on NT 6.0+ (Windows Vista/Seven)
- Improved driver scan
- Improved code hook scan
- Fixed a bug that prevented the tool from working on Windows XP
- Fixed bug related to long paths
- Fixed bug in process/driver dumper
- Fixed bug in IDT scan
SHA-256 (v1.4.1):
619E9AE64CC9DE82DD35CB3469D413E8C78A57EC8021B8450B6EAD15526562D7
SHA-256 (v1.4.0):
3C0D5426A2FE65EB72FB4F6A396C4CF83285B38EAE188B41C6F8D048157FF6DF
Author: GamingMasteR
Homepage: http://www.at4re.com/download.php?view.2
Download: Kernel Detective v1.4.0
Download: Kernel Detective v1.4.1
WIN64AST v1.19
Software overview:
WIN64AST, full name Windows x64 Advanced System Tool, is an ARK-type tool designed for 64-bit Windows operating systems. Currently supported systems include WIN7/2008R2/8/2012/8.1/2012R2/10/2016. Because the UI part is written in VB2010, WIN7 requires the .NET 4 runtime (the installer is about 48 MB; at 8M network speed the download takes about 1 minute and installation about 5 minutes; no reboot is needed after installation and there is no further hassle; WIN8/2012 and later systems ship with this runtime and do not need a separate install).
Implemented features:
1. Process/memory/thread/module/handle/window management
2. Kernel module viewer
3. View and block network connections
4. View/restore SSDT and Shadow SSDT
5. Scan/restore ring 3 and ring 0 inline hooks
6. View and delete message hooks
7. View/restore important driver dispatch functions
8. View/restore kernel object routine hooks
9. Enumerate notifications and callbacks
10. Enumerate I/O timers
11. Enumerate DPC timers
12. Enumerate MiniFilter / invalid MiniFilter callback functions
13. Enumerate/remove filter drivers
14. View/back up/restore/automatically repair the Master Boot Record (MBR)
15. Process behaviour monitoring (create process/create thread/load driver/modify registry/change file system/connect to network/change time)
16. Kernel memory editor
17. Enumerate files in the driver; forcibly create/unlock/delete/destroy files
18. Enumerate the registry in the driver; forcibly delete/create/rename registry keys (KEY) and values (VALUE)
19. Block process creation / file creation / creation of registry keys (KEY) and values (VALUE) / driver loading
20. Verify file signatures
21. Enumerate/restore Interrupt Descriptor Table hooks
22. Enumerate the Global Descriptor Table
23. Display the values of special registers
24. Detect process IAT and EAT hooks
25. View/back up/restore/automatically repair the Volume Boot Record (VBR)
26. Network firewall
27. Enumerate/delete SPI, BHO and IE context menu entries
28. DLL/driver loader
29. Enumerate/delete autostart entries, enumerate/edit file associations
30. Enumerate/restore the kernel callback table
31. PE file viewer
32. Certificate blacklisting tool
--------------------------------------------------------------------------------------------------------
Announcement:
WIN64AST will NOT be updated anymore. I don't want to follow the tempo of Microsoft and do an endless job forever. It wastes my time; I need to save my time to do other things which are more meaningful.
Similar tools: Process Explorer, Process Hacker, Windows Kernel Explorer
The source code of WIN64AST is on sale, please click on the link for details (Chinese page).
--------------------------------------------------------------------------------------------------------
Source: http://www.m5home.com/bbs/thread-6975-1-1.html
Download: WIN64AST v1.19
WinArk v1.0.0
WinArk is an open source Anti-Rootkit (ARK) tool for Windows, aimed at reverse engineering of the kernel. It supports Windows 7 through Windows 11, both 32-bit and 64-bit. Compared with other ARK tools, WinArk can run on the latest Windows 11 without updated binary files, since it automatically downloads the requisite symbol files.
If you have any questions about the WinArk, just don't hesitate to join this group.
Telegram Group: t.me/WinArk_dev
Source: https://github.com/BeneficialCode/WinArk
Source: https://github.com/BeneficialCode/Anti-Rootkit
Download: WinArk v1.0.0
WKTools v1.0.0.17
WKTools is a powerful Windows kernel tool.
About open source
I don't plan to share the source code. If you can't accept it, please close the page.
Supported systems: Win7 x64 (7601), Win10 x64 (19041, 19042, 19043, 19044, 19045), Win11 (22000, 22621, 22631)
Change log:
V1.0.0.17 (2024-2-5)
- 1. Fix some bugs
- 2. Add Win11 22631 support
V1.0.0.16 (2023-8-4)
- 1. Fix some bugs
- 2. Add show and operate process window protection (PROCESS ---> Right-click ---> View Process Windows ---> Right-click) to disable an app's anti-screen-capture
V1.0.0.14 (2023-7-22)
- 1. Fix some bugs
- Update the prompt every time you open it
- Driver load fails because signature verification failed
Source: https://github.com/AngleHony/WKTools
Download: WKTools v1.0.0.13
Download: WKTools v1.0.0.17
AntiSpy v2.1 (only x86)
A powerful anti-rootkit toolkit
AntiSpy is a free but powerful anti-virus and anti-rootkit toolkit.
It offers you the ability, with the highest privileges, to detect, analyze and restore various kernel modifications and hooks.
With its assistance, you can easily spot and neutralize malware hidden from normal detectors.
Development
• IDE: Visual Studio 2008
• Userspace: MFC
• WDK: WDK7600
• Third-party Library: Codejock toolkit pro
Features
Currently, the following features are available (including but not limited to):
Process Manager
• Display system process and thread basic information.
• Detect hidden processes, threads and process modules.
• Terminate, suspend and resume processes and threads.
• View and manipulate process handles, windows and memory regions.
• View and manipulate process hotkeys, privileges and timers.
• Detect and restore process hooks including inline hooks, patches, IAT and EAT hooks.
• Inject DLL, dump process memory.
• Create debug dump, including mini dump and full dump.
Kernel Module Viewer
• Display kernel module basic information, including image base, size, driver object, and so on.
• Detect hidden kernel modules.
• Unload kernel modules.
• Dump kernel image memory.
• Display and delete system driver service information.
Hook Detector
• Detect and restore SSDT, Shadow SSDT, sysenter and int2e hooks.
• Detect and restore FSD and keyboard dispatch hooks.
• Detect and restore kernel code hooks including kernel inline hooks, patches, IAT and EAT hooks.
• Detect and restore message hooks, both global and local.
• Detect and restore kernel ObjectType hooks.
• Display Interrupt Descriptor Table (IDT).
Other Kernel Information Viewer
• View and remove kernel notifications.
• View filters for common devices including disk, volume, keyboard and network devices.
• View IO timers, DPC timers, system threads, and so on.
Registry Manager
• View and edit system registry.
• Detect hidden registry entries using live registry hive analysis.
File Manager
• Display file basic information, including file name, size, attributes, and so on.
• Detect hidden files.
• View and delete locked files and folders.
Service Manager
• Display system services basic information.
• Control service status.
• Modify service startup type.
Autorun Manager
• Display almost all kinds of system autorun types.
• Enable, disable or permanently delete autoruns.
Network Viewer
• Display current network connections, including TCP and UDP information.
• View and delete IE plugins and context menu.
• Display winsock providers (LSP).
• View and edit hosts file.
Other Tools
• Hex Editor - View and edit memory, including ring3 process memory and ring0 system memory.
• Disassembler - Like OllyDBG, supports ring3 process memory and ring0 system memory.
English: https://github.com/mohuihui/antispy/blob/master/README.md
简体中文: https://github.com/mohuihui/antispy/blob/master/README-CN.md
Source: https://github.com/mohuihui/antispy
Download: AntiSpy v2.1
KE64 Free v2.3.0.0
ke64 is a free but powerful kernel research tool. It supports Windows 7 (7601) through Windows 10 (19045) and Windows 11 (22621), x64 systems only; run it in a virtual machine.
1. Processes, threads, modules, windows, memory, timers, hotkeys (show hidden items, spoofing, kill process, kill thread, unload, remove, etc.)
2. User-mode hooks (message hooks, event hooks, inline, IAT, EAT hook detection)
3. Driver modules (unload and other operations)
4. Filter drivers (File, Disk, RAW, Volume, Keyboard, Mouse, I8042prt, Tdx, NDIS, PnpManager) (remove and other operations)
5. CreateProcess, LoadImage, CreateThread, CmpCallback, Shutdown notify callbacks (remove and other operations)
6. Callback, ObjectType, ObjectTypeHook, DPC, WFPCallout, minifilter, WorkerThread (stack backtrace) (remove and other operations)
7. IRP dispatch tables (Keyboard, Mouse, I8042prt, ndis, nsiproxy, tcpip, partmgr, disk, ntfs, scsi, npfs, fltmgr)
8. GDI, IDT
9. Port viewer
10. Autorun entries (delete and other operations)
11. Services (start, stop, pause, resume, restart, delete, startup type, locate in registry, properties)
12. Registry manager (delete, rename, export, create (key, binary, DWORD, QWORD, multi-string, expandable string), modify (DWORD, QWORD, multi-string))
13. File manager (delete, quick file locate, file lock, rename, copy file, clear read-only/hidden attributes, set read-only/hidden attributes, properties)
14. New behavior monitor (monitored behaviors include:
File (create, read, write, delete, rename, set attributes, set permissions),
Registry (open, create, delete key, delete value, read value, rename key, set security, query value, set value),
Process (create, start, destroy),
Thread (create, destroy),
Module (load),
Network (connect, listen, receive, send)
) and other behaviors.
15. User-mode and kernel-mode memory (supports disassembling and assembling memory)
16. Features (...)
Changes in 2.0.0.0:
1. Added behavior monitor (monitored behaviors include:
File (create, read, write, delete, rename, set attributes, set permissions),
Registry (open, create, delete key, delete value, read value, rename key, set security, query value, set value),
Process (create, start, destroy),
Thread (create, destroy),
Module (load),
Network (connect, listen, receive, send)
) and other behaviors.
2. Added terminate-and-delete process
3. Improved file deletion (fixes slow response and BSOD)
4. Added deletion of files held open by hidden processes
5. Added process protection
6. Added process hiding (to be enabled in a later version)
7. Added process disguise (to be enabled in a later version)
8. Added PlugPlay (plug-and-play) callback enumeration
9. Added memory scan for Ldr driver modules
10. Added Enter key support in the file-locate input box
11. Added forced file deletion (ignores open handles, IRP squatting, hard links, etc.)
12. Rewrote file handle viewing, including hidden handles, at a lower level (fixes slow response and BSOD)
13. Changed the file tree list to select the item on right-click
14. Fixed deleted files not being removed from the list display
15. Fixed file "go to"
16. Made list colors slightly darker
17. Fixed known bugs
18. Optimized some features
----------------------------------------------------------------------------------------------------
Disclaimer: This is only free auxiliary software. If using this software causes you any direct or indirect loss or damage, the author accepts no responsibility. From the moment you use this software you are deemed to have accepted this disclaimer.
Commercial use of this software without the author's written authorization is prohibited; using this software to maliciously damage computer systems or software environments, or for any other illegal activity, is prohibited.
This software is for learning and exchange only; if it infringes your rights it will be removed within 24 hours.
----------------------------------------------------------------------------------------------------
Source: https://github.com/alinml/ke64
Source: https://github.com/alinml/ke64/blob/main/ke64.7z
Chinese forum: https://www.52pojie.cn/thread-1529267-1-1.html
Latest version: https://down.52pojie.cn/Tools/Anti_Rootkit/
Download: KE64 Free v2.3.0.0
PYArkClient v1.0.0
Piaoyun ARK (飘云ark, pyark)
If you find any bugs, report them in the GitHub issues.
Still in development.
Supports Windows 7 to Windows 11 (22H2).
Source: http://www.pysafe.cn/index.html
Source: https://github.com/antiwar3/py
Download: PYArkClient v1.0.0
YDArk v1.0.3.3
A small x64 kernel tool
Disclaimer: This is only free software. If using this software causes you any direct or indirect loss or damage, the author accepts no responsibility. From the moment you use this software you are deemed to have accepted this disclaimer.
// This software is packed with VMProtect, so some antivirus products may flag it... rest assured and use it; this is an antivirus false positive.
// This software is free, but commercial use without the author's written authorization is prohibited; malicious use (for example as part of a virus or trojan, or to crack internet café billing systems) is also prohibited.
// This software is for learning and exchange only; if it infringes your rights it will be removed within 24 hours.
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// The driver is packed with VMProtect and does not support running with Core Isolation (memory integrity) enabled.
// The driver is not signed; sign the driver file yourself or enable test-signing (debug) mode. If it is signed but still fails to load, disable Secure Boot, obtain Microsoft EV signing, or use a virtual machine.
// If you find a bug while using it, please report it promptly and it will be fixed as soon as possible; suggestions and feedback are also welcome via the QQ number or QQ group below. // QQ: 3269334485; QQ group: 399309204
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
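The WKTools changelog entry above (driver load failing on signature verification) and the YDArk notes (an unsigned, VMProtect-packed driver that will not load with Core Isolation on; enable test signing, or disable Secure Boot, or run in a VM, as KE64 also advises) describe the same precondition check every third-party ARK driver runs into. The PowerShell below is an added illustration, not code from WKTools, YDArk or KE64: it reports the three settings that decide whether such a driver can load (Secure Boot, HVCI/memory integrity, the testsigning boot option) and, with -EnableTestSigning, creates a self-signed code-signing certificate and signs the driver. The driver path .\YDArk.sys and the certificate subject are assumptions; the real file name is whatever ships in the tool's archive.

```powershell
# Added example (not from WKTools, YDArk or KE64): find out why an unsigned or packed
# ARK driver refuses to load, and optionally test-sign it.
# Run from an elevated PowerShell, preferably inside a disposable VM.
[CmdletBinding()]
param(
    # Assumed driver path; substitute the .sys file shipped with the tool.
    [string]$DriverPath = '.\YDArk.sys',
    [switch]$EnableTestSigning
)

# 1. Secure Boot: while it is on, "bcdedit /set testsigning on" is refused and the
#    kernel only accepts drivers signed through Microsoft (WHQL/attestation/EV).
$secureBoot = $false
try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }  # throws on legacy BIOS

# 2. HVCI / memory integrity: enforces W^X on kernel pages, so a VMProtect-packed
#    driver that unpacks into executable memory is rejected at load time.
#    SecurityServicesRunning contains 2 when HVCI is active.
$hvci = $false
try {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $hvci = [bool]($dg.SecurityServicesRunning -contains 2)
} catch { $hvci = $false }  # class absent on some editions; treat as off

# 3. Test-signing boot option: accepts any Authenticode signature, even self-signed.
$testSigning = [bool](bcdedit /enum '{current}' | Select-String -Pattern '^testsigning\s+Yes' -Quiet)

# Signature state of the driver file itself ("NotSigned" is the WKTools/YDArk case).
$sigStatus = if (Test-Path $DriverPath) { (Get-AuthenticodeSignature -FilePath $DriverPath).Status } else { 'FileNotFound' }

[pscustomobject]@{
    SecureBoot      = $secureBoot
    MemoryIntegrity = $hvci
    TestSigning     = $testSigning
    DriverSignature = $sigStatus
} | Format-List

if ($secureBoot) { Write-Warning 'Secure Boot is on: disable it in firmware (or use a VM) before enabling test signing.' }
if ($hvci)       { Write-Warning 'Memory integrity (HVCI) is on: turn it off under Windows Security > Core isolation and reboot.' }

if ($EnableTestSigning) {
    if ($secureBoot) { throw 'Cannot enable test signing while Secure Boot is on.' }
    bcdedit /set testsigning on | Out-Null    # takes effect after reboot; desktop shows a "Test Mode" watermark
    # Self-signed code-signing certificate; the subject name is an assumption.
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=ARK test signing' `
                                      -CertStoreLocation Cert:\CurrentUser\My
    Set-AuthenticodeSignature -FilePath $DriverPath -Certificate $cert | Format-List Status, StatusMessage
}
```

After signing, Get-AuthenticodeSignature will still report the self-signed driver as untrusted (the chain does not end in a trusted root); in test mode the kernel loads it anyway, which is exactly why test mode should only be turned on in a throwaway VM. Turning Secure Boot and memory integrity off on a daily-use machine to run a packed, unsigned kernel driver from a QQ-group developer removes the very protections these tools are meant to help inspect.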
Source: https://github.com/ClownQq/YDArk
Download: YDArk v1.0.3.3