
Kernel Detective is a free tool that helps you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you direct access to the kernel, so it is not oriented toward newbies. Changing essential kernel-mode objects without enough knowledge will lead you to only one result ... BSoD !

Supported NT versions : XP/Vista

Kernel Detective gives you the ability to :
1- Detect Hidden Processes.
2- Detect Hidden Threads.
3- Detect Hidden DLLs.
4- Detect Hidden Handles.
5- Detect Hidden Drivers.
6- Detect Hooked SSDT.
7- Detect Hooked Shadow SSDT.
8- Detect Hooked IDT.
9- Detect Kernel-mode code modifications and hooks.
10- Disassemble (Read/Write) Kernel-mode/User-mode memory.
11- Monitor debug output on your system.

Enumerate running processes and print important values such as Process Id, Parent Process Id, ImageBase, EntryPoint, VirtualSize, PEB block address and EPROCESS block address. Special undocumented detection algorithms were implemented to detect hidden processes.

Detect hidden and suspicious threads in the system and allow the user to forcibly terminate them.

Enumerate a specific running process's Dynamic-Link Libraries and show every DLL's ImageBase, EntryPoint, Size and Path. You can also inject or free a specific module.

Enumerate a specific running process's open handles, show every handle's object name and address, and give you the ability to close the handle.

Enumerate loaded kernel-mode drivers and show every driver's ImageBase, EntryPoint, Size, Name and Path. Undocumented detection algorithms were implemented to detect hidden drivers.

Scan the system service table (SSDT) and show every service function address alongside the real function address; the detection algorithm has been improved to bypass KeServiceDescriptorTable EAT/IAT hooks. You can restore a single service function address or restore the whole table.

Scan the shadow system service table (Shadow SSDT) and show every shadow service function address alongside the real function address. You can restore a single shadow service function address or restore the whole table.

Scan the interrupt descriptor table (IDT) and show every interrupt handler offset, selector, type, attributes and real handler offset. This is applied to every processor on multi-processor machines.

Scan the important system kernel modules, detect modifications in their bodies and analyze them. For now it can detect and restore inline code modifications, EAT hooks and IAT hooks. I'm looking into other types of hooks for the next releases of Kernel Detective.
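As an added illustration of the SSDT check described above (this is not Kernel Detective's own code), the following Python triages a constructed SSDT snapshot: each entry's live address is compared with the expected one, a mismatch is reported as hooked, and the hooking address is attributed to a loaded module or, when no module claims it, left unattributed as a pointer toward a hidden driver. The service names, addresses and module ranges are constructed sample values, not real system data.

```python
"""Triage a constructed SSDT snapshot for hooks: compare the live service
address with the expected one and attribute any redirection to a module.
Added example, not Kernel Detective code; all values below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class SsdtEntry:
    index: int
    name: str
    current: int  # address currently in the live service table
    real: int     # expected address resolved from the on-disk kernel image (assumption)


# Constructed loaded-module list: the kernel plus one suspicious driver.
MODULES = [
    Module("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    Module("suspicious.sys", 0xF8A10000, 0x4000),
]

# Constructed snapshot: two entries redirected into suspicious.sys, one entry
# redirected into memory that no listed module owns (hidden-driver pattern).
SNAPSHOT = [
    SsdtEntry(0x25, "NtCreateFile", 0x8057D410, 0x8057D410),
    SsdtEntry(0x7A, "NtOpenProcess", 0xF8A11230, 0x805C9F4E),
    SsdtEntry(0xAD, "NtQuerySystemInformation", 0xF8A11560, 0x80606A2E),
    SsdtEntry(0xB2, "NtReadVirtualMemory", 0x8058A8F0, 0x8058A8F0),
    SsdtEntry(0xC0, "NtEnumerateKey", 0xF9C00180, 0x805F2A10),
]


def owner(addr: int, modules: list) -> Optional[str]:
    """Name of the loaded module covering addr, or None if nothing claims it."""
    return next((m.name for m in modules if m.contains(addr)), None)


def triage(snapshot: list, modules: list) -> dict:
    """Map service index -> (verdict, owning module of the live address)."""
    return {e.index: ("ok" if e.current == e.real else "hooked",
                      owner(e.current, modules)) for e in snapshot}


def restore_plan(snapshot: list, modules: list) -> list:
    """(index, live address, real address) for every entry a restore would rewrite."""
    verdicts = triage(snapshot, modules)
    return [(e.index, e.current, e.real)
            for e in snapshot if verdicts[e.index][0] == "hooked"]
```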

A nice disassembler relying on the OllyDbg disasm engine; thanks to Oleh Yuschuk for publishing your nice disasm engine. With it you can disassemble, assemble and hex-edit the virtual memory of a specific process or even kernel-space memory. Kernel Detective uses its own Read/Write routines from kernel mode and doesn't rely on any Windows API. That makes Kernel Detective able to read/write process VM even if NtReadProcessMemory/NtWriteProcessMemory is hooked, and it also bypasses hooks on other important kernel-mode routines like KeStackAttachProcess and KeAttachProcess.

Show the messages sent by drivers to the kernel debugger, just like DbgView by Mark Russinovich. It does this by hooking interrupt 0x2d, which is responsible for outputting debug messages. Hooking interrupts may cause problems on some machines, so DebugView is turned off by default; to turn it on you must run Kernel Detective with the "-debugv" parameter.

GamingMasteR - AT4RE
