modGREPER (a hidden module detector)
Results 1 to 2 of 2

Thread: modGREPER (a hidden module detector)

  1. #1
    Senior Member
    Join Date
    May 2004
    Posts
    274

    modGREPER (a hidden module detector)

    Hi all,


    modGREPER is a hidden module detector for Windows 2000/XP/2003. It searches through whole kernel memory (0x80000000 – 0xffffffff) in order to find structures which looks like a valid module description objects. Currently two most important objects type are recognized: well known _DRIVER_OBJECT and _MODULE_DESCRIPTION. GREPER has some sort of artificial intelligence built in, which allows it recognize if the given bytes actually describe a module-specific object. The term AI for this algorithm is probably a little bit exaggerated, since it is just a few bunches of logical rules which should be satisfied by the potential fields of the structure in question.

    modGREPER builds a list of found objects, matches them to each other and finally compares this list against the list of kernel modules obtained with documented API (EnumDeviceDrivers).

    modGREPER should be able to detect all kinds of modules hiding techniques used today. Some of the modules are also marked as “SUSPECTED”. This applies to (not hidden) modules which corresponding image files are either not present either lie within hidden directories (hidden by rootkit not system)). This feature was added because, sadly, most of the rootkits do not even try to hide their kernel modules against API!

    modGREPER is also able to find and display the list of unloaded kernel modules. This way it is sometime possible to detect also more advanced driverless kernel rootkits. However the list has some limitations it is of a limited capacity and contains only a module base name (no path included).
    Source: http://invisiblethings.org/tools/modGREPER/readme.txt
    Download: http://invisiblethings.org/tools/mod...ER-0.2-bin.zip

    Thanks
    Excuse me, is there an airport nearby large enough for a private jet to land?

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    great tool!

    but now a question. what in hell are these?

    C:\security\ModGrepper\modGREPER-0.2-bin>modgreper -h
    modGREPER 0.2, written by Joanna Rutkowska (June 2005)
    http://invisiblethings.org
    searching phase 1 completed.
    searching phase 2 completed.

    ? f7dd6000 - f7dd8000 : \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    ? ee94a000 - ee962000 : \SystemRoot\System32\Drivers\dump_atapi.sys

    THERE ARE 2 SUSPECTED MODULE(S)!!!


    i go to the folder and cant find them and the computer is set to view all files including system files.


    OK, sorry to ask this question before i did any research. i just got nervous.

    ump_wmilib.sys
    dump_WMILIB.SYS is a part of Microsoft Windows Operation system.
    dump_WMILIB.SYS is the WMI driver.

    so why cant i find them. they aren't even found in the registry
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •