Antionline Forums - Microsoft Security Discussions
June 15th, 2005, 05:39 AM   #1
mmkhan
Senior Member
Join Date: May 2004
Posts: 246
modGREPER (a hidden module detector)

Hi all,


Quote:
modGREPER is a hidden module detector for Windows 2000/XP/2003. It searches through the whole kernel memory (0x80000000 – 0xffffffff) in order to find structures which look like valid module description objects. Currently the two most important object types are recognized: the well-known _DRIVER_OBJECT and _MODULE_DESCRIPTION. GREPER has some sort of artificial intelligence built in, which allows it to recognize whether the given bytes actually describe a module-specific object. The term AI for this algorithm is probably a little bit exaggerated, since it is just a few bunches of logical rules which should be satisfied by the potential fields of the structure in question.

modGREPER builds a list of found objects, matches them to each other and finally compares this list against the list of kernel modules obtained with the documented API (EnumDeviceDrivers).

modGREPER should be able to detect all kinds of module hiding techniques used today. Some of the modules are also marked as “SUSPECTED”. This applies to (not hidden) modules whose corresponding image files are either not present or lie within hidden directories (hidden by a rootkit, not the system). This feature was added because, sadly, most of the rootkits do not even try to hide their kernel modules against the API!

modGREPER is also able to find and display the list of unloaded kernel modules. This way it is sometimes possible to detect also more advanced driverless kernel rootkits. However, the list has some limitations: it is of a limited capacity and contains only a module base name (no path included).
Source: http://invisiblethings.org/tools/modGREPER/readme.txt
Download: http://invisiblethings.org/tools/mod...ER-0.2-bin.zip

Thanks
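The readme above describes a "cross-view" detector: scan kernel memory for byte runs that satisfy a set of logical rules for a _DRIVER_OBJECT, then compare the image bases you recover against what EnumDeviceDrivers() reports, and flag the difference as hidden. The following is an added example written for this page; it is not modGREPER's code and does not read real kernel memory. It scans a constructed in-process buffer standing in for a kernel-memory snapshot, applies rules of the kind the readme alludes to (object type and size, a page-aligned kernel-space image base, a sane image size, consistent UNICODE_STRING fields), and matches the hits against a constructed list standing in for the API view. The field offsets and the 0xA8 object size are the 32-bit x86 _DRIVER_OBJECT layout from the WDK headers, as assumed here; the driver names, bases and sizes are made up.

```c
/* Added example (not modGREPER's code): a miniature cross-view hidden-driver
 * detector. It scans a constructed buffer that stands in for a kernel-memory
 * snapshot, applies a handful of logical rules to decide whether a byte run
 * looks like a 32-bit _DRIVER_OBJECT, and compares the recovered image bases
 * against a list that stands in for the EnumDeviceDrivers() result. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KERNEL_LO      0x80000000u   /* kernel address range modGREPER scans */
#define DRVOBJ_SIZE    0xA8u         /* sizeof(_DRIVER_OBJECT) on x86 (assumed WDK layout) */
#define IO_TYPE_DRIVER 4             /* Type field value for driver objects */

/* Field offsets in the x86 _DRIVER_OBJECT (assumption: WDK header layout). */
enum { OFF_TYPE = 0x00, OFF_SIZE = 0x02, OFF_DRIVERSTART = 0x0C, OFF_DRIVERSIZE = 0x10,
       OFF_NAME_LEN = 0x1C, OFF_NAME_MAXLEN = 0x1E, OFF_NAME_BUF = 0x20 };

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* The "few bunches of logical rules": every check must hold for a candidate. */
int looks_like_driver_object(const uint8_t *p)
{
    if (rd16(p + OFF_TYPE) != IO_TYPE_DRIVER) return 0;
    if (rd16(p + OFF_SIZE) != DRVOBJ_SIZE) return 0;
    uint32_t start = rd32(p + OFF_DRIVERSTART), size = rd32(p + OFF_DRIVERSIZE);
    if (start < KERNEL_LO || (start & 0xFFF) != 0) return 0;            /* base: kernel, page aligned */
    if (size == 0 || size > 0x10000000u || start + size < start) return 0; /* sane, non-wrapping size */
    uint16_t len = rd16(p + OFF_NAME_LEN), maxlen = rd16(p + OFF_NAME_MAXLEN);
    if (len == 0 || (len & 1) || len > maxlen) return 0;                /* UNICODE_STRING invariants */
    if (rd32(p + OFF_NAME_BUF) < KERNEL_LO) return 0;                   /* name buffer in kernel space */
    return 1;
}

struct finding { uint32_t base; uint32_t size; int hidden; };

/* Scan the snapshot at 4-byte granularity (pool allocations are aligned), then
 * mark as hidden every image base the API view does not report. */
int scan_snapshot(const uint8_t *mem, size_t len, const uint32_t *api_bases, size_t n_api,
                  struct finding *out, size_t max_out)
{
    size_t n = 0;
    for (size_t off = 0; off + DRVOBJ_SIZE <= len && n < max_out; off += 4) {
        if (!looks_like_driver_object(mem + off)) continue;
        out[n].base = rd32(mem + off + OFF_DRIVERSTART);
        out[n].size = rd32(mem + off + OFF_DRIVERSIZE);
        out[n].hidden = 1;
        for (size_t i = 0; i < n_api; i++)
            if (api_bases[i] == out[n].base) out[n].hidden = 0;
        n++;
    }
    return (int)n;
}

/* Write one candidate object into the buffer; the decoy only differs in `type`. */
static void put_object(uint8_t *p, uint16_t type, uint16_t size, uint32_t base, uint32_t len)
{
    memset(p, 0, DRVOBJ_SIZE);
    wr16(p + OFF_TYPE, type);            wr16(p + OFF_SIZE, size);
    wr32(p + OFF_DRIVERSTART, base);     wr32(p + OFF_DRIVERSIZE, len);
    wr16(p + OFF_NAME_LEN, 24);          wr16(p + OFF_NAME_MAXLEN, 26);
    wr32(p + OFF_NAME_BUF, 0x8A000000u); /* constructed kernel-space name pointer */
}

/* Constructed snapshot: one driver the API reports, one it does not (hidden),
 * and a decoy whose Type field is wrong. Returns the number of hidden modules. */
int demo_hidden_count(void)
{
    static uint8_t mem[4096];
    memset(mem, 0x41, sizeof mem);   /* filler that never satisfies the rules */
    put_object(mem + 0x100, IO_TYPE_DRIVER, DRVOBJ_SIZE, 0xF7DD6000u, 0x2000); /* visible */
    put_object(mem + 0x400, IO_TYPE_DRIVER, DRVOBJ_SIZE, 0xB9A10000u, 0x5000); /* hidden  */
    put_object(mem + 0x800, 3,              DRVOBJ_SIZE, 0xB9B00000u, 0x1000); /* decoy   */
    const uint32_t api_view[] = { 0xF7DD6000u };  /* stand-in for EnumDeviceDrivers() */
    struct finding f[8];
    int n = scan_snapshot(mem, sizeof mem, api_view, 1, f, 8), hidden = 0;
    for (int i = 0; i < n; i++) {
        printf("%c %08x - %08x\n", f[i].hidden ? '!' : ' ', f[i].base, f[i].base + f[i].size);
        hidden += f[i].hidden;
    }
    return hidden;
}

int main(void) { printf("%d hidden module(s)\n", demo_hidden_count()); return 0; }
```

The point of the rules is precision, not recall: a single rule such as Type == 4 would fire on random pool bytes, but a page-aligned kernel base, a plausible size and a self-consistent UNICODE_STRING are unlikely to co-occur by accident. The decoy shows that one failed rule is enough to drop a candidate, and the hidden entry shows the cross-view step itself, which is the only part that needs no knowledge of how the rootkit unlinked its module.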
June 16th, 2005, 02:48 AM   #2
Tedob1
Senior Member
Join Date: Nov 2001
Posts: 4,788
Great tool!

But now a question: what in hell are these?

C:\security\ModGrepper\modGREPER-0.2-bin>modgreper -h
modGREPER 0.2, written by Joanna Rutkowska (June 2005)
http://invisiblethings.org
searching phase 1 completed.
searching phase 2 completed.

? f7dd6000 - f7dd8000 : \SystemRoot\System32\Drivers\dump_WMILIB.SYS
? ee94a000 - ee962000 : \SystemRoot\System32\Drivers\dump_atapi.sys

THERE ARE 2 SUSPECTED MODULE(S)!!!


I go to the folder and can't find them, and the computer is set to view all files including system files.


OK, sorry to ask this question before I did any research. I just got nervous.

dump_wmilib.sys
dump_WMILIB.SYS is a part of the Microsoft Windows operating system.
dump_WMILIB.SYS is the WMI driver.

So why can't I find them? They aren't even found in the registry.