A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #3884  by STRELiTZIA
 Wed Dec 08, 2010 6:31 pm
Hello,
What's new in v1.4.0 :
- Added plugins system
- Added support for Windows Server 2008, Seven SP1
- Enhanced stability on NT 6.0+ (Windows Vista/Seven)
- Improved driver scan
- Improved code hook scan
- Fixed bug preventing the tool from working on Windows XP
- Fixed bug related to long paths
- Fixed bug in process/driver dumper
- Fixed bug in IDT scan

Download Link :
http://www.mediafire.com/?94hb182iirjpvcr

SHA-256 :
3C0D5426A2FE65EB72FB4F6A396C4CF83285B38EAE188B41C6F8D048157FF6DF
I like: Added new plugins system and Script Engine.

Regards.
 #3886  by Meriadoc
 Wed Dec 08, 2010 8:03 pm
Yes, nice additions :)

Kernel Detective is always in my 'tool kit', so I appreciate the update - thanks for a nice tool.
 #3891  by EP_X0FF
 Thu Dec 09, 2010 4:01 am
Hi,

nice release :)

here is bugreport

when trying to access callbacks program crashes.

Clean XP SP3
 #3892  by STRELiTZIA
 Thu Dec 09, 2010 7:49 am
Hi,
EP_X0FF wrote:Hi,

nice release :)

here is bugreport

when trying to access callbacks program crashes.

Clean XP SP3
Bug reproduced successfully...

My Tests:
First test: launch KDetective (viewing System Notify Callbacks without crash)
Second test: clear all callbacks... (crash during cleaning)
Third test: launch KDetective a second time (crash when viewing System Notify Callbacks)

- Tested on Win Xp SP3 + Windows 7.

Regards.
 #3894  by Mehdi
 Thu Dec 09, 2010 8:00 am
I got a BSOD on my Windows 7
DRIVER_IRQL_NOT_LESS_OR_EQUAL
(In the "Processes" tab, there was a process called "G" whose "Virtual Size" was 0 and whose entry was red. I killed it, switched to other tabs, then switched back to the "Processes" tab and got a BSOD)
(Was that "G" process anything related to "Kernel Detective"??
because now (after reboot) I have something similar:
[screenshot attached]
but other tools (Gmer, Xuetr, RKUnhooker) don't show anything suspicious!)
I've attached output of "!analyze -v" and "whocrashed"
 #3899  by Mehdi
 Thu Dec 09, 2010 11:30 am
a very minor issue:
in "Drivers" tab, we can right-click on any entry, then "Properties" and we'll see the "Properties" of that driver file; but this operation doesn't work on some entries. For example in Windows XP SP2, "right click->Properties" on "devflt.sys" doesn't work (although, the file is in system32\drivers)
(these don't work either: disk.sys, dmio.sys, acpi.sys)
 #3904  by STRELiTZIA
 Thu Dec 09, 2010 5:54 pm
Hi,
Mehdi wrote:a very minor issue:
in "Drivers" tab, we can right-click on any entry, then "Properties" and we'll see the "Properties" of that driver file; but this operation doesn't work on some entries. For example in Windows XP SP2, "right click->Properties" on "devflt.sys" doesn't work (although, the file is in system32\drivers)
(these don't work either: disk.sys, dmio.sys, acpi.sys)
Yes, confirmed...
all driver names displayed without a full path are affected...

E.g:
- C:\WINDOWS\System32\Drivers\Null.sys --> properties... ok
- pci.sys --> failed.

KDetective searches for "pci.sys" in the "system32" folder but ignores the "drivers" folder.
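The lookup problem described above, as an added example that is not Kernel Detective's own code: a resolver that maps the module names a driver list reports (full Win32 path, \SystemRoot\ form, \??\ form, or a bare name like pci.sys) to an on-disk file, trying system32\drivers before system32 for bare names. The search order, the `resolve_driver_path` name and the fake disk contents are assumptions made for the example.

```python
import ntpath

# Constructed search order for bare driver names: the bug in the thread was a
# lookup that checked system32 but not system32\drivers, so drivers comes first.
BARE_NAME_DIRS = (r"System32\Drivers", r"System32")


def resolve_driver_path(reported, system_root=r"C:\WINDOWS", exists=ntpath.exists):
    """Map a kernel-reported module name to a file path, or None if not found.

    Accepted forms: \\SystemRoot\\... (rooted at system_root), \\??\\C:\\...
    (NT object prefix stripped), an absolute Win32 path, or a bare file name
    that is searched in BARE_NAME_DIRS.
    """
    name = reported.strip()
    lower = name.lower()
    if lower.startswith("\\systemroot\\"):
        candidate = ntpath.join(system_root, name[len("\\SystemRoot\\"):])
        return candidate if exists(candidate) else None
    if lower.startswith("\\??\\"):
        candidate = name[len("\\??\\"):]
        return candidate if exists(candidate) else None
    if ntpath.splitdrive(name)[0]:
        return name if exists(name) else None
    # Bare name: check every plausible directory instead of only system32.
    for sub in BARE_NAME_DIRS:
        candidate = ntpath.join(system_root, sub, name)
        if exists(candidate):
            return candidate
    return None


# Constructed stand-in for the disk so the example runs offline;
# paths are compared case-insensitively, as NTFS does.
FAKE_DISK = {
    r"c:\windows\system32\drivers\null.sys",
    r"c:\windows\system32\drivers\pci.sys",
    r"c:\windows\system32\ntoskrnl.exe",
}


def fake_exists(path):
    return path.lower() in FAKE_DISK


def demo():
    names = (r"C:\WINDOWS\System32\Drivers\Null.sys", "pci.sys", "ntoskrnl.exe",
             r"\SystemRoot\System32\Drivers\pci.sys", "missing.sys")
    return {n: resolve_driver_path(n, exists=fake_exists) for n in names}
```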
 #3907  by Alex
 Thu Dec 09, 2010 7:49 pm
Thanks GamingMasteR for sharing!

I don't have any troubles with the new version - everything works well!

Alex
 #3911  by GamingMasteR
 Fri Dec 10, 2010 3:20 pm
What's new in v1.4.1 :
- Fixed possible BSOD when scanning processes
- Fixed bug in callbacks scanning
- Enhanced display of file properties and signature verification
- Skeleton SDK for VS2008 included
Download Link :
http://www.mediafire.com/?o4mwekn7jtizdi4
SHA-256 :
619E9AE64CC9DE82DD35CB3469D413E8C78A57EC8021B8450B6EAD15526562D7