Monthly Archives: December 2006

IDTGuard v0.1 December, 2005 Build

This is a very interesting tool I wrote one year ago as a proof of concept of my IDT authenticity theory.

The tool can be found at: IDTGuard v0.1

Note: This tool doesn't work with Windows 2003 SP1 because I used \\PhysicalMemory (http://technet2.microsoft.com/WindowsServer/en/library/e0f862a3-cf16-4a48-bea5-f2004d12ce351033.mspx?mfr=true).

The following paste is a sample session on Windows 2000 in which the hooked 0x2D interrupt is listed and restored.

Interrupt Descriptor Table(IDT) Guard
matt@msuiche.net www.msuiche.net
Version 0.1 – (c) December, 2005 –

INT 0x01 has been hooked at 0x816C001D (Org INT = 0x80466786) by Unknow
INT 0x02 has been hooked at 0x0000145E (Org INT = 0x80466826) by Unknow
INT 0x03 has been hooked at 0x816C003C (Org INT = 0x80466A5E) by Unknow
INT 0x08 has been hooked at 0x000014B8 (Org INT = 0x80467670) by Unknow
INT 0x0E has been hooked at 0x816C007A (Org INT = 0x804688F4) by Unknow
INT 0x13 has been hooked at 0x8046900B (Org INT = 0x80468C8F) by ntoskrnl.exe
INT 0x1F has been hooked at 0x80064908 (Org INT = 0x80468C8F) by hal.dll
INT 0x2D has been hooked at 0xBE8C2B5C (Org INT = 0x8046694E) by DbgMsg.SYS
INT 0x37 has been hooked at 0x800640B8 (Org INT = 0x80464C56) by hal.dll
INT 0x3D has been hooked at 0x80065254 (Org INT = 0x80464C92) by hal.dll
INT 0x41 has been hooked at 0x800650C8 (Org INT = 0x80464CBA) by hal.dll
INT 0x50 has been hooked at 0x80064190 (Org INT = 0x80464D50) by hal.dll
INT 0x51 has been hooked at 0x816878A4 (Org INT = 0x80464D5A) by Unknow
INT 0x52 has been hooked at 0x81688DC4 (Org INT = 0x80464D64) by Unknow
INT 0x83 has been hooked at 0x81674424 (Org INT = 0x80464F4E) by Unknow
INT 0x92 has been hooked at 0x816B4584 (Org INT = 0x80464FE4) by Unknow
INT 0x93 has been hooked at 0x81686DC4 (Org INT = 0x80464FEE) by Unknow
INT 0xA2 has been hooked at 0x81687D64 (Org INT = 0x80465084) by Unknow
INT 0xA3 has been hooked at 0x816B6504 (Org INT = 0x8046508E) by Unknow
INT 0xB1 has been hooked at 0x816F8044 (Org INT = 0x8046511A) by Unknow
INT 0xB3 has been hooked at 0x816891C4 (Org INT = 0x8046512E) by Unknow
INT 0xC1 has been hooked at 0x800642FC (Org INT = 0x804651BA) by hal.dll
INT 0xD1 has been hooked at 0x80063964 (Org INT = 0x8046525A) by hal.dll
INT 0xE1 has been hooked at 0x80064858 (Org INT = 0x804652FA) by hal.dll
INT 0xE3 has been hooked at 0x800645D4 (Org INT = 0x8046530E) by hal.dll
INT 0xFD has been hooked at 0x80064D64 (Org INT = 0x804653E2) by hal.dll
INT 0xFE has been hooked at 0x80064EEC (Org INT = 0x804653E9) by hal.dll

27 Interruptions have been modified.

Help:
q :quit
s :reshow list of modified interrupt
r X :restore interruption X in IDT(sample: r 0xA1)
h :show this help

cmd>r 0x2D
Are you sure that you want to restore the Interruption 0x2D(45)? (y/n)y

Let’s restore it !
I will do that :
Offset : 0xBE8C2B5C => 0x8046694E
Dpl : 0x01 => 0x01
Type : IntG32 => IntG32

Are you sure?(y/n)y

Reconstrution of the INT 0x2D
Offset value…Done
Dpl(Descriptor Privilege Level) value…Done
Type value…Done

OKiE

cmd>s
INT 0x01 has been hooked at 0x816C001D (Org INT = 0x80466786) by Unknow
INT 0x02 has been hooked at 0x0000145E (Org INT = 0x80466826) by Unknow
INT 0x03 has been hooked at 0x816C003C (Org INT = 0x80466A5E) by Unknow
INT 0x08 has been hooked at 0x000014B8 (Org INT = 0x80467670) by Unknow
INT 0x0E has been hooked at 0x816C007A (Org INT = 0x804688F4) by Unknow
INT 0x13 has been hooked at 0x8046900B (Org INT = 0x80468C8F) by ntoskrnl.exe
INT 0x1F has been hooked at 0x80064908 (Org INT = 0x80468C8F) by hal.dll
INT 0x37 has been hooked at 0x800640B8 (Org INT = 0x80464C56) by hal.dll
INT 0x3D has been hooked at 0x80065254 (Org INT = 0x80464C92) by hal.dll
INT 0x41 has been hooked at 0x800650C8 (Org INT = 0x80464CBA) by hal.dll
INT 0x50 has been hooked at 0x80064190 (Org INT = 0x80464D50) by hal.dll
INT 0x51 has been hooked at 0x816878A4 (Org INT = 0x80464D5A) by Unknow
INT 0x52 has been hooked at 0x81688DC4 (Org INT = 0x80464D64) by Unknow
INT 0x83 has been hooked at 0x81674424 (Org INT = 0x80464F4E) by Unknow
INT 0x92 has been hooked at 0x816B4584 (Org INT = 0x80464FE4) by Unknow
INT 0x93 has been hooked at 0x81686DC4 (Org INT = 0x80464FEE) by Unknow
INT 0xA2 has been hooked at 0x81687D64 (Org INT = 0x80465084) by Unknow
INT 0xA3 has been hooked at 0x816B6504 (Org INT = 0x8046508E) by Unknow
INT 0xB1 has been hooked at 0x816F8044 (Org INT = 0x8046511A) by Unknow
INT 0xB3 has been hooked at 0x816891C4 (Org INT = 0x8046512E) by Unknow
INT 0xC1 has been hooked at 0x800642FC (Org INT = 0x804651BA) by hal.dll
INT 0xD1 has been hooked at 0x80063964 (Org INT = 0x8046525A) by hal.dll
INT 0xE1 has been hooked at 0x80064858 (Org INT = 0x804652FA) by hal.dll
INT 0xE3 has been hooked at 0x800645D4 (Org INT = 0x8046530E) by hal.dll
INT 0xFD has been hooked at 0x80064D64 (Org INT = 0x804653E2) by hal.dll
INT 0xFE has been hooked at 0x80064EEC (Org INT = 0x804653E9) by hal.dll

cmd>q
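The check the session above performs, as an added example that is not IDTGuard's code: decode 32-bit IDT gate descriptors from a memory snapshot, compare each handler offset with a baseline of original handlers, attribute the hook to a module by address range, and rebuild a gate from its Offset, DPL and Type the way the restore step does. The module ranges, the baseline addresses and the snapshot are constructed for the example; a real check would take the ranges from the loaded-module list and the baseline from the kernel's own handler table.

```c
#include <stdint.h>
#include <string.h>
/* 32-bit x86 IDT gate descriptor, 8 bytes as laid out in memory. */
typedef struct {
    uint16_t offset_low, selector;
    uint8_t  reserved, attr;        /* attr = P | DPL(2 bits) | 0 | type(4 bits) */
    uint16_t offset_high;
} idt_gate_t;
_Static_assert(sizeof(idt_gate_t) == 8, "gate must be 8 bytes");
#define INTG32 0x0E                 /* 32-bit interrupt gate, "IntG32" in the tool */
static uint32_t gate_offset(idt_gate_t g) { return ((uint32_t)g.offset_high << 16) | g.offset_low; }
static uint8_t  gate_dpl(idt_gate_t g)    { return (g.attr >> 5) & 3; }
/* Rebuild a gate from Offset, DPL and Type: what the tool's restore step writes back. */
static idt_gate_t make_gate(uint32_t offset, uint8_t dpl, uint8_t type, uint16_t sel) {
    idt_gate_t g = { (uint16_t)offset, sel, 0,
                     (uint8_t)(0x80 | ((dpl & 3) << 5) | (type & 0x0F)), (uint16_t)(offset >> 16) };
    return g;
}
/* Hypothetical module ranges; a real check takes them from the loaded-module list. */
typedef struct { const char *name; uint32_t lo, hi; } module_t;
static const module_t modules[] = { { "ntoskrnl.exe", 0x80400000, 0x80500000 },
                                    { "hal.dll",      0x80060000, 0x80070000 },
                                    { "DbgMsg.SYS",   0xBE8C0000, 0xBE8D0000 } };
static const char *owner_of(uint32_t addr) {
    for (size_t i = 0; i < sizeof modules / sizeof *modules; i++)
        if (addr >= modules[i].lo && addr < modules[i].hi) return modules[i].name;
    return "Unknown";               /* the tool prints "Unknow" for this case */
}
/* One report line: vector, current handler, original handler, attributed owner. */
typedef struct { int vector; uint32_t cur, org; const char *owner; } hook_t;
static int check_idt(const idt_gate_t *idt, const uint32_t *baseline, int n, hook_t *out) {
    int hooks = 0;
    for (int v = 0; v < n; v++) {
        uint32_t cur = gate_offset(idt[v]);
        if (cur != baseline[v]) out[hooks++] = (hook_t){ v, cur, baseline[v], owner_of(cur) };
    }
    return hooks;
}
/* Constructed snapshot of vectors 0x00..0x2D, two of them redirected as in the session. */
#define NVEC 0x2E
static hook_t found[NVEC];
static int scan_sample(void) {
    uint32_t baseline[NVEC]; idt_gate_t idt[NVEC];
    for (int v = 0; v < NVEC; v++) {            /* made-up original handler addresses */
        baseline[v] = 0x80466000u + 0x10u * (uint32_t)v;
        idt[v] = make_gate(baseline[v], 0, INTG32, 0x08);
    }
    idt[0x01] = make_gate(0x816C001D, 0, INTG32, 0x08);   /* INT 0x01 -> unattributed code */
    idt[0x2D] = make_gate(0xBE8C2B5C, 3, INTG32, 0x08);   /* INT 0x2D -> DbgMsg.SYS */
    return check_idt(idt, baseline, NVEC, found);
}
```

Entries attributed to "Unknown" are the ones worth investigating first: their handler lies outside every loaded module, which is what a hidden driver or injected code looks like from the IDT's point of view.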