Hi, I just wrote SanityCheck XE. Here's what it does: this software checks
running kernel modules, processes, threads, object types and DPCs, and
checks the modules in which related routines reside. It's intended to reveal
misbehaving third-party drivers.
- Get all driver objects in the system along with their related driver files,
image base addresses, sizes, driver init routines, start I/O, unload and
function routines. Then it checks all those addresses and displays the
drivers in which these addresses reside, so if any of your driver objects are
hijacked it will be easy to find out.
- Get a list of DPCs in the system and see what type and kind they are
(threaded DPCs will be revealed). It will show related device objects and
related driver names, and will check which kernel modules the
DeferredProcedures point into. If any DPCs are legally hijacked, this software
will let you find out.
- Get all device objects in the system along with their related drivers, along
with a bunch of info.
- Get all object types and check their type initializers, and display the names
of the kernel modules in which their open, close, parse, dump, delete and
security routines are pointing. Makes it easy.
- Get all processes. It uses six unmentioned ways to detect processes, giving
hidden processes really little chance.
- Get all threads in the system and display them along with a bunch of
info.
Note: this software is not intended as an anti-rootkit software but as a
utility to find interop issues with misbehaving third-party drivers.
It may take ages to detect these things using standard WinDbg. This software
runs on Windows 2000-2008 and everything in between (x86 and x64 editions).
This software has been thoroughly tested, verified and unverified on a bunch
of OSes and runs without problems. If this software does crash on a certain
service pack, please drop me a line. This is a read-only driver, it loads,
gets information and unloads leaving the kernel in an unaltered state. It
does NOT make use of any undocumented system calls but yes, makes use of
undocumented structures. The software relies on a GlobalFlags registry
setting, the program sets and restores this upon request.
Download it from here:
http://www.resplendence.com/download/sanityxe.zip
Note: no help is provided. Any comments will be appreciated.
//Daniel
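As an added example (not code from SanityCheck XE or its author), here is the core check the post describes: resolving each routine address taken from a driver object, DPC or object type to the loaded kernel module whose image range contains it, and flagging addresses no module claims. The module list and routine addresses are constructed sample data, not real kernel addresses.

```python
# Added example: map routine pointers to the kernel module that owns them.
# A pointer that lands outside every loaded module's [base, base+size) range
# is exactly the "hijacked" case the post says the tool makes easy to spot.
from bisect import bisect_right

# (name, image base, image size): constructed values, not real addresses.
MODULES = [
    ("ntoskrnl.exe", 0xFFFFF80001000000, 0x00600000),
    ("hal.dll",      0xFFFFF80001600000, 0x00040000),
    ("mydriver.sys", 0xFFFFF88001200000, 0x00010000),
]

def build_index(modules):
    """Sort modules by image base so each lookup is a binary search."""
    mods = sorted(modules, key=lambda m: m[1])
    return mods, [m[1] for m in mods]

def resolve(address, mods, bases):
    """Return the module name containing address, or None if none does."""
    i = bisect_right(bases, address) - 1
    if i < 0:
        return None
    name, base, size = mods[i]
    return name if base <= address < base + size else None

def check_routines(routines, modules=MODULES):
    """Map routine name -> owning module (None = no loaded module claims it)."""
    mods, bases = build_index(modules)
    return {n: resolve(a, mods, bases) for n, a in routines.items()}

def suspicious(routines, modules=MODULES):
    """Names of routines whose pointer is outside every loaded module."""
    return sorted(n for n, m in check_routines(routines, modules).items()
                  if m is None)

# Constructed DriverObject-style routine table for the hypothetical mydriver.sys.
SAMPLE_ROUTINES = {
    "DriverInit":    0xFFFFF88001201000,  # inside mydriver.sys
    "DriverUnload":  0xFFFFF88001203000,  # inside mydriver.sys
    "IRP_MJ_CREATE": 0xFFFFF80001010000,  # inside ntoskrnl.exe (can be legitimate)
    "IRP_MJ_READ":   0xFFFFFA8000123000,  # outside every module: investigate
}

if __name__ == "__main__":
    for name, mod in check_routines(SAMPLE_ROUTINES).items():
        print(f"{name:14} -> {mod or '<no module: investigate>'}")
```

Feed it the module list and routine tables you obtain from a debugger or a driver walk; an address exactly one byte past a module's end is reported as unowned, so boundary errors are not masked.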