Kdrill: Python tool to check rootkits in Windows kernel
Kdrill
Kdrill is a tool to analyze the kernel land of Windows 64b systems (tested from Windows 7 to Windows 11). Its main objective is to assess if the kernel is compromised by a rootkit.
The code is compatible with python2/3 without dependencies and can perform checks without Microsoft symbols or Internet connectivity.
For live memory/kernel analysis, the Winpmem driver is used and Kdrill interfaces itself with the driver, another possibility is to connect to a remote GDB server. KDrill can also analyze Full crash dumps and Kernel crash dumps (mainly stored in C:\Windows\MEMORY.DMP) and a fucked version of AFF4 dumps (zip, but not zipped).
Kdrill accesses the physical memory and decodes/re-builds the OS internals structures to explore them, and to verify their integrity.
The following checks are performed:
- Loaded modules list
- Drivers in memory code (compared to on-disk version)
- Callbacks of kernel objects and internal ntoskrnl lists
- PlugAndPlay tree and filters
- FltMgr callbacks
- KTimers DPC functions
- IRP driver’s tables
- Driver signing global variables avec callbacks
- NDIS filters and callbacks
- NetIO/FwpkCLNT filtering dispatch
- Devices and their attached device objects
- IDT entries
- PatchGuard initialization and state
Download
Copyright (c) 2024, ExaTrack & Stefan Le Berre
All rights reserved.
