Kdrill: Python tool to check rootkits in Windows kernel

by ddos · Published · Updated

Kdrill

Kdrill is a tool to analyze the kernel land of Windows 64b systems (tested from Windows 7 to Windows 11). Its main objective is to assess if the kernel is compromised by a rootkit.

The code is compatible with python2/3 without dependencies and can perform checks without Microsoft symbols or Internet connectivity.

For live memory/kernel analysis, the Winpmem driver is used and Kdrill interfaces itself with the driver, another possibility is to connect to a remote GDB server. KDrill can also analyze Full crash dumps and Kernel crash dumps (mainly stored in C:\Windows\MEMORY.DMP) and a version of AFF4 dumps (zip, but not zipped).

Kdrill accesses the physical memory and decodes/re-builds the OS internals structures to explore them, and to verify their integrity.

The following checks are performed:

  • Loaded modules list
  • Drivers in memory code (compared to on-disk version)
  • Callbacks of kernel objects and internal ntoskrnl lists
  • PlugAndPlay tree and filters
  • FltMgr callbacks
  • KTimers DPC functions
  • IRP driver’s tables
  • Driver signing global variables avec callbacks
  • NDIS filters and callbacks
  • NetIO/FwpkCLNT filtering dispatch
  • Devices and their attached device objects
  • IDT entries
  • PatchGuard initialization and state

Download

Copyright (c) 2024, ExaTrack & Stefan Le Berre
All rights reserved.

Tags: KdrillWindows Kernel