Matthieu Suiche (msuiche) <matt msuiche net>
Sunday, December 10 2006 18:41.36 CST
This is a very interesting tool I did one year ago to realize a proof of concept of my IDT authenticity theory.
The tool can be found at: IDTGuard v0.1
Note: This tool doesn't work with Windows 2003 SP1 because I used \PhysicalMemory. (http://technet2.microsoft.com/WindowsServer/en/library/e0f862a3-cf16-4a48-bea5-f2004d12ce351033.mspx?mfr=true)
The following paste is a sample of use with the 0x2D interrupt on Windows 2000.
Interrupt Descriptor Table(IDT) Guard
[email protected] www.msuiche.net
Version 0.1 - (c) December, 2005 -
INT 0x01 has been hooked at 0x816C001D (Org INT = 0x80466786) by Unknow
INT 0x02 has been hooked at 0x0000145E (Org INT = 0x80466826) by Unknow
INT 0x03 has been hooked at 0x816C003C (Org INT = 0x80466A5E) by Unknow
INT 0x08 has been hooked at 0x000014B8 (Org INT = 0x80467670) by Unknow
INT 0x0E has been hooked at 0x816C007A (Org INT = 0x804688F4) by Unknow
INT 0x13 has been hooked at 0x8046900B (Org INT = 0x80468C8F) by ntoskrnl.exe
INT 0x1F has been hooked at 0x80064908 (Org INT = 0x80468C8F) by hal.dll
INT 0x2D has been hooked at 0xBE8C2B5C (Org INT = 0x8046694E) by DbgMsg.SYS
INT 0x37 has been hooked at 0x800640B8 (Org INT = 0x80464C56) by hal.dll
INT 0x3D has been hooked at 0x80065254 (Org INT = 0x80464C92) by hal.dll
INT 0x41 has been hooked at 0x800650C8 (Org INT = 0x80464CBA) by hal.dll
INT 0x50 has been hooked at 0x80064190 (Org INT = 0x80464D50) by hal.dll
INT 0x51 has been hooked at 0x816878A4 (Org INT = 0x80464D5A) by Unknow
INT 0x52 has been hooked at 0x81688DC4 (Org INT = 0x80464D64) by Unknow
INT 0x83 has been hooked at 0x81674424 (Org INT = 0x80464F4E) by Unknow
INT 0x92 has been hooked at 0x816B4584 (Org INT = 0x80464FE4) by Unknow
INT 0x93 has been hooked at 0x81686DC4 (Org INT = 0x80464FEE) by Unknow
INT 0xA2 has been hooked at 0x81687D64 (Org INT = 0x80465084) by Unknow
INT 0xA3 has been hooked at 0x816B6504 (Org INT = 0x8046508E) by Unknow
INT 0xB1 has been hooked at 0x816F8044 (Org INT = 0x8046511A) by Unknow
INT 0xB3 has been hooked at 0x816891C4 (Org INT = 0x8046512E) by Unknow
INT 0xC1 has been hooked at 0x800642FC (Org INT = 0x804651BA) by hal.dll
INT 0xD1 has been hooked at 0x80063964 (Org INT = 0x8046525A) by hal.dll
INT 0xE1 has been hooked at 0x80064858 (Org INT = 0x804652FA) by hal.dll
INT 0xE3 has been hooked at 0x800645D4 (Org INT = 0x8046530E) by hal.dll
INT 0xFD has been hooked at 0x80064D64 (Org INT = 0x804653E2) by hal.dll
INT 0xFE has been hooked at 0x80064EEC (Org INT = 0x804653E9) by hal.dll
27 Interruptions have been modified.
Help:
q :quit
s :reshow list of modified interrupt
r X :restore interruption X in IDT(sample: r 0xA1)
h :show this help
cmd>r 0x2D
Are you sure that you want to restore the Interruption 0x2D(45)? (y/n)y
Let's restore it !
I will do that :
Offset : 0xBE8C2B5C => 0x8046694E
Dpl : 0x01 => 0x01
Type : IntG32 => IntG32
Are you sure?(y/n)y
Reconstrution of the INT 0x2D
Offset value…Done
Dpl(Descriptor Privilege Level) value…Done
Type value…Done
OKiE
cmd>s
INT 0x01 has been hooked at 0x816C001D (Org INT = 0x80466786) by Unknow
INT 0x02 has been hooked at 0x0000145E (Org INT = 0x80466826) by Unknow
INT 0x03 has been hooked at 0x816C003C (Org INT = 0x80466A5E) by Unknow
INT 0x08 has been hooked at 0x000014B8 (Org INT = 0x80467670) by Unknow
INT 0x0E has been hooked at 0x816C007A (Org INT = 0x804688F4) by Unknow
INT 0x13 has been hooked at 0x8046900B (Org INT = 0x80468C8F) by ntoskrnl.exe
INT 0x1F has been hooked at 0x80064908 (Org INT = 0x80468C8F) by hal.dll
INT 0x37 has been hooked at 0x800640B8 (Org INT = 0x80464C56) by hal.dll
INT 0x3D has been hooked at 0x80065254 (Org INT = 0x80464C92) by hal.dll
INT 0x41 has been hooked at 0x800650C8 (Org INT = 0x80464CBA) by hal.dll
INT 0x50 has been hooked at 0x80064190 (Org INT = 0x80464D50) by hal.dll
INT 0x51 has been hooked at 0x816878A4 (Org INT = 0x80464D5A) by Unknow
INT 0x52 has been hooked at 0x81688DC4 (Org INT = 0x80464D64) by Unknow
INT 0x83 has been hooked at 0x81674424 (Org INT = 0x80464F4E) by Unknow
INT 0x92 has been hooked at 0x816B4584 (Org INT = 0x80464FE4) by Unknow
INT 0x93 has been hooked at 0x81686DC4 (Org INT = 0x80464FEE) by Unknow
INT 0xA2 has been hooked at 0x81687D64 (Org INT = 0x80465084) by Unknow
INT 0xA3 has been hooked at 0x816B6504 (Org INT = 0x8046508E) by Unknow
INT 0xB1 has been hooked at 0x816F8044 (Org INT = 0x8046511A) by Unknow
INT 0xB3 has been hooked at 0x816891C4 (Org INT = 0x8046512E) by Unknow
INT 0xC1 has been hooked at 0x800642FC (Org INT = 0x804651BA) by hal.dll
INT 0xD1 has been hooked at 0x80063964 (Org INT = 0x8046525A) by hal.dll
INT 0xE1 has been hooked at 0x80064858 (Org INT = 0x804652FA) by hal.dll
INT 0xE3 has been hooked at 0x800645D4 (Org INT = 0x8046530E) by hal.dll
INT 0xFD has been hooked at 0x80064D64 (Org INT = 0x804653E2) by hal.dll
INT 0xFE has been hooked at 0x80064EEC (Org INT = 0x804653E9) by hal.dll
cmd>q