This is a very interessting tool I did one year ago to realize proof of concept of my IDT authenticity theory.
Tool can be found at : IDTGuard v0.1
Note: This tool doesn’t work with Windows 2003 SP1 cause I used \PhysicalMemory. (http://technet2.microsoft.com/WindowsServer/en/library/e0f862a3-cf16-4a48-bea5-f2004d12ce351033.mspx?mfr=true
The following paste is a sample of use with the 0×2D interrupt on Windows 2000.
Interrupt Descriptor Table(IDT) Guard [email protected] www.msuiche.net Version 0.1 - (c) December, 2005 -
INT 0×01 has been hooked at 0×816C001D (Org INT = 0×80466786) by Unknow INT 0×02 has been hooked at 0×0000145E (Org INT = 0×80466826) by Unknow INT 0×03 has been hooked at 0×816C003C (Org INT = 0×80466A5E) by Unknow INT 0×08 has been hooked at 0×000014B8 (Org INT = 0×80467670) by Unknow INT 0×0E has been hooked at 0×816C007A (Org INT = 0×804688F4) by Unknow INT 0×13 has been hooked at 0×8046900B (Org INT = 0×80468C8F) by ntoskrnl.exe INT 0×1F has been hooked at 0×80064908 (Org INT = 0×80468C8F) by hal.dll INT 0×2D has been hooked at 0xBE8C2B5C (Org INT = 0×8046694E) by DbgMsg.SYS INT 0×37 has been hooked at 0×800640B8 (Org INT = 0×80464C56) by hal.dll INT 0×3D has been hooked at 0×80065254 (Org INT = 0×80464C92) by hal.dll INT 0×41 has been hooked at 0×800650C8 (Org INT = 0×80464CBA) by hal.dll INT 0×50 has been hooked at 0×80064190 (Org INT = 0×80464D50) by hal.dll INT 0×51 has been hooked at 0×816878A4 (Org INT = 0×80464D5A) by Unknow INT 0×52 has been hooked at 0×81688DC4 (Org INT = 0×80464D64) by Unknow INT 0×83 has been hooked at 0×81674424 (Org INT = 0×80464F4E) by Unknow INT 0×92 has been hooked at 0×816B4584 (Org INT = 0×80464FE4) by Unknow INT 0×93 has been hooked at 0×81686DC4 (Org INT = 0×80464FEE) by Unknow INT 0xA2 has been hooked at 0×81687D64 (Org INT = 0×80465084) by Unknow INT 0xA3 has been hooked at 0×816B6504 (Org INT = 0×8046508E) by Unknow INT 0xB1 has been hooked at 0×816F8044 (Org INT = 0×8046511A) by Unknow INT 0xB3 has been hooked at 0×816891C4 (Org INT = 0×8046512E) by Unknow INT 0xC1 has been hooked at 0×800642FC (Org INT = 0×804651BA) by hal.dll INT 0xD1 has been hooked at 0×80063964 (Org INT = 0×8046525A) by hal.dll INT 0xE1 has been hooked at 0×80064858 (Org INT = 0×804652FA) by hal.dll INT 0xE3 has been hooked at 0×800645D4 (Org INT = 0×8046530E) by hal.dll INT 0xFD has been hooked at 0×80064D64 (Org INT = 0×804653E2) by hal.dll INT 0xFE has been hooked at 0×80064EEC (Org INT = 0×804653E9) by hal.dll
27 Interruptions have been modified.
Help: q :quit s :reshow list of modified interrupt r X :restore interruption X in IDT(sample: r 0xA1) h :show this help
cmd>r 0×2D Are you sure that you want to restore the Interruption 0×2D(45)? (y/n)y
Let’s restore it ! I will do that : Offset : 0xBE8C2B5C => 0×8046694E Dpl : 0×01 => 0×01 Type : IntG32 => IntG32
Are you sure?(y/n)y
Reconstrution of the INT 0×2D Offset value…Done Dpl(Descriptor Privilege Level) value…Done Type value…Done
OKiE
cmd>s INT 0×01 has been hooked at 0×816C001D (Org INT = 0×80466786) by Unknow INT 0×02 has been hooked at 0×0000145E (Org INT = 0×80466826) by Unknow INT 0×03 has been hooked at 0×816C003C (Org INT = 0×80466A5E) by Unknow INT 0×08 has been hooked at 0×000014B8 (Org INT = 0×80467670) by Unknow INT 0×0E has been hooked at 0×816C007A (Org INT = 0×804688F4) by Unknow INT 0×13 has been hooked at 0×8046900B (Org INT = 0×80468C8F) by ntoskrnl.exe INT 0×1F has been hooked at 0×80064908 (Org INT = 0×80468C8F) by hal.dll INT 0×37 has been hooked at 0×800640B8 (Org INT = 0×80464C56) by hal.dll INT 0×3D has been hooked at 0×80065254 (Org INT = 0×80464C92) by hal.dll INT 0×41 has been hooked at 0×800650C8 (Org INT = 0×80464CBA) by hal.dll INT 0×50 has been hooked at 0×80064190 (Org INT = 0×80464D50) by hal.dll INT 0×51 has been hooked at 0×816878A4 (Org INT = 0×80464D5A) by Unknow INT 0×52 has been hooked at 0×81688DC4 (Org INT = 0×80464D64) by Unknow INT 0×83 has been hooked at 0×81674424 (Org INT = 0×80464F4E) by Unknow INT 0×92 has been hooked at 0×816B4584 (Org INT = 0×80464FE4) by Unknow INT 0×93 has been hooked at 0×81686DC4 (Org INT = 0×80464FEE) by Unknow INT 0xA2 has been hooked at 0×81687D64 (Org INT = 0×80465084) by Unknow INT 0xA3 has been hooked at 0×816B6504 (Org INT = 0×8046508E) by Unknow INT 0xB1 has been hooked at 0×816F8044 (Org INT = 0×8046511A) by Unknow INT 0xB3 has been hooked at 0×816891C4 (Org INT = 0×8046512E) by Unknow INT 0xC1 has been hooked at 0×800642FC (Org INT = 0×804651BA) by hal.dll INT 0xD1 has been hooked at 0×80063964 (Org INT = 0×8046525A) by hal.dll INT 0xE1 has been hooked at 0×80064858 (Org INT = 0×804652FA) by hal.dll INT 0xE3 has been hooked at 0×800645D4 (Org INT = 0×8046530E) by hal.dll INT 0xFD has been hooked at 0×80064D64 (Org INT = 0×804653E2) by hal.dll INT 0xFE has been hooked at 0×80064EEC (Org INT = 0×804653E9) by hal.dll
cmd>q
There are 31,328 total registered users.
[+] expand
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}