DISCLAIMER: All the tools in this section should be considered as proof-of-concepts tools. They are provided with the hope that they might be useful for other researches. They are not intended to be used by 'end users'. There is no support. Keep in mind that some of these tools may crash your system without a single warning! USE AT YOUR OWN RISK!
I wrote the original Blue Pill proof of concept code while working for COSEINC back in 2006, and presented it at the Black Hat Briefings 2006 in Las Vegas on August 3rd. In April 2007 I decided to quit COSEINC and start my own security consulting firm, Invisible Things Lab. In May 2007 Alexander Tereshkin, a former member of COSEINC AML, joined ITL as a principal researcher. Together with Alex we decided to redesign and write from scratch the New Blue Pill rootkit, so that it would be possible to use it for further research and for educational purposes. Most of the New Blue Pill’s code was developed by Alexander Tereshkin. You can get the sources from the project's website.
The idea behind SVV is to check important Windows System components, which are usually altered by various stealth malware, in order to ensure system integrity and to discovery potential system compromise.
See my HITB and Black Hat presentations (links below) for more details about design and usage.
modGREPER is a hidden module detector for Windows 2000/XP/2003. It searches through kernel memory in order to find structures which looks like a valid module description objects.
FLISTER is a proof-of-concept code for detecting files hidden by both usermode and kernelmode Windows rootkits. It exploits the bugs (usually made by rootkit authors) in handling ZwQueryDirectoryFile() calls with ReturnSingleEntry set to TRUE. flister works on Windows 2000, XP and 2003.
NUSHU is the sample implementation of TCP ISN based passive covert channel for Linux kernels, which I presented at 21st CCC in Berlin in 2004. It should be considered as proof-of-concept code, since it is only the communication channel engine.
