			    modGREPER 0.1

		     Joanna Rutkowska, June 2005.
		      http://invisiblethings.org


modGREPER is a hidden module detector for Windows 2000/XP/2003. It
searches through whole kernel memory (0x80000000 – 0xffffffff) in
order to find structures which looks like a valid module description
objects. Currently two most important objects type are recognized:
well known _DRIVER_OBJECT and _MODULE_DESCRIPTION. GREPER has some
sort of artificial intelligence built in, which allows it recognize if
the given bytes actually describe a module-specific object. The term
AI for this algorithm is probably a little bit exaggerated, since it
is just a few bunches of logical rules which should be satisfied by
the potential fields of the structure in question.

modGREPER builds a list of found objects, matches them to each other
and finally compares this list against the list of kernel modules
obtained with documented API (EnumDeviceDrivers).

modGREPER should be able to detect all kinds of modules hiding
techniques used today. Some of the modules are also marked as
“SUSPECTED”. This applies to (not hidden) modules which corresponding
image files are either not present either lie within hidden
directories (hidden by rootkit not system)). This feature was added
because, sadly, most of the rootkits do not even try to hide their
kernel modules against API!

modGREPER is also able to find and display the list of unloaded kernel
modules. This way it is sometime possible to detect also more advanced
driverless kernel rootkits. However the list has some limitations – it
is of a limited capacity and contains only a module base name (no path
included).

Q: Is it possible to write kernel rootkit which will not be detected
by tool like modGREPER?  
A: Yes it is ;) 

Q: What is the reason to release such tool then? 
A: To stimulate people to write more subtle rootkits :)

Q: What about userland rootkits?  
A: Userland rootkits can be ALWAYS detected with much simpler means.
And also some of the rootkits which are believed to be usermode only,
do contain also some kernel modules. Now you can find out which :)

WARNING: This is experimental tool and there is completely no warranty
for it. It can blue screen your machine without a single question. Use
at your own risk! Especially please note that, as many other AI based
tools, some false positives may be possible (though are rather
unlikely). Use ?-v? switch to examine all suspected situations.