A long time ago, in a galaxy far far away... I promised to write some nice documentation about wincheck
Wincheck is a tool that inspects undocumented or insufficiently documented Windows internal structures. Note that Wincheck is NOT anti-rootkit (ARK) software. It also does NOT support disinfection or automatic analysis, mainly because many official commercial products also set lots of hooks in the system and a full list of such hooks doesn't exist.
There are several reasons why I wrote this tool
1) Many existing commercial and free ARK tools can't display or check multiple important Windows structures that modern rootkits use
2) These structures can be checked using WinDbg (with pykd perhaps) and a bunch of different scripts, but this requires additional steps, while I was looking for a tool that can be started easily without any installation (from a flash drive, for example). Moreover, WinDbg is not very useful without symbols, and symbols can be missing on a suspicious system if network support doesn't work. Wincheck does not use symbols; it detects addresses and functions with static code analysis only.
3) hard NIH syndrome
Supported Windows versions
32bit:
- w2k
- xp
- w2k3
- vista
- windows 2008
- windows 7
- windows 8 dev preview
- windows 8 consumer preview
- windows 8 release preview
- windows 8 rtm
- windows 8.1 preview
- windows 8.1 rtm
- windows 10 builds 9926, 9879, 10041 & 10074
64bit:
- xp
- w2k3
- vista
- windows 2008
- windows 7
- windows 2008r2
- windows 8 consumer preview
- windows 8 server consumer preview
- windows 8 release preview
- windows 8 rtm
- windows server 2012 rtm
- windows 8.1 preview
- windows 8.1 rtm
- windows 10 builds 9926, 9879, 10041 & 10074
Wincheck uses an unsigned driver, so starting from Windows Vista it requires booting the system with the "Disable Driver Signature Enforcement" option (use the F8 boot menu).
Supported Modes
Wincheck can analyze kernel mode structures or user mode processes. It has to be run with Administrator privileges in both cases.
Kernel Mode
- code sections integrity checks for kernel, some vital drivers and their import/export tables
- IDT ('-idt' option)
- SSDT. '-sdt' option enables ETHREAD.ServiceTable checks for all threads. 32bit only
- process/thread/image/registry/session notificators and fs change notifiers
- PnP notificators
- tables registered with ExRegisterExtension ('-ext' option)
- registered callbacks
- bugcheck callbacks
- OBJECT_TYPE_INITIALIZER handlers for all registered object types
- g_CiEnabled & g_CiCallbacks
- HAL tables, for example, HalAcpiDispatchTable and HalPrivateDispatchTable ('-hal' option)
- NDIS structures & WFP callouts ('-ndis' option)
- netio.sys NPI clients & providers, WFP callouts, NsiRegisterChangeNotification(Ex) callbacks ('-ndis' option)
- RPC interfaces in user mode ('-rpc' option). '-npo' option displays process owner for all RPC endpoints (ALPC ports/named pipes)
- CmControlVector content ('-kopts' option)
- registered WMI providers ('-wmi' option)
- IopNotifyShutdownQueueHead and IopNotifyLastChanceShutdownQueueHead ('-shutntfy' option)
- KTIMERs ('-kt' option)
- FltMgr guts ('-fm' option)
- WdfFunctions for KMDF-based drivers ('-wdf' option)
- CrashdmpCallTable
- callbacks registered with IoRegisterIoTracking (windows 8 only)
- CLASS_INIT_DATA & CLASS_DRIVER_EXTENSION
- win32k!gahti ('-gahti' option)
- sockets and established connections from tcpip.sys ('-sockets' option. for xp/w2k3 only)
- sockets and established connections from tcpip6.sys ('-sockets6' option. for xp/w2k3 only)
- and many others.
User Mode
Checks all processes or a specific one (see the '-pid ProcessID' option). This check can take significant time to execute, but the '-p' option can be used to run these checks in parallel on available CPUs. The number of threads used won't exceed KeNumberProcessors.
In this mode the application can check:
- memory content in all executable sections
- export table
- import table
- delayed import table
- TLS callbacks
- different structures that use function pointers including:
- ntdll.dll callbacks like PFNCLIENT tables, RtlpUnhandledExceptionFilter, LdrpManifestProberRoutine, CsrServerApiRoutine, RtlpDebugPageHeapXXX handlers etc.
- shim handlers
- apfnDispatch, InitializeLpkHooks and WOW callbacks from user32.dll
- wow64win.dll function tables (64-bit only)
- wow64.dll service tables (64-bit only)
- WNF notifiers ('-wnf' option)
- EventCallbacks registered with SetTraceCallback function call ('-traces' option)
- WMI callbacks/trace guids ('-wmi' option)
- LSA Security Providers table functions
- handlers installed with LsaIRegisterPolicyChangeNotificationCallback
- CSR_SERVER_DLL handlers
- ole32!IMallocSpy
- ole32!ChannelHooks
- AppHelp.dll functions in kernel32.dll
- yet over 9000
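Many of the kernel-mode and user-mode items listed above are tables of function pointers. A common way to review such a table is to resolve every pointer to the loaded image that contains it and flag entries that land in a different module or in no module at all. The sketch below is an added example, not Wincheck's code; the module list, addresses, the driver name example.sys and the sample table are all constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One loaded image occupying [base, base + size). All values are constructed. */
typedef struct { const char *name; uint64_t base; uint64_t size; } module_t;
static const module_t MODULES[] = {
    { "ntoskrnl.exe", 0xfffff80002a00000ULL, 0x5e0000 },
    { "hal.dll",      0xfffff80002fe0000ULL, 0x049000 },
    { "example.sys",  0xfffff88003c00000ULL, 0x012000 }, /* hypothetical driver */
};
#define N_MODULES (sizeof MODULES / sizeof MODULES[0])

/* Constructed pointer table that is expected to point into ntoskrnl.exe only. */
const uint64_t SAMPLE_TABLE[4] = {
    0xfffff80002a41000ULL, 0xfffff80002b7c3f0ULL,   /* inside ntoskrnl.exe   */
    0xfffff88003c01a40ULL, 0xfffffa8004e21000ULL,   /* other module, no module */
};

/* Return the image containing addr, or NULL if no loaded image owns it. */
const module_t *owner_of(uint64_t addr) {
    for (size_t i = 0; i < N_MODULES; i++)
        if (addr >= MODULES[i].base && addr - MODULES[i].base < MODULES[i].size)
            return &MODULES[i];
    return NULL;
}

/* 0 = pointer is inside the expected module, 1 = inside another module,
   2 = outside every loaded image. */
int classify(uint64_t ptr, const char *expected) {
    const module_t *m = owner_of(ptr);
    if (m == NULL) return 2;
    return strcmp(m->name, expected) == 0 ? 0 : 1;
}

/* Print every entry that does not resolve to the expected module; return the count. */
size_t review_table(const uint64_t *tbl, size_t n, const char *expected) {
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++) {
        if (classify(tbl[i], expected) == 0) continue;
        const module_t *m = owner_of(tbl[i]);
        printf("[%zu] %#llx -> %s\n", i, (unsigned long long)tbl[i], m ? m->name : "unknown memory");
        flagged++;
    }
    return flagged;
}

int main(void) {
    printf("%zu entries to review\n", review_table(SAMPLE_TABLE, 4, "ntoskrnl.exe"));
    return 0;
}
```

A flagged entry is a lead for manual review, not a verdict: as noted at the top of this page, legitimate commercial products install hooks as well.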
Command Line Options
Common options:
-f logfile name
-k Process PID to kill
-ha - turn off hook analyzer
-wmi - report WMI entries
Process options:
-all - check all processes
-pid Process PID - check process with specific Process PID
-mods - dump loaded modules
-pp - dump print providers
-t - dump threads
-traces - dump all registered trace callbacks
-p N - number of threads to use for processes check
-uem - check for Unknown Executable Memory
-wnf - check WNF notifiers
System options:
-acpi - check some ACPI tables
-alldrv - check all (known to me) drivers
-alpc - dump clients of RPC ALPC ports
-dump_patched - dump patched sections
-dsdt - dump SDT
-dssdt - dump SSDT
-dext - dump driver extensions
-emp - dump EMP callbacks
-ext - dump tables registered with ExRegisterExtension
-fm - dump FltMgr callback nodes
-full - add kernel checks (except RPC & WMI)
-gahti - dump win32k!gahti table
-hal - check HAL tables
-idt - check IDT
-kdmask - dump KD masks set
-kopts - dump kernel options (CmControlVector)
-kshims - dump registered kernel shims (w8 only)
-kt - dump KTIMERs
-ndis - check NDIS
-nopads - check that all code is located only in section content
-npo - dump RPC Named Pipes Owner
-obcb - dump object types callbacks
-pofx - check PoFxPlugins
-rdata - check .rdata sections too
-rdbss - dump rdbss registered devices
-rpc - report RPC interfaces
-sched - dump threads from scheduler
-sdt - check SSDT for all threads
-shutntfy - check for drivers shutdown notificators
-sockets - dump tcpip sockets
-sockets6 - dump tcpip6 sockets
-st - check system threads
-timp - dump threads with impersonation token
-usbport - check USB ports
-wdf - check WdfFunctions for KMDF-based drivers