[Original] NT System Information viewing tool: NtInfoGuy

[Original] NT System Information viewing tool: NtInfoGuy

Original article: [original] NT System Information viewing tool: NtInfoGuy

 

For windows, we have too many things to understand and recognize. Our extraordinary, unsatisfied nature drives us to open the fog and see the sky. Too many Trojans, viruses, and Rootkit are hidden in the system, which requires us to investigate and gain insight. For some system programmers, it is also very useful and important to understand the internal status of the current NT System.

 

Although there are many such gadgets, they only involve different subsets of system information. In this context, it is very necessary to have a tool that can view the complete status information of the NT System, so NtInfoGuy came into being. This stuff did not pop out of the stone, but gradually emerged from the giant panda's mind. This tool is developed on the console. If you have the energy, it may be converted into a GUI. Program compatible systems: Win2k (sp4), Winxp (sp3), Win2k3 (sp2), Vista, and Windows7.

 

NtInfoGuy has implemented the following functions:

 

 

 

 

 

1. display the system SSDT table and SSDT Shadow table, and try to find the possible service table item hooks. Red indicates the possible hooks;

 

 

2. display the system GDT table and the attributes of each table item;

 

 

3. displays the system IDT table and the attributes of each portal;

 

 

4. display information about the current system load module and identify the windows trusted module;

The red letter indicates untrusted modules or modules not found on the disk.

 

 

5. directly obtain information about the system loaded modules from the kernel, which is displayed in DbgView;

 

 

6. display the kernel variable values of the main components of the system.

 

Of course, this is far from enough. The following are the functions to be added:

 

1. Prepare to add the Inline Hook identification and the function of restoring the Hook;

 

2. Map the kernel address to a region, such as a driver, page feed pool, and non-page feed pool;

 

3. display the disassembly of kernel code at the specified position;

 

4. added the GUI, which may be written in sdks, VB, C #, and other languages;

 

5. More comprehensive display of kernel variables. Currently, only kernel variables of the Memory Manager are displayed.

 

Hope you can join in with your children's shoes. If you have been a single programmer, not even a professional programmer, but you are enthusiastic about programming and want to have fun with programming, contact pandatv. If you do not understand system programming, but you have a good experience in interface design, you can also join. This tool is just a prototype, hoping to be more mature.

 

Program description:

 

1 first, pandatv uses its personality to guarantee that the Code contains no Trojans, viruses, RootKit, and other boring things;

2. The code I wrote is ntinfoguy.exe and NtInfoGuy. dll, which are less than 60 kb in total. The other two Dll files are officially debugged by Microsoft.
And symbol service library, which must be used during runtime. If the new WinDbg version is installed in your system
You can use the new version in the WinDbg directory.

3. The program needs to load the driver and enter the kernel to obtain information;

4. The program automatically connects to the official Microsoft symbolic website to download the symbolic file of the kernel. Otherwise, some kernel symbols cannot be obtained.
It is the same as downloading a symbolic file with WinDbg.

5. The program may have bugs and vulnerabilities that may cause system crashes. Run the program on non-critical systems. Everything this program brings
The loss has nothing to do with pandatv.

6 For more information about the program see: http://blog.csdn.net/mydo/archive/2010/0/17/5742188.aspx

 

7. During the first running of the program, it may be slow to download the NT symbol file. Once the symbol download is completed, the program will run quickly in the future.

The download location of the symbol file is in the syms folder of the current path of the program.

 

Http://hopy.bokee.com/inc/NtInfoGuy.7z: NtInfoGuy

NtInfoGuy source code please see snow download: http://bbs.pediy.com/showthread.php? T = 117432