System Process, Thread And Module Information Extractor

There are often cases where an unwanted program (mostly spyware and worms) tries to hide its activity by concealing itself with kernel-level techniques.
So, to uncover these hidden processes, modules and threads, we have a driver compiled with the Microsoft Windows DDK. The driver is compatible with Windows XP SP2 and SP3.

Downloads Section
The Driver (Zip File)

So all we have to do is run InstDrv.exe (bundled in the zip file). As with all drivers, we first have to install our driver (TheOne.sys).

To do this, start InstDrv.exe by double-clicking on it. Type in the path to TheOne.sys and click Install.

When it says Operation Successful, click Start to start our driver.
OK, so now we have our driver up and running.

To interface with the driver we also have a user-mode program (Enlist.exe, bundled in the zip), written in Microsoft Visual C++.
Run it to get the results from our driver. We get the following message on running it.

Since the output on the console would not be very readable, Enlist.exe writes the results to a LISTING.txt file created in the working directory.

Let's see what we have in LISTING.txt.

As you can see, this also gives you the base address of each loaded module, so if you are viewing memory it is easy for you to locate them.
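The usual way to turn a kernel-side listing like this into a finding is a cross-view comparison: anything the driver reports that a normal user-mode enumeration does not show is a candidate for a hidden process or module. The script below is an added example, not code from the original post or from the TheOne.sys/Enlist.exe tool. The post does not show the real layout of LISTING.txt, so the `PID ... ` and `Base=0x... Size=0x...` line format here is an assumption, and both the kernel listing and the user-mode PID set are constructed sample data. It parses the listing, flags processes missing from the user-mode view, and resolves an arbitrary address to the module that contains it using the base addresses the listing provides.

```python
"""
Added example (not part of the original post or the TheOne.sys / Enlist.exe tool):
cross-view comparison of a kernel-side process listing against a user-mode view,
plus address-to-module lookup from the reported base addresses.

ASSUMPTION: the post does not show LISTING.txt's real layout, so a simple
"PID <n> <image>" / "<module> Base=0x... Size=0x..." layout is used here.
"""
import re

# Constructed sample listing resembling what a kernel-level enumerator might report.
# PIDs, names and addresses are made up for illustration.
KERNEL_LISTING = """\
PROCESSES
PID 4     System
PID 620   csrss.exe
PID 1388  explorer.exe
PID 2044  hidden.exe
MODULES
explorer.exe  Base=0x01000000 Size=0x000FF000
kernel32.dll  Base=0x7C800000 Size=0x000F6000
ntdll.dll     Base=0x7C900000 Size=0x000B2000
hidden.dll    Base=0x10000000 Size=0x00020000
"""

# Constructed user-mode view, e.g. the PIDs a Task Manager style enumeration shows.
USER_VIEW_PIDS = {4, 620, 1388}

PROC_RE = re.compile(r"^PID\s+(\d+)\s+(\S+)\s*$")
MOD_RE = re.compile(r"^(\S+)\s+Base=0x([0-9A-Fa-f]+)\s+Size=0x([0-9A-Fa-f]+)\s*$")


def parse_listing(text):
    """Return ({pid: image_name}, [(module, base, size), ...]) from the assumed layout."""
    procs = {}
    mods = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("PROCESSES", "MODULES"):
            section = line
            continue
        if section == "PROCESSES":
            m = PROC_RE.match(line)
            if m:
                procs[int(m.group(1))] = m.group(2)
        elif section == "MODULES":
            m = MOD_RE.match(line)
            if m:
                mods.append((m.group(1), int(m.group(2), 16), int(m.group(3), 16)))
    return procs, mods


def hidden_processes(kernel_procs, user_pids):
    """Processes the kernel view reports but the user-mode view does not: cross-view diff."""
    return sorted((pid, name) for pid, name in kernel_procs.items() if pid not in user_pids)


def module_for_address(mods, addr):
    """Map an address to (module, offset) using the listed base/size, or None if unmapped."""
    for name, base, size in mods:
        if base <= addr < base + size:
            return name, addr - base
    return None


if __name__ == "__main__":
    procs, mods = parse_listing(KERNEL_LISTING)
    for pid, name in hidden_processes(procs, USER_VIEW_PIDS):
        print(f"hidden from user-mode view: PID {pid} {name}")
    print(module_for_address(mods, 0x7C812345))
```

A PID that appears only in the kernel view is not proof of a rootkit on its own (a process can exit between the two enumerations), so in practice the two views are taken as close together as possible and a persistent difference is what gets investigated.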

