BSODhook

About the tool

BSODhook (aka Kernel hooks probing tool) helps find improper validation bugs in drivers that implement kernel mode hooks. Its first version supported only the native SSDT calls; the second version (codenamed ShadowHook) added support for the GDI SSDT calls. The tool calls system services and attempts to produce a system crash (bugcheck). BSODhook comes with a kernel driver, which intercepts certain system functions to catch these bugchecks. Instead of crashing the system, an invalid memory access or other faulty behaviour that would invoke the bugcheck is caught, the calling thread is terminated and the application reports that the tested system service is improperly validated. Moreover, BSODhook writes out the exact parameters of the function call that caused the crash. This allows software developers to find bugs in their drivers very quickly and efficiently.

You can download this application below and test the software you use to see whether it implements hooks of the system services correctly. BSODhook contains a driver, which is used to enumerate all SSDT and SSDT GDI hooks and to catch BSODs. The application can work entirely from user mode and does not need the driver, but in that case you would need to enter all tested functions manually and BSODs will not be caught if they occur. Once you have all the functions you want to probe in the so-called Probe list, you need to agree to the application's warning; pressing the 'Go' button then starts the testing of the specified functions. The probing has two modes: Fuzzer and Bruteforce. The Bruteforce mode goes through each parameter of the tested function and incrementally tries values from the whole specified range (see the information about the ranges below). All other parameters are set to valid values (they point somewhere into the application's stack). The Fuzzer mode, on the other hand, changes all the parameters at once, also respecting the specified ranges. You might find the 'I am happy' button useful too. With just one click you load the driver, disable BSODs, find SSDT and SSDT GDI hooks and start default probing with both the Fuzzer and the Bruteforcer.
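As an added illustration (not BSODhook's own code) of how the two probing modes enumerate argument sets, the following Python models the Bruteforce and Fuzzer case generation against a constructed stand-in for a hooked service; the stack address, the ranges and the simulated fault condition are all assumptions:

```python
import random

# Constructed stand-in for a "valid" argument: BSODhook points untouched
# parameters at the application's own stack, so this address is an assumption.
VALID_STACK_PTR = 0x0012F000
MASK32 = 0xFFFFFFFF  # every argument is a 32-bit value (IA-32)

def bruteforce_cases(nargs, ranges):
    """Bruteforce mode: walk one parameter through its whole inclusive
    (lo, hi) range while every other parameter keeps a valid stack pointer."""
    for i in range(nargs):
        lo, hi = ranges[i]
        for value in range(lo, hi + 1):
            args = [VALID_STACK_PTR] * nargs
            args[i] = value & MASK32
            yield tuple(args)

def fuzzer_cases(nargs, ranges, count, seed=0):
    """Fuzzer mode: change all parameters at once, each drawn from its range.
    A fixed seed makes a crashing case reproducible when it is re-run."""
    rng = random.Random(seed)
    for _ in range(count):
        yield tuple(rng.randint(lo, hi) & MASK32 for lo, hi in ranges[:nargs])

def probe(service, nargs, ranges, mode="bruteforce", count=100):
    """Drive `service` with each case; `service` returns True when the hooked
    function would have bugchecked (the driver catches it and terminates the
    thread).  Return the offending argument tuple, as BSODhook reports it."""
    if mode == "bruteforce":
        cases = bruteforce_cases(nargs, ranges)
    else:
        cases = fuzzer_cases(nargs, ranges, count)
    for args in cases:
        if service(args):
            return args
    return None

# Constructed model of a hook that dereferences its second argument without
# probing it first: any pointer into the unmapped low 64 KiB faults.
def unvalidated_hook(args):
    return args[1] < 0x10000

if __name__ == "__main__":
    ranges = [(0x0, 0xF)] * 3  # assumed small ranges for the demonstration
    print(probe(unvalidated_hook, 3, ranges, "bruteforce"))
    print(probe(unvalidated_hook, 3, ranges, "fuzzer"))
```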

Every system service call has different arguments, but since they are all 32-bit values (BSODhook was coded for IA-32 compatible architectures) and the most common vulnerabilities are present only for a few types of arguments, we narrowed the parameters of the tested functions to the following list:

The database of known function prototypes is stored in the external file "functions.db". You can either edit this file and add more functions to it or type the calling convention into the GUI manually. Note that defining the correct number of arguments in the database is crucial for the stability of BSODhook.
BSODhook utility

Note that, by their nature, this application and its driver cannot be stable or safe to use. The hooked function might put the system into an inconsistent state before invoking the bugcheck, and in that situation the thread cannot be terminated without breaking the functionality of the hooking driver or the whole system. In other cases, the function call might not cause a bugcheck but instead write into kernel memory, corrupting some kernel structure. The BSODhook application can crash the hooking driver, crash or freeze the system or itself, or cause any other unspecified behaviour, including data loss. Note that this is not a bug in BSODhook: once you start probing, the behaviour is undefined. Because of this, DO NOT USE IT ON PRODUCTION SYSTEMS! However, for most hooks of most software we have tested, BSODhook was able to do its job and catch BSODs correctly.

BSODhook uses unexported and undocumented Windows kernel functions, because there is no documented way to provide the same functionality. The application will work on all NT-based Windows versions, but the mechanism for catching the bugchecks is supported only on a few specific kernel versions of Windows 2000 SP4 and Windows XP SP2. Currently supported are the following kernels:

If your kernel is not supported by the current version of BSODhook, please contact us. Be sure to include full information about your kernel version.

Download

Warning: This software is used for testing of security products and should never be used on production machines. Using this software may damage or erase your data. This software is provided "as is" and without warranty of any kind.

Download BSODhook.

Related work

BSODhook was first introduced in our article Plague in (security) software drivers. With BSODhook, we have tested many security products that implement kernel hooks and found more than 60 validation bugs in their drivers.