About the tool
BSODhook (aka Kernel hooks probing tool) helps find improper validation bugs in drivers that implement kernel mode hooks. Its first version supported the native SSDT calls only; the second version (codenamed ShadowHook) added support for the GDI SSDT calls. The tool calls system services and attempts to produce a system crash (bugcheck). BSODhook comes with a kernel driver, which intercepts certain system functions to catch these bugchecks. Instead of crashing the system, an invalid memory access or other faulty behaviour that would invoke the bugcheck is caught, the calling thread is terminated and the application reports that the tested system service is improperly validated. Moreover, BSODhook writes out the exact parameters of the function call that caused the crash, which lets driver developers find and reproduce the bug quickly.
You can download this application below and test the software you use to see whether it implements hooks of the system services correctly. BSODhook contains a driver, which is used to enumerate all SSDT and SSDT GDI hooks and to catch BSODs. The application can also work entirely from user mode without the driver, but in that case you need to enter all tested functions manually and BSODs will not be caught if they occur. Once you have all the functions you want to probe in the so-called Probe list, you need to agree to the application's warning; pressing the 'Go' button then starts testing of the specified functions. The probing has two modes: Fuzzer and Bruteforce. The Bruteforce mode takes each parameter of the tested function in turn and incrementally tries values from the whole specified range (see the ranges below), while all other parameters are set to valid values (they point somewhere into the application's stack). The Fuzzer mode, on the other hand, changes all the parameters at once, also respecting the specified ranges. You might find the 'I am happy' button useful too: with one click it loads the driver, disables BSODs, finds the SSDT and SSDT GDI hooks and starts the default probing with both the Fuzzer and the Bruteforcer.
Every system service call has different arguments, but since they are all 32-bit values (BSODhook was coded for IA-32 compatible architectures) and the most common vulnerabilities appear only for a few kinds of arguments, we narrowed the parameter types of the tested functions down to the following list:
- V, valid pointer – pointer to the stack; no testing is performed for this parameter type
- D, any DWORD – argument is in the range 0x00000000 – 0xFFFFFFFF
- P, local (process/thread) handle – argument is in the range 0x00000001 – 0xFFFFFF00
- B, no user-mode memory – argument is in the range 0x7FFF0000 – 0xFFFFFFFF
- O, OBJECT_ATTRIBUTES pointer – argument points to an OBJECT_ATTRIBUTES whose ObjectName member is any DWORD
- Q, OBJECT_ATTRIBUTES pointer with invalid Buffer – argument points to an OBJECT_ATTRIBUTES whose ObjectName.Buffer member is any DWORD
- U, UNICODE_STRING pointer – argument points to a UNICODE_STRING whose Buffer member is any DWORD
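The following is an added example, not code from BSODhook or its authors, showing how the two probing modes build argument vectors from the one-letter parameter types above. The ranges are the ones listed on this page; the stack placeholder address, the step size, the xorshift PRNG and the prototype string "VDOV" (a constructed NtOpenProcess-like signature) are assumptions for illustration. It is plain C99 without Windows headers, so it compiles and runs anywhere; on a real run each generated vector would be passed to the probed system service.

```c
/* Added example (not BSODhook's code): argument-vector generation for the
 * Bruteforce and Fuzzer modes, driven by parameter types V, D, P, B, O, Q, U. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS    16
#define STACK_PTR   0x0012F000u /* assumed: "somewhere on the application's stack" */
#define NO_USER_MEM 0x7FFF0000u /* start of the page's "no user-mode memory" (B) range */

typedef struct { uint32_t lo, hi; } range_t;

typedef struct {
    uint32_t value;     /* the DWORD under test */
    int      in_struct; /* 1: argument is a valid stack pointer to an OBJECT_ATTRIBUTES
                           or UNICODE_STRING and `value` sits in its ObjectName /
                           ObjectName.Buffer / Buffer member (O, Q, U);
                           0: `value` is the argument itself (D, P, B, V) */
} arg_t;

/* Range tested for a type. Returns 0 for V (never tested), -1 for an unknown type. */
static int type_range(char t, range_t *r)
{
    switch (t) {
    case 'D': case 'O': case 'Q': case 'U':            /* "any DWORD" */
        *r = (range_t){0x00000000u, 0xFFFFFFFFu}; return 1;
    case 'P': *r = (range_t){0x00000001u, 0xFFFFFF00u}; return 1;
    case 'B': *r = (range_t){NO_USER_MEM, 0xFFFFFFFFu}; return 1;
    case 'V': return 0;
    default:  return -1;
    }
}

static int is_struct_type(char t) { return t == 'O' || t == 'Q' || t == 'U'; }

/* Every parameter valid: a stack pointer, or for O/Q/U a stack pointer to a
 * structure whose probed member also points to the stack. Returns argc or -1. */
int valid_vector(const char *proto, arg_t *args)
{
    int argc = (int)strlen(proto);
    if (argc > MAX_ARGS) return -1;
    for (int i = 0; i < argc; i++) {
        range_t r;
        if (type_range(proto[i], &r) < 0) return -1;
        args[i].value = STACK_PTR;
        args[i].in_struct = is_struct_type(proto[i]);
    }
    return argc;
}

/* Bruteforce mode: vector number k for parameter idx, stepping its range by
 * `step`; all other parameters stay valid. Returns 1 on success, 0 when the
 * range is exhausted or the parameter is not testable. */
int bruteforce_vector(const char *proto, int idx, uint64_t k, uint32_t step, arg_t *args)
{
    range_t r;
    int argc = valid_vector(proto, args);
    if (argc < 0 || idx < 0 || idx >= argc || step == 0) return 0;
    if (type_range(proto[idx], &r) <= 0) return 0;
    uint64_t v = (uint64_t)r.lo + k * step;     /* 64-bit: no wrap past 0xFFFFFFFF */
    if (v > r.hi) return 0;
    args[idx].value = (uint32_t)v;
    return 1;
}

/* xorshift32: deterministic PRNG so a fuzz run can be replayed from its seed (assumption). */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Fuzzer mode: every testable parameter gets a random value inside its range at once. */
int fuzz_vector(const char *proto, uint32_t *seed, arg_t *args)
{
    int argc = valid_vector(proto, args);
    if (argc < 0) return -1;
    for (int i = 0; i < argc; i++) {
        range_t r;
        if (type_range(proto[i], &r) <= 0) continue;
        uint64_t span = (uint64_t)r.hi - r.lo + 1;
        args[i].value = r.lo + (uint32_t)(xorshift32(seed) % span);
    }
    return argc;
}

/* True if a 32-bit address is outside the B range, i.e. user-mode memory;
 * a correctly validating hook must refuse to touch everything else. */
int is_user_memory(uint32_t addr) { return addr < NO_USER_MEM; }

int main(void)
{
    const char *proto = "VDOV";   /* constructed: PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID */
    arg_t args[MAX_ARGS];
    uint32_t seed = 0x1234567u;

    for (uint64_t k = 0; bruteforce_vector(proto, 1, k, 0x10000000u, args); k++)
        printf("brute #%llu: arg1 = 0x%08X (other args valid)\n",
               (unsigned long long)k, args[1].value);
    for (int n = 0; n < 3; n++) {
        fuzz_vector(proto, &seed, args);
        printf("fuzz  #%d: arg1 = 0x%08X, arg2->ObjectName = 0x%08X\n",
               n, args[1].value, args[2].value);
    }
    return 0;
}
```

The bruteforce loop stops by itself once the 64-bit counter leaves the range, so a D parameter never wraps back to zero; the fuzzer keeps V parameters untouched and only randomizes inside each listed range, which is what makes a crash attributable to a missing range check in the hook rather than to the harness.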
The database of known function prototypes is stored in the external file "functions.db". You can either edit this file and add more functions to it, or type a function's argument types manually into the GUI. Note that defining the correct number of arguments in the database is crucial for the stability of BSODhook.
Note that this application and its driver cannot be stable or safe to use by their nature. The hooked function might put the system into an inconsistent state before invoking the bugcheck, and in that situation the thread cannot be terminated without breaking the functionality of the hooking driver or the whole system. In other cases, the function call might not cause a bugcheck at all but instead write into kernel memory and corrupt some kernel structure. The BSODhook application can crash the hooking driver, crash or freeze the system or itself, or cause any other unspecified behaviour including data loss. This is not a bug in BSODhook: once you start probing, the behaviour is undefined. Because of this, DO NOT USE IT ON PRODUCTION SYSTEMS! However, for most hooks of most software we have tested, BSODhook was able to do its job and catch BSODs correctly.
BSODhook uses unexported and undocumented Windows kernel functions, because there is no documented way to provide the same functionality. The application will work on all NT-based Windows, but the mechanism for catching the bugchecks is supported only on a few specific kernel versions of Windows 2000 SP4, Windows XP SP2 and Windows XP SP3. Currently supported are the following kernels:
- Windows XP SP3 5.1.2600.5657
- Windows XP SP3 5.1.2600.5512
- Windows XP SP2 5.1.2600.3093
- Windows XP SP2 5.1.2600.2180
- Windows 2000 SP4 5.00.2195.7133
- Windows 2000 SP4 5.00.2195.7045
- Windows 2000 SP4 5.00.2195.6717
If your kernel is not supported by the current version of BSODhook, please contact us and include full information about your kernel version.
Warning: This software is used for testing of security products and should never be used on production machines. Using this software may damage or erase your data. This software is provided "as is" and without warranty of any kind.
BSODhook was first introduced in our article Plague in (security) software drivers. With BSODhook we have tested many security products that implement kernel hooks and found more than 60 validation bugs in their drivers.