                        ntoskrnl.exe Hook scan                        
                                     deroko/ARTeam
                                
Scans for inline hooks and int3h breakpoints set on procedures exported by ntoskrnl.exe

Concept:
        1. retrieve the base of ntoskrnl.exe using ZwQuerySystemInformation
        2. map ntoskrnl.exe into my address space and apply relocation fixups,
           because some procedures in ntoskrnl.exe start with an instruction
           that embeds an absolute address, e.g.
           mov eax, [address]
           which would not match the loaded kernel otherwise
        3. get the VA of a certain API and the first 4 bytes of it
        4. check if the procedure is stored in the INIT section; if so, skip it
           (why some exports are located in the INIT section I have no idea,
           but trust me, there are some)
        5. call the driver to check if that address has the same byte pattern
           as the one in the ring3-mapped ntoskrnl.exe
        6. the driver compares the bytes, but it will also check if the
           procedure is "hooked" with int3h
        7. return to my code in ring3
        
There are some variables exported by ntoskrnl.exe; to distinguish a variable
from a procedure I use one lame trick. Exported variables are initialized
during system startup, so in the image stored on disk they are set to 0.
I simply check if the export's first 4 bytes are 0; if so, we have a variable.
Smarter would be to walk through the relocs, but this lame check is faster to
implement.

Output:
C:\>hookscan
scanhook       - (c) 2006 deroko/ARTeam
Int3h  : DbgBreakPoint
Hooked : RtlPrefetchMemoryNonTemporal

C:\>

Of course DbgBreakPoint has int3h, because the procedure is nothing but an
int3h at its entry. Run this with SoftICE active and watch which procedures
in ntoskrnl.exe SoftICE is taking care of with its "silent" int3h hook.

RtlPrefetchMemoryNonTemporal is not really hooked; it is reported because of this:

.text:804D44F0 @RtlPrefetchMemoryNonTemporal@8 proc near
.text:804D44F0                 retn
.text:804D44F1                 mov     eax, ds:_KePrefetchNTAGranularity
.text:804D44F6 loc_804D44F6:                          
.text:804D44F6                 prefetchnta byte ptr [ecx+0]
.text:804D44FA                 add     ecx, eax
.text:804D44FC                 sub     edx, eax
.text:804D44FE                 ja      short loc_804D44F6
.text:804D4500                 retn

...

INIT:806A6E0E        >>>>     mov     eax, offset @RtlPrefetchMemoryNonTemporal@8 
INIT:806A6E13                 mov     ds:_KeZeroPage, offset @KiXMMIZeroPage@4 
INIT:806A6E1D                 mov     ds:_KeZeroPageFromIdleThread, offset @KiXMMIZeroPageNoSave@4 
INIT:806A6E27        >>>>     mov     byte ptr [eax], 90h


The retn is changed to a nop during initialization of ntoskrnl.exe (I have
no idea why), so the first byte in memory no longer matches the one on disk,
but those two procedures are OK.
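The whole procedure from the concept list (rebasing the mapped copy, skipping INIT
exports, the zero-bytes variable trick, the 4-byte compare and the int3h check), and
the RtlPrefetchMemoryNonTemporal false positive caused by the boot-time retn -> nop
patch, as an added offline model in Python. This is not deroko's hookscan code and
needs no driver: the "kernel" is a constructed 1 KB image with a made-up section
layout, made-up export RVAs (the export names are the ones from this page, plus a
hypothetical INIT export), a .reloc block in the real IMAGE_BASE_RELOCATION format,
and a second bytearray standing in for the live kernel at a different base. The jmp
hooks written into the "TheMida loaded" variant go to a hypothetical handler RVA.

```python
# Added example (not deroko's tool): offline model of the hookscan comparison.
import struct

IMAGE_REL_BASED_HIGHLOW = 3          # 32-bit absolute fixup type in .reloc entries
PREFERRED_BASE = 0x00400000          # ImageBase in the on-disk headers (constructed)
LOADED_BASE = 0x00800000             # where the loader actually put it (constructed)
IMAGE_SIZE = 0x400

# section name -> (rva, size); the layout is constructed
SECTIONS = {".text": (0x000, 0x100), ".data": (0x100, 0x100),
            ".reloc": (0x200, 0x100), "INIT": (0x300, 0x100)}

# export name -> RVA; names come from the page, RVAs are constructed
EXPORTS = {"KeAttachProcess": 0x10, "DbgBreakPoint": 0x20,
           "RtlPrefetchMemoryNonTemporal": 0x30, "vsprintf": 0x40,
           "KeZeroPage": 0x100,        # exported variable, zero on disk
           "SomeInitRoutine": 0x300}   # hypothetical export living in INIT

def build_disk_image():
    """The image as stored on disk, i.e. before any loader fixups."""
    img = bytearray(IMAGE_SIZE)
    var = struct.pack("<I", PREFERRED_BASE + 0x100)      # absolute address of KeZeroPage
    img[0x10:0x16] = b"\xA1" + var + b"\xC3"             # mov eax, [KeZeroPage] ; retn
    img[0x20:0x22] = b"\xCC\xC3"                         # int3 ; retn
    img[0x30:0x37] = b"\xC3\xA1" + var + b"\xC3"         # retn ; mov eax, [..] ; retn
    img[0x40:0x44] = b"\x55\x8B\xEC\xC3"                 # push ebp ; mov ebp, esp ; retn
    img[0x300:0x304] = b"\xC6\x00\x90\xC3"               # mov byte ptr [eax], 90h ; retn
    # one IMAGE_BASE_RELOCATION block (page RVA 0) covering the two mov operands
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | 0x11, (IMAGE_REL_BASED_HIGHLOW << 12) | 0x32]
    block = struct.pack("<II", 0, 8 + 2 * len(entries))
    block += b"".join(struct.pack("<H", e) for e in entries)
    img[0x200:0x200 + len(block)] = block
    return img

def apply_relocations(image, new_base):
    """Step 2: rebase the mapped copy so absolute operands match the live kernel."""
    fixed = bytearray(image)
    delta = new_base - PREFERRED_BASE
    start, size = SECTIONS[".reloc"]
    pos, end = start, start + size
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", fixed, pos)
        if block_size < 8:
            break                                 # zero padding: end of the table
        for off in range(pos + 8, pos + block_size, 2):
            entry = struct.unpack_from("<H", fixed, off)[0]
            if entry >> 12 == IMAGE_REL_BASED_HIGHLOW:   # ABSOLUTE (0) entries are padding
                rva = page_rva + (entry & 0xFFF)
                val = struct.unpack_from("<I", fixed, rva)[0]
                struct.pack_into("<I", fixed, rva, (val + delta) & 0xFFFFFFFF)
        pos += block_size
    return fixed

def section_of(rva):
    return next((n for n, (s, sz) in SECTIONS.items() if s <= rva < s + sz), None)

def scan(disk_image, live_image):
    """Steps 3-6: 4-byte compare per export; returns name -> Int3h/Hooked/clean."""
    fixed = apply_relocations(disk_image, LOADED_BASE)
    results = {}
    for name, rva in EXPORTS.items():
        if section_of(rva) == "INIT":            # step 4: INIT exports are skipped
            continue
        expected = bytes(fixed[rva:rva + 4])
        if expected == b"\x00" * 4:              # the "lame" variable heuristic
            continue
        actual = bytes(live_image[rva:rva + 4])
        if actual[0] == 0xCC:                    # the driver's int3h check
            results[name] = "Int3h"
        elif actual != expected:
            results[name] = "Hooked"
        else:
            results[name] = "clean"
    return results

def build_live_image(disk_image, themida_loaded=False):
    """Model of the running kernel: relocated, variable initialised, retn -> nop patch,
    and optionally two exports overwritten with a jmp to a hypothetical handler."""
    live = apply_relocations(disk_image, LOADED_BASE)
    struct.pack_into("<I", live, 0x100, 0xDEADBEEF)   # KeZeroPage initialised at boot
    live[0x30] = 0x90                                # the INIT-time retn -> nop patch
    if themida_loaded:
        for name in ("KeAttachProcess", "vsprintf"):
            rva = EXPORTS[name]
            rel = (LOADED_BASE + 0x3F0) - (LOADED_BASE + rva + 5)   # handler at rva 0x3F0
            live[rva:rva + 5] = b"\xE9" + struct.pack("<I", rel & 0xFFFFFFFF)
    return live

def report(results):
    """Lines in the tool's output format; clean exports are not printed."""
    return [f"{status:<7}: {name}" for name, status in results.items() if status != "clean"]

if __name__ == "__main__":
    disk = build_disk_image()
    for themida in (False, True):
        print("-- TheMida loaded --" if themida else "-- clean system --")
        print("\n".join(report(scan(disk, build_live_image(disk, themida)))))
```

On the constructed image the clean run reproduces the two lines from the first
output above (DbgBreakPoint as Int3h, RtlPrefetchMemoryNonTemporal as Hooked although
only its boot-time patch differs), and skipping the fixup step in scan() would add
KeAttachProcess as a second false positive, since its mov eax operand is rebased by
the loader.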

When TheMida is loaded:

C:\>hookscan
scanhook       - (c) 2006 deroko/ARTeam
Int3h  : DbgBreakPoint
Hooked : KeAttachProcess
Hooked : RtlPrefetchMemoryNonTemporal
Hooked : vsprintf

C:\>

PS. This tool could be changed to take care of hal.dll as well, but I will
    deal with that later.


                                        With faith in God, deroko/ARTeam
