PCHunter is a free, practical anti-rootkit toolkit for Windows with a set of powerful tools for inspecting and manipulating kernel structures.
It gives a broad view of the kernel and runs at the highest privilege level, so you can detect, examine and undo all kinds of kernel modifications.
With it you can quickly locate and remove malware that hides from ordinary detection tools.

The latest version supports:

  • Windows 2000 SP4 (32-bit only)
  • Windows XP (32-bit only)
  • Windows Server 2003 (32-bit only)
  • Windows Vista (32-bit only)
  • Windows Server 2008 (32-bit only)
  • Windows 7 (32/64)
  • Windows 8 (32/64)
  • Windows 8.1 (32/64)
  • Windows 10 (32/64)

FEATURES

Process Manager

  • View basic information about system processes and threads.
  • Detect hidden processes, threads and process modules.
  • Terminate, suspend and resume processes and threads.
  • View and modify process handles, memory regions and windows.

https://i.ibb.co/StJBLzJ/process-manager.png

Kernel Module Viewer

  • Display kernel module details: ImageBase, Size, Driver Object, ImagePath, ServiceName and Load Order.
  • Detect hidden kernel modules.
  • Unload a kernel module (dangerous).
  • Dump a kernel module's image memory.
  • Display and delete system driver services.

https://i.ibb.co/M2wrxtX/kernel.png

Hook Detector

  • View and restore SSDT, Shadow SSDT, Sysenter and int 2E hooks.
  • View and restore FSD and keyboard detach hooks.
  • View and restore kernel code hooks: IAT hooks, EAT hooks and kernel inline hooks.
  • View and restore user-mode process hooks: inline hooks, patches, IAT hooks and EAT hooks.
  • View and restore message hooks (global and local).
  • View and restore kernel ObjectType hooks.
  • Display the Interrupt Descriptor Table (IDT).
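
Every inline-hook and patch check in this list rests on the same comparison: the code bytes of a function as they sit in memory against the same bytes from the clean on-disk image, followed by decoding whatever control transfer the patch planted so that the hook's destination can be reported. The C program below is an added example of that comparison written for this page; it is not PCHunter's code and it does not read real process or kernel memory. It works on x64 byte sequences constructed inline (the function address SAMPLE_VA, the hook target and the prologue bytes are all made-up values) and recognises the common stubs: jmp/call rel32, short jmp, the RIP-relative jmp [rip+disp32] trampoline with its pointer slot, and push/ret.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Kinds of control transfer an inline hook typically plants at a function entry. */
typedef enum {
    HOOK_NONE = 0,       /* in-memory bytes match the clean copy */
    HOOK_JMP_REL32,      /* E9 rel32      (5-byte near jmp, the Detours-style hook) */
    HOOK_CALL_REL32,     /* E8 rel32      (5-byte call) */
    HOOK_JMP_REL8,       /* EB rel8       (2-byte short jmp, hot-patch style) */
    HOOK_JMP_INDIRECT,   /* FF 25 disp32  (x64 RIP-relative jmp [slot]) */
    HOOK_PUSH_RET,       /* 68 imm32 / C3 (push target; ret) */
    HOOK_UNKNOWN_PATCH   /* bytes differ but no recognised transfer stub was decoded */
} hook_kind;

typedef struct {
    hook_kind kind;
    size_t    first_diff;  /* offset of the first byte that differs from the clean copy */
    uint64_t  slot;        /* for FF 25: address of the 8-byte pointer the jmp reads */
    uint64_t  target;      /* where control goes; 0 if it could not be resolved */
} hook_report;

static int32_t  rd_i32(const uint8_t *p) { int32_t  v; memcpy(&v, p, 4); return v; }
static uint32_t rd_u32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd_u64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }

/* Compare n bytes of a function as mapped in memory (mem) against the same bytes
 * from the clean, relocated on-disk image (disk). func_va is the function's
 * virtual address, needed to turn relative displacements into absolute targets. */
hook_report detect_inline_hook(uint64_t func_va, const uint8_t *mem,
                               const uint8_t *disk, size_t n)
{
    hook_report r = { HOOK_NONE, n, 0, 0 };
    size_t i = 0;
    while (i < n && mem[i] == disk[i]) i++;
    if (i == n) return r;                  /* identical: nothing patched */

    r.first_diff = i;
    r.kind = HOOK_UNKNOWN_PATCH;
    const uint8_t *p = mem + i;            /* decode at the first patched byte */
    uint64_t ip = func_va + i;
    size_t left = n - i;

    if (left >= 5 && (p[0] == 0xE9 || p[0] == 0xE8)) {
        r.kind   = (p[0] == 0xE9) ? HOOK_JMP_REL32 : HOOK_CALL_REL32;
        r.target = ip + 5 + (int64_t)rd_i32(p + 1);
    } else if (left >= 2 && p[0] == 0xEB) {
        r.kind   = HOOK_JMP_REL8;
        r.target = ip + 2 + (int64_t)(int8_t)p[1];
    } else if (left >= 6 && p[0] == 0xFF && p[1] == 0x25) {
        r.kind = HOOK_JMP_INDIRECT;
        r.slot = ip + 6 + (int64_t)rd_i32(p + 2);
        /* The classic x64 trampoline places the pointer right after the jmp, so it
         * is often inside the bytes already captured; resolve it when it is. */
        if (r.slot >= func_va && r.slot + 8 <= func_va + n)
            r.target = rd_u64(mem + (r.slot - func_va));
    } else if (left >= 6 && p[0] == 0x68 && p[5] == 0xC3) {
        r.kind   = HOOK_PUSH_RET;
        r.target = rd_u32(p + 1);          /* 32-bit immediate, zero-extended */
    }
    return r;
}

/* Constructed sample data, not captured from a real system. SAMPLE_VA and
 * SAMPLE_TARGET are made-up addresses. */
#define SAMPLE_VA     0x00007FFB10001000ULL
#define SAMPLE_TARGET 0x00007FFB20005000ULL
#define SAMPLE_LEN    15

/* Clean x64 prologue: mov [rsp+8],rbx; mov [rsp+10h],rsi; push rdi; sub rsp,20h */
static const uint8_t clean_prologue[SAMPLE_LEN] = {
    0x48,0x89,0x5C,0x24,0x08, 0x48,0x89,0x74,0x24,0x10, 0x57, 0x48,0x83,0xEC,0x20 };

/* Same function with its first 5 bytes replaced by jmp rel32 to SAMPLE_TARGET
 * (rel32 = SAMPLE_TARGET - (SAMPLE_VA + 5) = 0x10003FFB). */
static const uint8_t jmp_hooked[SAMPLE_LEN] = {
    0xE9,0xFB,0x3F,0x00,0x10, 0x48,0x89,0x74,0x24,0x10, 0x57, 0x48,0x83,0xEC,0x20 };

/* Same function with a 14-byte absolute trampoline: jmp [rip+0]; dq SAMPLE_TARGET */
static const uint8_t indirect_hooked[SAMPLE_LEN] = {
    0xFF,0x25,0x00,0x00,0x00,0x00, 0x00,0x50,0x00,0x20,0xFB,0x7F,0x00,0x00, 0x20 };

static const char *kind_name(hook_kind k)
{
    static const char *names[] = { "none", "jmp rel32", "call rel32", "jmp rel8",
                                   "jmp [rip+disp32]", "push/ret", "unknown patch" };
    return names[k];
}

int main(void)
{
    const uint8_t *samples[] = { clean_prologue, jmp_hooked, indirect_hooked };
    for (size_t s = 0; s < 3; s++) {
        hook_report r = detect_inline_hook(SAMPLE_VA, samples[s], clean_prologue, SAMPLE_LEN);
        printf("sample %zu: %-16s first_diff=%zu target=0x%016llx\n", s, kind_name(r.kind),
               r.first_diff, (unsigned long long)r.target);
    }
    return 0;
}
```

Two caveats apply to any such comparison. The "clean" bytes must come from the on-disk image with relocations applied, otherwise every relocated instruction shows up as a patch. And a hit is not proof of malice: security products and hot-patched system binaries plant the same stubs, so the useful next step is to resolve the target address to its owning module and check that module's signature before restoring anything.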

https://i.ibb.co/3swmyJs/image.png

System Callback Viewer

View and remove kernel notify callbacks (Process/Thread/Image/Registry/Lego/Shutdown/Bugcheck/FileSystem/Logon).

https://i.ibb.co/6PCNbTD/image.png

Other useful features include:

  • View and remove filter drivers attached to common devices: disk, volume, keyboard and network.
  • View and edit the system registry.
  • Live registry hive analysis to find hidden registry entries.
  • Find hidden files by disk analysis as well as by driver-level techniques.
  • View and delete locked files and folders.
  • View basic file information, including NTFS Alternate Data Streams.
  • Option to block the creation of processes, threads and message hooks.
  • Option to block the creation of files and registry keys.
  • Option to block system shutdown, logoff and reboot.
  • Option to block workstation shutdown and locking.
  • Option to block setting of the system clock.
  • View and repair common file type associations.
  • View and repair image hijacks (Image File Execution Options entries).
  • List and remove DPC timer objects.
  • Display Win32 service details (ring-0 driver services are covered by the Kernel Module Viewer), etc.

You can download the tool from HERE.