Dailydave mailing list archives

windows rootkits file-hiding vulnerabilities ;)


From: Joanna Rutkowska <joanna () mailsnare net>
Date: Mon, 24 Jan 2005 23:52:20 +0100

It's gonna be very simple, but somebody needs to bring it to the public for
the goodness of mankind... or at least the rootkit community;)

When researching some new techniques for file hiding, I came across a
very common bug in many (all?) publicly available Windows rootkits (both
user and kernel mode)...

The problem can be noticed when using the well-known ZwQueryDirectoryFile()
function with the ReturnSingleEntry argument set to TRUE. All tested
rootkits (see paper) failed to properly hide the files or directories
which should have been hidden...

As usual, very simple proof-of-concept code is provided:

http://invisiblethings.org/tools/flister.zip

read more:

http://invisiblethings.org/tools/flister.txt

regards,
joanna.


