Dailydave mailing list archives
windows rootkits file-hiding vulnerabilities ;)
From: Joanna Rutkowska <joanna () mailsnare net>
Date: Mon, 24 Jan 2005 23:52:20 +0100
It's gonna be very simple, but somebody needs to bring it to the public for the good of mankind... or at least the rootkit community ;)

When researching some new techniques for file hiding, I came across a very common bug in many (all?) publicly available Windows rootkits (both user and kernel mode)... The problem can be noticed when using the well-known ZwQueryDirectoryFile() function with the ReturnSingleEntry argument set to TRUE. All tested rootkits (see paper) failed to properly hide the files or directories which should have been hidden...

As usual, very simple proof-of-concept code is provided: http://invisiblethings.org/tools/flister.zip

read more: http://invisiblethings.org/tools/flister.txt

regards,
joanna.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
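A cross-view check of the kind the post describes, written here as an added example (it is not the flister tool and not code from the message): it enumerates a directory through ntdll's NtQueryDirectoryFile (the user-mode export behind ZwQueryDirectoryFile) once with ReturnSingleEntry = FALSE and once with TRUE, then reports names that only the single-entry pass returned. It assumes a Windows build with the SDK's winternl.h; the FILE_DIRECTORY_INFORMATION layout and the function pointer type are declared locally, and the name-comparison helper is portable C.

```c
/* Cross-view directory check after the post above (added example, not the flister
 * tool): list a directory via NtQueryDirectoryFile with ReturnSingleEntry FALSE,
 * then TRUE, and report names only the single-entry pass returned. Windows-only
 * code sits under _WIN32 and assumes the SDK's winternl.h. */
#include <stdio.h>
#include <wchar.h>
enum { MAX_ENTRIES = 4096, NAME_MAX_W = 260 };
typedef struct { wchar_t name[NAME_MAX_W]; } Entry;
/* Count names in b absent from a (portable); optionally print each suspect. */
int count_missing(const Entry *a, int na, const Entry *b, int nb, int report) {
    int missing = 0;
    for (int i = 0; i < nb; i++) {
        int j = 0; while (j < na && wcscmp(a[j].name, b[i].name) != 0) j++;
        if (j < na) continue;                   /* present in both views */
        missing++; if (report) wprintf(L"possibly hidden: %ls\n", b[i].name);
    }
    return missing;
}
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
typedef struct { ULONG NextEntryOffset, FileIndex; LARGE_INTEGER t[6]; /* times, sizes */
                 ULONG FileAttributes, FileNameLength; WCHAR FileName[1]; } DirInfo;
typedef NTSTATUS (NTAPI *QueryDir_t)(HANDLE, HANDLE, PVOID, PVOID, PIO_STATUS_BLOCK,
                                     PVOID, ULONG, ULONG, BOOLEAN, PUNICODE_STRING, BOOLEAN);
static int list_dir(HANDLE h, BOOLEAN single, Entry *out) {
    static BYTE buf[64 * 1024];
    QueryDir_t q = (QueryDir_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryDirectoryFile");
    IO_STATUS_BLOCK iosb; BOOLEAN restart = TRUE; int n = 0;
    while (q) {
        NTSTATUS st = q(h, NULL, NULL, NULL, &iosb, buf, sizeof buf,
                        1 /* FileDirectoryInformation */, single, NULL, restart);
        restart = FALSE; if ((LONG)st < 0) break;  /* STATUS_NO_MORE_FILES ends the scan */
        for (DirInfo *d = (DirInfo *)buf; n < MAX_ENTRIES; d = (DirInfo *)((BYTE *)d + d->NextEntryOffset)) {
            size_t len = d->FileNameLength / sizeof(WCHAR); if (len >= NAME_MAX_W) len = NAME_MAX_W - 1;
            wmemcpy(out[n].name, d->FileName, len); out[n++].name[len] = 0;
            if (!d->NextEntryOffset) break;
        }
    }
    return n;
}
int main(int argc, char **argv) {
    static Entry normal[MAX_ENTRIES], single[MAX_ENTRIES];
    HANDLE h = CreateFileA(argc > 1 ? argv[1] : ".", FILE_LIST_DIRECTORY, FILE_SHARE_READ |
        FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
    if (h == INVALID_HANDLE_VALUE) return 1;
    int n1 = list_dir(h, FALSE, normal), n2 = list_dir(h, TRUE, single); CloseHandle(h);
    return count_missing(normal, n1, single, n2, 1) ? 2 : 0;  /* 2 = discrepancy found */
}
#endif
```

Run it against a directory on a machine suspected of hosting a file-hiding rootkit; a non-empty "possibly hidden" list means the two enumeration modes disagree and the names deserve a closer look.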