Full Disclosure mailing list archives
Re: Full-Disclosure Digest, Vol 43, Issue 20
From: Mary and Glenn Everhart <Everhart () gce com>
Date: Sat, 13 Sep 2008 15:14:07 -0400
5. Re: "Zero-day catcher" for Windows available for sell (Probably Shadowgamers)
The guy who posted this did reveal much of what was needed to know. Sounds like his premise is that any 0day will have to patch one or more kernel modules, inside the code (to avoid being noticed). To do this they would likely read the module headers. I presume there are only a few "normal" places where such headers would be read, so reads from elsewhere might be possible to trap. Sounds too like he (/she?) may be getting control on a timer basis; this would need to be kept working to avoid the system very noticeably hanging. There is probably some more, but this sounds like some rootkits would be picked up this way. If your kernel function searches through memory, or perhaps follows trap vectors in the hardware, to figure where some target is, it might avoid looking at PE headers but could have to work harder.

A more open discussion of the product's features and capabilities would however be preferable. We might all learn something (including the original poster). The method of description used suggests it could be an attempt at trapping some accesses, but which may or may not be competently or even safely done. (I might also point out that talks at places like Blackhat and Defcon have been published which discuss malware that requires only a few bytes of data to be altered to change functions. These may not all be within PE headers.)

Whoever you are, "zerodaycatcher", how about some more technical discussion here?

Glenn C. Everhart

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/