Full Disclosure mailing list archives

Re: Full-Disclosure Digest, Vol 43, Issue 20


From: Mary and Glenn Everhart <Everhart () gce com>
Date: Sat, 13 Sep 2008 15:14:07 -0400

   5. Re: "Zero-day catcher" for Windows available for sell
      (Probably Shadowgamers)

The guy who posted this did reveal much of what was needed to know.
Sounds like his premise is that any 0day will have to patch one or more
kernel modules, inside the code (to avoid being noticed). To do this they
would likely read the module headers. I presume there are only a few
"normal" places where such headers would be read, so reads from elsewhere
might be possible to trap. Sounds too like he (/she?) may be getting
control on a timer basis; this would need to be kept working to avoid the
system very noticeably hanging.

There is probably some more but this sounds like some rootkits would be
picked up this way. If your kernel function searches through memory,
or perhaps follows trap vectors in the hardware, to figure where some target
is, it might avoid looking at PE headers but could have to work harder.

A more open discussion of the product's features and capabilities would
however be preferable. We might all learn something (including the
original poster). The method of description used suggests it could be an
attempt at trapping some accesses but which may or may not be
competently or even safely done. (I might also point out that talks at
places like Blackhat and Defcon have been published which discuss
malware that requires only a few bytes of data to be altered to change
functions. These may not all be within PE headers.)

Whoever you are, "zerodaycatcher", how about some more technical discussion
here?

Glenn C. Everhart
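
Added example, not code from the post above nor from the "zero-day catcher" product it discusses. It shows concretely what "reading the module headers" means: walking an in-memory PE image from the DOS header through the optional header's export data directory to the name table, which is how a rootkit (or any driver) resolves a kernel routine by name and is the access pattern the post suggests could be trapped. Beside it is the header-free alternative the post mentions, a byte-signature scan through memory, which touches no headers but fails as soon as the target's bytes change. The image, the export names NtCreateFile/NtOpenFile and the stub bytes are all constructed here for illustration; the code uses no Windows headers so it builds on any host.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMG_SIZE 0x500u   /* size of the constructed image buffer */

/* Little-endian reads that refuse to run past the end of the image. */
static uint32_t rd32(const uint8_t *p, size_t len, size_t off, int *ok) {
    if (!*ok || off > len || len - off < 4) { *ok = 0; return 0; }
    return (uint32_t)p[off] | (uint32_t)p[off + 1] << 8 |
           (uint32_t)p[off + 2] << 16 | (uint32_t)p[off + 3] << 24;
}
static uint16_t rd16(const uint8_t *p, size_t len, size_t off, int *ok) {
    if (!*ok || off > len || len - off < 2) { *ok = 0; return 0; }
    return (uint16_t)(p[off] | (p[off + 1] << 8));
}

/* DOS header -> "PE\0\0" -> optional header -> export directory -> name table.
 * Returns the RVA of the export called `name`, or 0 if absent or malformed. */
uint32_t pe_find_export(const uint8_t *img, size_t len, const char *name) {
    int ok = 1;
    if (rd16(img, len, 0, &ok) != 0x5A4D) return 0;               /* "MZ" */
    uint32_t pe = rd32(img, len, 0x3C, &ok);                       /* e_lfanew */
    if (rd32(img, len, pe, &ok) != 0x00004550) return 0;           /* "PE\0\0" */
    uint16_t opt_size = rd16(img, len, pe + 20, &ok);              /* SizeOfOptionalHeader */
    uint32_t opt = pe + 24;                                        /* optional header RVA */
    uint16_t magic = rd16(img, len, opt, &ok);
    uint32_t dd_off, nrva_off;                                     /* DataDirectory, NumberOfRvaAndSizes */
    if (magic == 0x20B)      { dd_off = 112; nrva_off = 108; }     /* PE32+ */
    else if (magic == 0x10B) { dd_off = 96;  nrva_off = 92;  }     /* PE32 */
    else return 0;
    if (!ok || dd_off + 8 > opt_size) return 0;
    if (rd32(img, len, opt + nrva_off, &ok) < 1) return 0;         /* no export entry */
    uint32_t exp_rva  = rd32(img, len, opt + dd_off, &ok);
    uint32_t exp_size = rd32(img, len, opt + dd_off + 4, &ok);
    if (!ok || exp_rva == 0) return 0;
    uint32_t nfuncs = rd32(img, len, exp_rva + 20, &ok);           /* NumberOfFunctions */
    uint32_t nnames = rd32(img, len, exp_rva + 24, &ok);           /* NumberOfNames */
    uint32_t funcs  = rd32(img, len, exp_rva + 28, &ok);           /* AddressOfFunctions */
    uint32_t names  = rd32(img, len, exp_rva + 32, &ok);           /* AddressOfNames */
    uint32_t ords   = rd32(img, len, exp_rva + 36, &ok);           /* AddressOfNameOrdinals */
    if (!ok || names > len || nnames > (len - names) / 4) return 0;
    if (ords > len || nnames > (len - ords) / 2) return 0;
    if (funcs > len || nfuncs > (len - funcs) / 4) return 0;
    for (uint32_t i = 0; i < nnames; i++) {
        uint32_t nrva = rd32(img, len, names + 4u * i, &ok);
        if (!ok || nrva >= len) return 0;
        if (!memchr(img + nrva, 0, len - nrva)) return 0;          /* unterminated name */
        if (strcmp((const char *)img + nrva, name) != 0) continue;
        uint16_t ord = rd16(img, len, ords + 2u * i, &ok);
        if (!ok || ord >= nfuncs) return 0;
        uint32_t fn = rd32(img, len, funcs + 4u * ord, &ok);
        if (!ok) return 0;
        /* an address inside the export directory is a forwarder string, not code */
        if (fn >= exp_rva && fn < exp_rva + exp_size) return 0;
        return fn;
    }
    return 0;
}

/* Header-free alternative: find the target by byte signature. Reads no
 * headers, but misses if the target's bytes differ by even one. */
long scan_for_bytes(const uint8_t *img, size_t len, const uint8_t *sig, size_t siglen) {
    if (siglen == 0 || siglen > len) return -1;
    for (size_t off = 0; off + siglen <= len; off++)
        if (memcmp(img + off, sig, siglen) == 0) return (long)off;
    return -1;
}

static void wr16(uint8_t *p, size_t off, uint16_t v) { p[off] = v & 0xFF; p[off + 1] = v >> 8; }
static void wr32(uint8_t *p, size_t off, uint32_t v) {
    for (int i = 0; i < 4; i++) p[off + i] = (v >> (8 * i)) & 0xFF;
}

/* Constructed stand-ins for two exported routines (hypothetical bytes). */
const uint8_t STUB_CREATE[4] = {0x48, 0x8B, 0xC4, 0xCC};
const uint8_t STUB_OPEN[4]   = {0x48, 0x83, 0xEC, 0x28};

/* Minimal PE32+ image built in memory: headers, export directory at RVA 0x200,
 * two named exports at RVAs 0x400 and 0x440. Constructed data, not a real driver. */
const uint8_t *demo_image(void) {
    static uint8_t img[IMG_SIZE];
    memset(img, 0, IMG_SIZE);
    wr16(img, 0x00, 0x5A4D); wr32(img, 0x3C, 0x80);                 /* MZ, e_lfanew */
    wr32(img, 0x80, 0x00004550);                                    /* PE\0\0 */
    wr16(img, 0x84, 0x8664); wr16(img, 0x94, 0xF0);                 /* x64, SizeOfOptionalHeader */
    wr16(img, 0x98, 0x20B);                                         /* PE32+ magic */
    wr32(img, 0x98 + 108, 16);                                      /* NumberOfRvaAndSizes */
    wr32(img, 0x98 + 112, 0x200); wr32(img, 0x98 + 116, 0xA0);      /* export dir RVA, size */
    wr32(img, 0x200 + 20, 2); wr32(img, 0x200 + 24, 2);             /* 2 functions, 2 names */
    wr32(img, 0x200 + 28, 0x240); wr32(img, 0x200 + 32, 0x250);     /* function, name tables */
    wr32(img, 0x200 + 36, 0x260);                                   /* ordinal table */
    wr32(img, 0x240, 0x400); wr32(img, 0x244, 0x440);               /* AddressOfFunctions */
    wr32(img, 0x250, 0x280); wr32(img, 0x254, 0x290);               /* AddressOfNames */
    wr16(img, 0x260, 0); wr16(img, 0x262, 1);                       /* AddressOfNameOrdinals */
    memcpy(img + 0x280, "NtCreateFile", 13); memcpy(img + 0x290, "NtOpenFile", 11);
    memcpy(img + 0x400, STUB_CREATE, 4); memcpy(img + 0x440, STUB_OPEN, 4);
    return img;
}

int main(void) {
    const uint8_t *img = demo_image();
    printf("NtOpenFile via export table: 0x%x\n", pe_find_export(img, IMG_SIZE, "NtOpenFile"));
    printf("NtOpenFile via byte scan:    0x%lx\n", (unsigned long)scan_for_bytes(img, IMG_SIZE, STUB_OPEN, 4));
    printf("NtReadFile (not exported):   0x%x\n", pe_find_export(img, IMG_SIZE, "NtReadFile"));
    return 0;
}
```

Every read in pe_find_export goes through a bounds-checked helper, because a kernel-mode resolver that trusts header fields is itself a way to crash the machine; a truncated image, an oversized name count or a forwarder RVA all come back as 0 rather than a wild read. The scan, by contrast, is a single memcmp loop: no header accesses for a monitor to trap, at the price of brittleness.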

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
