
List:       dailydave
Subject:    [Dailydave] windows rootkits file-hiding vulnerabilities ;)
From:       Joanna Rutkowska <joanna () mailsnare ! net>
Date:       2005-01-24 22:52:20
Message-ID: 41F57C24.8060002 () mailsnare ! net

It's gonna be very simple, but somebody needs to bring it to the public for
the good of mankind... or at least the rootkit community ;)

When researching some new techniques for file hiding, I came across a
very common bug in many (all?) publicly available Windows rootkits (both
user and kernel mode)...

The problem can be noticed when using the well-known ZwQueryDirectoryFile()
function with the ReturnSingleEntry argument set to TRUE. All tested
rootkits (see paper) failed to properly hide the files or directories
which should have been hidden...

As usual, very simple proof-of-concept code is provided:

http://invisiblethings.org/tools/flister.zip

read more:

http://invisiblethings.org/tools/flister.txt

regards,
joanna.
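A cross-view check in the spirit of the post, written here as an added example (this is not flister or any code from the post): it walks a directory with NtQueryDirectoryFile and ReturnSingleEntry=TRUE, walks it again through the normal FindFirstFile path (os.listdir), and reports names present in only one view. The Windows constants and structure layouts are restated from winternl.h/winnt.h and are assumptions of this example; the enumeration itself only runs on Windows, the comparison helper runs anywhere.

```python
import ctypes, os, sys
# winternl.h / winnt.h values (documented constants, restated here, not from the original post)
STATUS_NO_MORE_FILES, FILE_DIRECTORY_INFO_CLASS = 0x80000006, 1   # FileDirectoryInformation
FILE_LIST_DIRECTORY, FILE_SHARE_ALL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS = 1, 7, 3, 0x02000000
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
V, U, LL = ctypes.c_void_p, ctypes.c_ulong, ctypes.c_longlong
class IO_STATUS_BLOCK(ctypes.Structure):
    _fields_ = [("Status", V), ("Information", V)]
class FILE_DIRECTORY_INFORMATION(ctypes.Structure):  # fixed header; WCHAR FileName[] follows it
    _fields_ = [("NextEntryOffset", U), ("FileIndex", U), ("CreationTime", LL), ("LastAccessTime", LL),
                ("LastWriteTime", LL), ("ChangeTime", LL), ("EndOfFile", LL), ("AllocationSize", LL),
                ("FileAttributes", U), ("FileNameLength", U)]

def list_single_entry(path):
    """Names returned by NtQueryDirectoryFile with ReturnSingleEntry=TRUE (Windows only)."""
    k32, ntdll = ctypes.WinDLL("kernel32", use_last_error=True), ctypes.WinDLL("ntdll")
    k32.CreateFileW.argtypes, k32.CreateFileW.restype = [ctypes.c_wchar_p, U, U, V, U, U, V], V
    ntdll.NtQueryDirectoryFile.argtypes = [V, V, V, V, ctypes.POINTER(IO_STATUS_BLOCK), V, U,
                                           ctypes.c_int, ctypes.c_ubyte, V, ctypes.c_ubyte]
    ntdll.NtQueryDirectoryFile.restype = U          # NTSTATUS, compared as unsigned
    h = k32.CreateFileW(path, FILE_LIST_DIRECTORY, FILE_SHARE_ALL, None, OPEN_EXISTING,
                        FILE_FLAG_BACKUP_SEMANTICS, None)
    if h in (None, INVALID_HANDLE_VALUE):
        raise ctypes.WinError(ctypes.get_last_error())
    buf = ctypes.create_string_buffer(ctypes.sizeof(FILE_DIRECTORY_INFORMATION) + 2 * 1024)
    iosb, names = IO_STATUS_BLOCK(), []
    try:
        while True:   # one entry per call: the query shape the post reports rootkits mishandle
            status = ntdll.NtQueryDirectoryFile(h, None, None, None, ctypes.byref(iosb),
                                                ctypes.cast(buf, V), ctypes.sizeof(buf),
                                                FILE_DIRECTORY_INFO_CLASS, 1, None, 0)
            if status == STATUS_NO_MORE_FILES:
                return names
            if status != 0:
                raise OSError(f"NtQueryDirectoryFile failed: 0x{status:08X}")
            info = FILE_DIRECTORY_INFORMATION.from_buffer(buf)
            names.append(ctypes.wstring_at(ctypes.addressof(buf) + ctypes.sizeof(info),
                                           info.FileNameLength // 2))
    finally:
        k32.CloseHandle(V(h))

def cross_view_diff(native_names, win32_names):
    """Names visible in only one view ('.' and '..' ignored); any entry here warrants a closer look."""
    native, win32 = set(native_names) - {".", ".."}, set(win32_names)
    return sorted(native - win32), sorted(win32 - native)

if __name__ == "__main__" and sys.platform == "win32":
    target = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    hidden, extra = cross_view_diff(list_single_entry(target), os.listdir(target))
    print("single-entry query only:", hidden, "\nFindFirstFile view only:", extra)
```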