Re: Inspiration

Just another great Utility from sysinternals !!!

http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

:-)))

Thanks Bryce and Mark.

Norbert.

“Only those who attempt the absurd can achieve the impossible.”
---- snip ----

There are other potentially very dangerous techniques, such as determining
the addresses of internal kernel synchronization objects
and using them in your code to accomplish black magic. I had to use
such techniques in the past.

On the other hand, there are cases in which you simply can't accomplish
what you want without performing dangerous things. My position on
this is that you should always use the least intrusive technique, and
always inform your customer about what you did to make their request
possible. Debugging and analysis tools are just an example. There are others.

As for identifying such things, I maintain my statement that a debugger is your best
friend. You should be able, with minimal effort, to determine the most used
methods of hooking, if you know where you should look for them.
As for the product which so far, to my knowledge, has the biggest number of
hooks installed, it's NuMega NTICE.

Use educated guesses to determine whether a third party driver you
installed uses hooking, and a debugger and a minimal analysis will reveal
more than you think.

Norbert, don't grow paranoid. It's futile =)

Dan

----- Original Message -----
> From: "Norbert Kawulski"
> To: "Windows System Software Devs Interest List"
> Sent: Friday, December 17, 2004 12:30 PM
> Subject: Re: Inspiration

>> Thanks to John Alderson and Marco Peretti
>> for pointing out these sites.
>> Yes Peter, it is scary. My paranoia grows…
>> But because modifying the SDT is only one form of hooking and there
>> are many more forms of patching at runtime my proposed utility seems
>> to be impossible (imperfect).
>> Norbert.
>> --------
>> “A professor is one who talks in someone else’s sleep.”
>> ---- snip ----

---- snip ----

The webpage for rootkitreveal mentions doing “raw reads” of the
filesystem (and registry hive) for comparison to the data returned by
normal reads. Please forgive the naive question, but how are raw reads
done?

I ask because yesterday I was trying to read something from a CD-ROM and
found that all my read requests were blocked by a lower filter driver
called "pfc.sys". (This was during a rip with DiscJuggler.) I think
this is the Patin-Couffin ASPI-type driver, which apparently offers an
"exclusive access" mode where it blocks all other read requests.

I don’t know whether a raw read mechanism could bypass such filter
manipulations, but it seems like it would be a good thing to know how to do.

Thanks,

David

Norbert Kawulski wrote:

> Just another great Utility from sysinternals !!!
>
> http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
>
> :-)))
>
> Thanks Bryce and Mark.
>
> Norbert.
>
> "Only those who attempt the absurd can achieve the impossible."
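The raw-versus-normal comparison David asks about is the cross-view idea behind the tool: enumerate the same namespace once through the normal API and once from a raw read of the on-disk structures, then diff the two. The block below is an added example, not code from the thread or from Sysinternals; it shows only the comparison step over constructed listings (parsing NTFS or hive structures for the raw read is not covered here), and the repeated-snapshot filter for transient files is an assumed mitigation, not something the thread describes.

```python
"""Cross-view comparison of a namespace enumerated two ways: through the normal
API, and through a raw read of the on-disk structures. An entry that only the
raw view returns is a candidate for something a hook is hiding from the API.
All listings here are constructed samples, not output of any real scan."""
import ntpath
from dataclasses import dataclass, field


@dataclass
class CrossViewResult:
    hidden: set = field(default_factory=set)   # raw view only: possibly concealed by a hook
    phantom: set = field(default_factory=set)  # API view only: e.g. created after the raw snapshot


def normalize(path: str) -> str:
    # NTFS paths and registry keys are case-insensitive, so compare a canonical
    # form: "C:\Windows\" and "c:\windows" must count as the same object.
    return ntpath.normpath(path).rstrip("\\").casefold()


def cross_view_diff(api_view, raw_view) -> CrossViewResult:
    api = {normalize(p) for p in api_view}
    raw = {normalize(p) for p in raw_view}
    return CrossViewResult(hidden=raw - api, phantom=api - raw)


def persistent_hidden(api_view, raw_snapshots) -> set:
    # Files come and go while a scan runs, so a single raw snapshot produces
    # transient false positives. Assumed mitigation (not taken from the thread):
    # take more than one raw snapshot and report only what every one of them
    # shows and the API view still does not.
    hidden_sets = [cross_view_diff(api_view, snap).hidden for snap in raw_snapshots]
    return set.intersection(*hidden_sets) if hidden_sets else set()


# Constructed sample listings; the "hidden" driver name is a placeholder.
API_VIEW = [r"C:\Windows\System32\drivers\ntfs.sys",
            r"C:\Windows\System32\drivers\cdrom.sys",
            r"C:\Temp\scan.log"]
RAW_SNAPSHOT_1 = [r"c:\windows\system32\drivers\NTFS.SYS",
                  r"C:\Windows\System32\drivers\cdrom.sys",
                  r"C:\Windows\System32\drivers\constructed_hidden.sys",
                  r"C:\Temp\tmp1234.tmp"]          # transient, gone by snapshot 2
RAW_SNAPSHOT_2 = RAW_SNAPSHOT_1[:-1]

if __name__ == "__main__":
    result = cross_view_diff(API_VIEW, RAW_SNAPSHOT_1)
    for p in sorted(result.hidden):
        print("HIDDEN  (raw only) ", p)
    for p in sorted(result.phantom):
        print("PHANTOM (API only) ", p)
    for p in sorted(persistent_hidden(API_VIEW, [RAW_SNAPSHOT_1, RAW_SNAPSHOT_2])):
        print("PERSISTENT HIDDEN  ", p)
```

A phantom entry is usually benign (the scan's own log file, or something created after the raw snapshot), which is why the two directions are reported separately.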