Message-ID: <001601c40011$a0c781d0$0b0010ac@Casa.Local>
From: thalm at netcabo.pt (Tiago Halm)
Subject: Looking for a tool
Paul,

Run FileMon and RegMon (both from SysInternals) while you do those delete
actions you mention, then examine the log file and you may find something.
FileMon makes use of "NTFS Change Journal" which I think may be behind those
process and file/directory re-creations. "NTFS Change Journal" tracks every
action in an NTFS file system. Just google for it for more info.

Hope it helps,
Tiago Halm

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Schmehl, Paul L
Sent: Monday, 1 March 2004 23:37
To: full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Looking for a tool
-----Original Message-----
From: Nick Jacobsen [mailto:nick@...icsdesign.com]
Sent: Monday, March 01, 2004 5:31 PM
To: Schmehl, Paul L; full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Looking for a tool

Well, I usually use *sysinternals* Process Explorer, and have yet to see it
fail to list a process... how do you know the process exists, if you can't
list it?

Real simple. I have randomly named processes (like gk5odre.exe) popping up,
and when I kill them, another one takes their place. *Something* has to be
the parent that controls this. I can delete an entire registry key and
watch it be recreated in less than a second. I can delete a directory with
three dlls in it and watch it be recreated right before my eyes. I can kill
the randomly named process and watch it reappear using the same name or a
completely different name. I can delete the executable after killing the
process, and it will be recreated in no time. So *something* has to be
controlling it, yet when I look at the process tree, the randomly named
process appears to be the parent.

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
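Paul's point that the randomly named process "appears to be the parent" is what a process-tree viewer shows when the creating process has already exited (Windows keeps the stale parent PID on the child and does not reparent it) or when the spawner is a long-lived process that is easy to overlook. The script below is an added example, not code from this thread or from Sysinternals: it diffs consecutive process-list snapshots, reports each newly appeared process together with its parent PID and whether that parent is still running, and tallies which parent keeps spawning random-looking names. The snapshots, the PIDs and the controller name "updater.exe" are constructed placeholders; on a real host the tuples would be filled from `tasklist /v`, WMI's Win32_Process (ParentProcessId) or a Process Explorer export.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One process as (pid, ppid, name). On a live host this would come from
# tasklist /v, WMI Win32_Process (ParentProcessId) or a Process Explorer export.
Proc = Tuple[int, int, str]

# Heuristic for names like gk5odre.exe: 6-8 lowercase alphanumerics containing
# at least one digit. Crude by design (it is a review filter, not a verdict);
# the digit requirement keeps ordinary names such as svchost.exe out.
RANDOM_NAME = re.compile(r"^(?=.*\d)[a-z0-9]{6,8}\.exe$")


@dataclass
class Event:
    kind: str                    # "new" or "gone"
    pid: int
    ppid: int
    name: str
    parent_name: Optional[str]   # None when the parent is no longer in the snapshot


def diff_snapshots(before: List[Proc], after: List[Proc]) -> List[Event]:
    """Return processes that vanished or appeared between two snapshots."""
    before_by_pid: Dict[int, Proc] = {p[0]: p for p in before}
    after_by_pid: Dict[int, Proc] = {p[0]: p for p in after}
    events: List[Event] = []
    for pid, (_, ppid, name) in before_by_pid.items():
        if pid not in after_by_pid:
            events.append(Event("gone", pid, ppid, name, None))
    for pid, (_, ppid, name) in after_by_pid.items():
        if pid not in before_by_pid:
            parent = after_by_pid.get(ppid)
            # Windows keeps the stale parent PID after the parent exits, so a tree
            # viewer shows such a child as a root. PIDs are also reused, so a live
            # process found under that PID may not be the real creator; compare
            # process start times before trusting it.
            events.append(Event("new", pid, ppid, name, parent[2] if parent else None))
    return events


def likely_controllers(snapshots: List[List[Proc]]) -> Dict[str, int]:
    """Count which parent spawned each newly appeared random-named process."""
    tally: Counter = Counter()
    for before, after in zip(snapshots, snapshots[1:]):
        for ev in diff_snapshots(before, after):
            if ev.kind == "new" and RANDOM_NAME.match(ev.name):
                key = ev.parent_name or f"pid {ev.ppid} (already exited)"
                tally[key] += 1
    return dict(tally)


# Constructed snapshots (not real data): three polls about a second apart.
# "updater.exe" is a placeholder name for the hypothetical controlling process.
SNAPSHOTS: List[List[Proc]] = [
    [(4, 0, "System"), (600, 4, "services.exe"), (1200, 600, "svchost.exe"),
     (1500, 600, "updater.exe"), (2100, 1500, "gk5odre.exe")],
    [(4, 0, "System"), (600, 4, "services.exe"), (1200, 600, "svchost.exe"),
     (1500, 600, "updater.exe"), (2333, 1500, "xq9pla.exe")],
    [(4, 0, "System"), (600, 4, "services.exe"), (1200, 600, "svchost.exe"),
     (1500, 600, "updater.exe"), (2790, 1500, "gk5odre.exe"),
     (3000, 2900, "zz1abcd.exe")],
]

if __name__ == "__main__":
    for i, (before, after) in enumerate(zip(SNAPSHOTS, SNAPSHOTS[1:])):
        for ev in diff_snapshots(before, after):
            parent = ev.parent_name or f"pid {ev.ppid} (already exited)"
            print(f"poll {i}->{i + 1}: {ev.kind:4} pid {ev.pid} {ev.name} parent {parent}")
    print("likely controllers:", likely_controllers(SNAPSHOTS))
```

Polling at a one-second interval will miss a spawner that exits within milliseconds, which is why a log-based source such as the FileMon/RegMon traces suggested above, or process-creation auditing, is the more reliable complement: it records the creator at the moment of creation rather than at the next poll.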