Message-ID: <1111136366.15952.6.camel@firenze.zurich.ibm.com>
From: jeroen at unfix.org (Jeroen Massar)
Subject: Microsoft GhostBuster Opinions

On Thu, 2005-03-17 at 11:28 -0700, Dave King wrote:
>    Several months ago I came upon a research project some people at 
>Microsoft had been working on called Strider GhostBuster to help find 
>rootkits.  The original paper can be found here 
>http://research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=775 
>.  Basically what it comes down to is you flush the disks, then run "dir 
>/a /s" and send the output to a file.

On NTFS there is this very cool concept called 'Alternate Data
Streams' (*1); afaik "dir /a /s" does not include the file sizes of the
other streams. ADSs are, btw, mentioned in the paper, though only briefly
in the conclusion. Anyhow, if you log keystrokes into a file on the disk
and store them in a stream, nothing in the two outputs changes and you
won't be noticed by the diff.

Thus if you want to hide your stuff, stick it in an alternate stream as
you can stick executables in there and actually anything you want.
I wonder how many virus checkers support and check NTFS streams...

Greets,
 Jeroen

*1 = google "ntfs streams" 
 http://win32.mvps.org/ntfs/streams.html
 http://www.cknow.com/vtutor/vtntfsads.htm
etc...
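The point Jeroen makes above, shown in code. This is an added example, not part of the original post or of the GhostBuster paper: it writes data into an alternate stream of a file and shows that the size a normal listing reports (the unnamed data stream) does not change, while a stream-aware snapshot does. It assumes a Windows host, an NTFS volume under $env:TEMP, and PowerShell 3.0 or later (for Get-Item -Stream); the directory name, file name and stream name "keys" are chosen for this demo.

```powershell
# Added example (not from the original post): show that a plain directory
# listing reports only the unnamed data stream, and build a stream-aware
# snapshot whose diff does catch data hidden in an alternate stream.
# Assumptions: Windows, NTFS volume under $env:TEMP, PowerShell 3.0+.
# $Root, hidden.txt and the stream name 'keys' are names chosen for this demo.

$Root = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $Root -Force | Out-Null
$File = Join-Path $Root 'hidden.txt'

# Innocent-looking file with only its default (unnamed) data stream.
Set-Content -Path $File -Value 'innocent content'

function Get-StreamSnapshot {
    param([string]$Path)
    # One line per (file, stream, length), including the unnamed ':$DATA'
    # stream, so an added or grown alternate stream shows up in a diff.
    Get-ChildItem -Path $Path -Recurse -Force -File |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        ForEach-Object { '{0}:{1}:{2}' -f $_.FileName, $_.Stream, $_.Length } |
        Sort-Object
}

# Baseline: what a size-only listing sees, and what the stream-aware scan sees.
$sizeBefore     = (Get-Item -LiteralPath $File).Length
$snapshotBefore = Get-StreamSnapshot -Path $Root

# Simulate the keylogger from the post: append captured keystrokes to an
# alternate stream instead of the main file content.
Add-Content -Path $File -Stream 'keys' -Value ('typed: hunter2 ' * 20)

$sizeAfter     = (Get-Item -LiteralPath $File).Length
$snapshotAfter = Get-StreamSnapshot -Path $Root

"Size reported for the file before/after: $sizeBefore / $sizeAfter (unchanged)"

"=== stream-aware diff: the hidden.txt:keys stream appears ==="
Compare-Object -ReferenceObject $snapshotBefore -DifferenceObject $snapshotAfter |
    Format-Table -AutoSize

"=== all streams of the file ==="
Get-Item -LiteralPath $File -Stream * |
    Select-Object FileName, Stream, Length |
    Format-Table -AutoSize
```

On Windows Vista and later, `dir /r` also lists alternate streams and their sizes, so a GhostBuster-style listing can include them by adding that switch. Either way, both the inside-the-box listing and this snapshot go through the same file system API, so a kernel-level rootkit that filters stream enumeration hides from them equally; that is exactly why the paper compares an inside view against an outside (offline or cross-view) scan rather than trusting one listing.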

