Open Source and information security mailing list archives
Date: Sat, 13 Sep 2008 15:14:07 -0400
From: Mary and Glenn Everhart <Everhart@....com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Full-Disclosure Digest, Vol 43, Issue 20

>    5. Re: "Zero-day catcher" for Windows available for	sell
>       (Probably Shadowgamers)
>   
The guy who posted this did reveal much of what was needed to know.
Sounds like his premise is that any 0day will have to patch one or more kernel
modules, inside the code (to avoid being noticed). To do this they would likely
read the module headers. I presume there are only a few "normal" places where
such headers would be read, so reads from elsewhere might be possible
to trap. Sounds too like he (/she?) may be getting control on a timer basis; this
would need to be kept working to avoid the system very noticeably hanging.

There is probably some more but this sounds like some rootkits would be
picked up this way. If your kernel function searches through memory,
or perhaps follows trap vectors in the hardware, to figure where some target
is, it might avoid looking at PE headers but could have to work harder.

A more open discussion of the product's features and capabilities would 
however be preferable. We might all learn something (including the 
original poster). The method of description used suggests it could be an 
attempt at trapping some accesses but which may or may not be 
competently or even safely done. (I might also point out that talks at 
places like Blackhat and Defcon have been published which discuss 
malware that requires only a few bytes of data to be altered to change 
functions. These may not all be within PE headers.)

Whoever you are, "zerodaycatcher", how about some more technical discussion
here?

Glenn C. Everhart

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
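The two locating strategies Everhart contrasts above (walking the PE headers to the export table versus searching memory without touching the headers), plus the point that a patch of a few bytes in a function body lies outside any header, as an added worked example. This is not code from the poster or from the product under discussion. It builds a constructed, minimal PE32 image laid out flat in a byte array (RVA == offset), with two hypothetical exports whose names and bodies are made up for the example; the offsets are self-consistent with the PE format but chosen for this image only.

```c
/* Added example: locate a function in a loaded module two ways, then show
 * that a one-byte patch to its body is invisible to anything that only
 * watches header reads. The image is constructed here, not a real driver. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_SIZE 0x300

static void put16(uint8_t *m, uint32_t o, uint16_t v) { m[o] = v & 0xff; m[o + 1] = v >> 8; }
static void put32(uint8_t *m, uint32_t o, uint32_t v) { for (int i = 0; i < 4; i++) m[o + i] = (v >> (8 * i)) & 0xff; }
static uint16_t get16(const uint8_t *m, uint32_t o) { return (uint16_t)(m[o] | (m[o + 1] << 8)); }
static uint32_t get32(const uint8_t *m, uint32_t o) { uint32_t v = 0; for (int i = 0; i < 4; i++) v |= (uint32_t)m[o + i] << (8 * i); return v; }

/* Constructed x86 bodies: mov edi,edi; push ebp; mov ebp,esp; mov eax,imm32; ret */
static const uint8_t FUNC_A[] = { 0x8B,0xFF,0x55,0x8B,0xEC,0xB8,0x01,0x00,0x00,0x00,0xC3 };
static const uint8_t FUNC_B[] = { 0x8B,0xFF,0x55,0x8B,0xEC,0xB8,0x02,0x00,0x00,0x00,0xC3 };

/* Build the constructed PE32 image. Export names are hypothetical. */
void build_image(uint8_t *m) {
    memset(m, 0, IMG_SIZE);
    put16(m, 0x00, 0x5A4D);       /* e_magic "MZ" */
    put32(m, 0x3C, 0x40);         /* e_lfanew -> NT headers */
    put32(m, 0x40, 0x00004550);   /* "PE\0\0" */
    put16(m, 0x44, 0x014C);       /* FileHeader.Machine = i386 */
    put16(m, 0x46, 1);            /* FileHeader.NumberOfSections */
    put16(m, 0x54, 0xE0);         /* FileHeader.SizeOfOptionalHeader (PE32) */
    put16(m, 0x58, 0x010B);       /* OptionalHeader.Magic = PE32 */
    put32(m, 0xB8, 0x100);        /* DataDirectory[0] (export) RVA: 0x58 + 96 */
    put32(m, 0xBC, 0x60);         /* DataDirectory[0] size */
    /* IMAGE_EXPORT_DIRECTORY at 0x100 */
    put32(m, 0x114, 2);           /* NumberOfFunctions */
    put32(m, 0x118, 2);           /* NumberOfNames */
    put32(m, 0x11C, 0x140);       /* AddressOfFunctions */
    put32(m, 0x120, 0x150);       /* AddressOfNames */
    put32(m, 0x124, 0x158);       /* AddressOfNameOrdinals */
    put32(m, 0x140, 0x200); put32(m, 0x144, 0x220);   /* function RVAs */
    put32(m, 0x150, 0x160); put32(m, 0x154, 0x170);   /* name RVAs */
    put16(m, 0x158, 0);     put16(m, 0x15A, 1);       /* ordinals */
    strcpy((char *)m + 0x160, "NtOpenFile");          /* hypothetical names */
    strcpy((char *)m + 0x170, "NtClose");
    memcpy(m + 0x200, FUNC_A, sizeof FUNC_A);
    memcpy(m + 0x220, FUNC_B, sizeof FUNC_B);
}

/* Path 1: header walk. Every step reads PE header fields, the accesses a
 * monitor could watch for. Returns the export's RVA, or 0 if not found. */
uint32_t find_export_via_headers(const uint8_t *m, const char *name) {
    if (get16(m, 0) != 0x5A4D) return 0;
    uint32_t nt = get32(m, 0x3C);
    if (get32(m, nt) != 0x00004550) return 0;
    uint32_t opt = nt + 4 + 20;                       /* skip signature + FileHeader */
    if (get16(m, opt) != 0x010B) return 0;            /* PE32 only in this example */
    uint32_t exp = get32(m, opt + 96);
    if (exp == 0) return 0;
    uint32_t nnames = get32(m, exp + 24);
    uint32_t funcs = get32(m, exp + 28), names = get32(m, exp + 32), ords = get32(m, exp + 36);
    for (uint32_t i = 0; i < nnames; i++)
        if (strcmp((const char *)m + get32(m, names + 4 * i), name) == 0)
            return get32(m, funcs + 4 * get16(m, ords + 2 * i));
    return 0;
}

/* Path 2: signature scan. Never touches the headers, but walks the whole
 * image and needs a pattern specific enough to pick out one function.
 * mask[k] == 0 marks a wildcard byte. Returns first match offset, or 0. */
uint32_t find_by_signature(const uint8_t *m, uint32_t size,
                           const uint8_t *pat, const uint8_t *mask, uint32_t len) {
    for (uint32_t off = 0; off + len <= size; off++) {
        uint32_t k = 0;
        while (k < len && (mask[k] == 0 || m[off + k] == pat[k])) k++;
        if (k == len) return off;
    }
    return 0;
}

/* The bare prologue matches both functions, so it hits the first one. */
uint32_t locate_by_prologue(const uint8_t *m) {
    static const uint8_t pat[5] = { 0x8B,0xFF,0x55,0x8B,0xEC }, mask[5] = { 1,1,1,1,1 };
    return find_by_signature(m, IMG_SIZE, pat, mask, 5);
}

/* Including the immediate disambiguates NtClose with no header access. */
uint32_t locate_ntclose_by_signature(const uint8_t *m) {
    static const uint8_t pat[7] = { 0x8B,0xFF,0x55,0x8B,0xEC,0xB8,0x02 }, mask[7] = { 1,1,1,1,1,1,1 };
    return find_by_signature(m, IMG_SIZE, pat, mask, 7);
}

/* Checksum of a code range; a timer-driven checker could recompute it. */
uint32_t code_checksum(const uint8_t *m, uint32_t off, uint32_t len) {
    uint32_t sum = 0x12345678;
    for (uint32_t i = 0; i < len; i++) sum = sum * 33 + m[off + i];
    return sum;
}

/* One-byte patch to NtClose's body (return 3 instead of 2): no header is
 * read or written, yet the code checksum changes. Returns 1 if detected. */
int one_byte_patch_detected(void) {
    uint8_t img[IMG_SIZE];
    build_image(img);
    uint32_t before = code_checksum(img, 0x220, sizeof FUNC_B);
    img[0x226] = 0x03;
    return code_checksum(img, 0x220, sizeof FUNC_B) != before;
}

int main(void) {
    uint8_t img[IMG_SIZE];
    build_image(img);
    printf("NtClose via headers:   0x%x\n", find_export_via_headers(img, "NtClose"));
    printf("prologue scan hits:    0x%x\n", locate_by_prologue(img));
    printf("NtClose via signature: 0x%x\n", locate_ntclose_by_signature(img));
    printf("one-byte patch detected by checksum: %s\n", one_byte_patch_detected() ? "yes" : "no");
    return 0;
}
```

The header walk is cheap and exact but leaves a trail of reads through the DOS, NT and export structures; the signature scan leaves none, at the cost of touching every byte of the image and of needing a pattern that does not collide (the prologue alone lands on the wrong function). The checksum shows why a monitor keyed only to header accesses misses the case raised at the end of the message: the patch touches nothing a header-read trap would see.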
