| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <8EE2F8AA-D068-4977-AA17-FF8F61DB0A43@phocean.net> Date: Wed, 11 Jul 2012 22:42:42 +0200 From: phocean <0x90@...cean.net> To: full-disclosure@...ts.grok.org.uk Subject: suspicion of rootkit Hi list, I am having a strange issue. I have a lab virtual machine that behaves as if it was owned by a rootkit: weird behavior with system certificates and keyboard driver. I first thought that with this knowledge it would be easy to spot the culprit: find some malicious driver or some kernel hook. But I failed... The problem is I have tried both live and RAM analysis (Volatility) and found absolutely nothing unusual. I am not an expert of Windows internals, so I am probably missing something. Could you please give me some hint or point me to some resource? (I have the book Windows Internals, but still I don't see how to start with this mess). More details are on my blog. Thanks, --- phocean Content of type "text/html" skipped Download attachment "signature.asc" of type "application/pgp-signature" (842 bytes) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists