lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CANJpe10JigHmgpRoW8Mk5JJtO0EqTKd93PvtMYmRDZdNjLRAFA@mail.gmail.com>
Date: Sun, 20 Mar 2016 16:44:19 +0200
From: 0x3d5157636b525761 iddqd <0x3d5157636b525761@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] A novel persistent injection to Windows machines

A novel persistent injection to Windows machines:
- By abusing "Dos Devices" registry key, a user could redefine the "C:"
symlink to an arbitrary value.
- smss.exe, which is responsible for mapping Dos devices, later maps "known
DLLs" as sections. These DLLs are typically loaded from
"C:\Windows\System32" (e.g. kernel32.dll) and will henceforth be loaded to
any usermode process by the Windows loader.
- This means that a malicious kernel32 could be created and injected
automatically to any process, after boot.
- In order to not screw things up, the malicious kernel32 must remap "C:"
as the original symlink.

Blog post: http://securitygodmode.blogspot.com

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ