At 00.42 03/05/2002, you wrote: > > which, when run connects to an IRC server in Moscow, > > loads an > > auto-rooter with a list of servers to attack, and > > hides the processes > > from netstat, Program Manager, etc. It was pretty > > slick. >This is interesting. First off, neither netstat nor Program Manager show >process information, so hiding process info from them isn't tough. I'm >going to assume you mean Task Manager...but again, that's an API call to >hide a process from TM. unlikely. The Task Manager obtains the full process list directly from the kernel, then filters it depending on the user's settings (only processes in the current session, only my processes, etc.). You cannot absolutely hide from it like you did in Windows 95 with RegisterServiceProcess (that didn't hide processes at all, BTW, it was just the task manager that sucked), unless you crack it (like this rootkit does) or you intercept the system call NtQuerySystemInformation (the latter is extremely harder, but it takes care of any kind of process enumeration). An interesting all-kernel rootkit for Windows NT was available from rootkit.com some time ago, but the site has been dead for months now ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon May 06 2002 - 11:08:42 PDT