Oliver, > Here's a code snippet that injects code directly > into a running process > without the need for a DLL etc. Just for clarification...I'm trying to understand what you mean...you say "without the need for a DLL", but the code relys on three DLLs. > Demonstrates that process boundaries > under NT mean very little within the context of a > given UID. > > This allows PFWs to be bypassed, as well as making > it very easy to hide > running malicious code on a system. The example is a > 'sploit that makes a > connection from within IE, and slips under the radar > of all PFWs I've tested. How does this code conceptually and significantly differ from similar code that accesses IE as a COM server, and makes the same request? > Having briefly discussed this with PFW vendors, it > doesn't appear to be > much of a concern to them. I think it illustrates > that OpenProcess, > ptrace, and the like should really enforce > filesystem priviledges on the > processes they can modify. I think we're back to the old adage of running code on a system. For this to execute, thermite.exe will have to execute on the system...so once you get the code on the system, in many cases, it's all over with at that point. Perhaps that's the larger issue here. __________________________________________________ Do you Yahoo!? Yahoo! Tax Center - forms, calculators, tips, more http://taxes.yahoo.com/
This archive was generated by hypermail 2b30 : Fri Feb 21 2003 - 12:12:25 PST