
attack vector or just stupid?


BanMe
July 19th, 2009, 03:29
http://msdn.microsoft.com/en-us/library/ms793184.aspx

looking around vista and seeing how much modification I will need, I came across that while looking for my subsystem key..I found that, but this seems like a valid malware attack vector ..that could potentially load a driver from a website..looks fishy to me..hates vista more..lol

regards BanMe

disavowed
July 19th, 2009, 14:54
how could this usermode program (which doesn't come with windows, fwiw) load a driver from a website?
and fyi, tracepdb has been around long before vista.

BanMe
July 19th, 2009, 15:42
well that is a valid question..I'm not sure how I got the idea to load a driver from a website..but I bet it's possible in some way...

but one could use Driver PE infection (daMouse comes to mind, and Rustock) to hijack TraceDrv, knowing that "driver" developers use this tool in this fashion:

tracelog -start TestTracedrv -guid d58c126f-b309-11d1-969e-0000f875a5bc -f tracedrv.etl -flags 0x1

this should activate loading of the infected Driver..

admittedly not the easiest or the most reliable vector, but if you're in the machine and the user is logged on as Administrator this would be trivial to accomplish :d

I was up way too late last night, I think I just got stupid from lack of sleep..

here is the source for daMouse (Driverless Kernel mode rootkit)

http://www.rohitab.com/discuss/index.php?showtopic=28440&st=0

no source for Rustock (sorry)..

regards BanMe
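The concern in the post above is that the tracedrv.sys binary a developer loads with that tracelog command line could have been modified on disk. The check a defender would want before starting the session is an integrity check on that binary. The script below is an added example, not code from the thread or from Microsoft's tracelog/tracedrv samples; the driver path and the reference hash are placeholders (tracedrv.sys is built by the developer from the WDK sample, so its location and hash depend on your build).

```powershell
# Added example (not from the thread): verify the driver binary before starting
# the ETW session quoted in the post. Path and reference hash are placeholders.
$driverPath      = 'C:\Windows\System32\drivers\tracedrv.sys'   # assumed location; adjust to your build
$knownGoodSha256 = '<SHA256-OF-KNOWN-GOOD-TRACEDRV.SYS>'         # placeholder: record it from a trusted build

# Check 1: the Authenticode signature must still be valid. A PE-infected
# file fails this check unless the attacker re-signs it.
$sig = Get-AuthenticodeSignature -FilePath $driverPath
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature check failed for $driverPath : $($sig.Status)"
    return
}

# Check 2: the hash must match the copy you built and recorded. This catches
# a binary that was re-signed with a different (e.g. test) certificate.
$hash = (Get-FileHash -Path $driverPath -Algorithm SHA256).Hash
if ($hash -ne $knownGoodSha256) {
    Write-Warning "Hash mismatch for $driverPath (got $hash); binary may have been modified"
    return
}

# Both checks passed: start the trace session exactly as in the post.
tracelog -start TestTracedrv -guid d58c126f-b309-11d1-969e-0000f875a5bc -f tracedrv.etl -flags 0x1
```

The signature check alone is weak in a development setup, because a sample driver is usually signed with the developer's own test certificate, which an attacker with access to the box could reuse; comparing against a hash recorded from a trusted build is the check that actually detects the modification described above.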

disavowed
July 19th, 2009, 19:15
if a malware author already has their code running in kernel-mode on a victim's computer, why would they care about exploiting a usermode program like tracelog?