o0 user mode rootkit for the blind o0

January 10th, 2011, 13:05
Eh, it's not a rootkit but it sure has enough hooks o0.. good locations to look into. Attached is my rku list.

very nice code.

January 10th, 2011, 18:24
Wonder if there's a braille translation? :P

January 10th, 2011, 19:33
Actually, in most cases a blind person reading this would have a 'screen' reader, and if you're referring to the report as needing the translation, tools such as the PAC Mate by Freedom Scientific have dynamic braille displays as well, which update according to the line you're reading. Also other hardware like DAISY can interpret documents into braille and print them... :d

regards BanMe

January 11th, 2011, 13:38

Any mechanism that changes the code sections, calls syscalls directly, etc. cannot be named a rootkit.

January 11th, 2011, 13:52
It's not a 'rootkit', but the time investigating the hooks and coding them to be able to 'react' to a 'user's' location in real time, and have 'audio' to read what's going on. hmm?
Where you see the physical literal aspect of it, I see the variations and abstract uses.

January 11th, 2011, 14:25
hooks and coding them to be able to 'react' to a 'users' location in real time

For these purposes, there are advanced techniques such as IDP.

January 11th, 2011, 14:44
I mean the 'Window' (the word control comes to mind) location and current 'text' that is displayed by that control o0, you speak of code location. words.. damn them all ..

January 12th, 2011, 05:28
[1408]explorer.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CD3 [STSAH32.dll]
[1408]explorer.exe-->kernel32.dll+0x0000232D, Type: Inline - RelativeJump 0x7C80232D [STSAH32.dll]
[1408]explorer.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332 [kernel32.dll]
[1408]explorer.exe-->kernel32.dll-->ExitThread, Type: Inline - RelativeJump 0x7C80C068 [STSAH32.dll]
[1408]explorer.exe-->kernel32.dll+0x0001CF30, Type: Inline - RelativeJump 0x7C81CF30 [STSAH32.dll]
[1408]explorer.exe-->kernel32.dll-->WriteConsoleA, Type: Inline - RelativeJump 0x7C81CF35 [kernel32.dll]

Intercepting these functions through an inline patch or hot patch is the height of stupidity.
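
As an added example (not from the thread or from whoever wrote the tool that produced the list above), a small Python triage script that parses the quoted scanner lines. It assumes the hex value is the address of the patched instruction, the bracketed name is the module that owns the jump destination, and that a hot-patchable function entry is preceded by a 5-byte pad; on that basis it separates jumps into a foreign module from the short-jump-to-pad pairs a hot patch produces.

```python
import re
from dataclasses import dataclass

# Constructed copy of the scanner output quoted in the thread.
RKU_LOG = """\
[1408]explorer.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CD3 [STSAH32.dll]
[1408]explorer.exe-->kernel32.dll+0x0000232D, Type: Inline - RelativeJump 0x7C80232D [STSAH32.dll]
[1408]explorer.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332 [kernel32.dll]
[1408]explorer.exe-->kernel32.dll-->ExitThread, Type: Inline - RelativeJump 0x7C80C068 [STSAH32.dll]
[1408]explorer.exe-->kernel32.dll+0x0001CF30, Type: Inline - RelativeJump 0x7C81CF30 [STSAH32.dll]
[1408]explorer.exe-->kernel32.dll-->WriteConsoleA, Type: Inline - RelativeJump 0x7C81CF35 [kernel32.dll]
"""

# [pid]process-->module-->Symbol  or  [pid]process-->module+0xOFFSET, then type, address, [dest module]
LINE_RE = re.compile(
    r"\[(?P<pid>\d+)\](?P<proc>[^-]+)-->(?P<mod>[^-+]+)"
    r"(?:-->(?P<sym>\w+)|\+0x(?P<off>[0-9A-Fa-f]+)), Type: (?P<type>[^,]+?) "
    r"0x(?P<addr>[0-9A-Fa-f]+) \[(?P<dest>[^\]]+)\]"
)
HOTPATCH_PAD = 5  # assumed distance (bytes) from hot-patch pad to function entry

@dataclass
class Hook:
    pid: int
    process: str
    module: str    # module containing the patched bytes
    location: str  # exported name, or module+offset for unnamed sites
    addr: int      # assumed: address of the patched instruction
    dest: str      # assumed: module owning the jump destination

def parse_hooks(text):
    hooks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            loc = m["sym"] or f"{m['mod']}+0x{m['off']}"
            hooks.append(Hook(int(m["pid"]), m["proc"], m["mod"], loc, int(m["addr"], 16), m["dest"]))
    return hooks

def classify(hooks):
    """Map each hook location to a triage verdict string."""
    by_addr = {(h.module, h.addr): h for h in hooks}
    verdicts = {}
    for h in hooks:
        if h.dest.lower() != h.module.lower():
            verdicts[h.location] = f"foreign: jumps into {h.dest}"
        elif (pad := by_addr.get((h.module, h.addr - HOTPATCH_PAD))):
            # entry point short-jumps back to the pad, which then leaves the module
            verdicts[h.location] = f"hot-patch: short jump to pad {pad.location}, which jumps into {pad.dest}"
        else:
            verdicts[h.location] = "same-module: jump stays inside its own module"
    return verdicts
```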

January 12th, 2011, 18:36
I do agree.. The author(s) went a little overboard with hooks. But 'where and why' they chose to hook the 'other' locations is what I 'find' interesting.