
View Full Version : o0 user mode rootkit for the blind o0


BanMe
January 10th, 2011, 13:05
Eh, it's not a rootkit, but it sure has enough hooks o0.. good locations to look into. Attached is my RKU list.
http://www.satogo.com/en/

very nice code.

digdugg
January 10th, 2011, 18:24
Wonder if there's a braille translation? :P

BanMe
January 10th, 2011, 19:33
Actually, in most cases a blind person reading this would have a 'screen' reader, and if you're referring to the report as needing the translation, tools such as the PAC Mate by Freedom Scientific have dynamic braille displays as well, which update according to the line you're reading. Also other hardware like DAISY can interpret documents into braille and print them... :D

regards BanMe

Indy
January 11th, 2011, 13:38
Infancy.

Any mechanism that changes code sections, calls syscalls directly, etc. cannot be called a rootkit.

BanMe
January 11th, 2011, 13:52
It's not a 'rootkit', but the time spent investigating the hooks and coding them to be able to 'react' to a 'user's' location in real time, and having 'audio' to read what's going on. Hmm?
Where you see the physical, literal aspect of it, I see the variations and abstract uses.

Indy
January 11th, 2011, 14:25
BanMe
Quote:
hooks and coding them to be able to 'react' to a 'users' location in real time

For these purposes, there are advanced techniques such as IDP.

BanMe
January 11th, 2011, 14:44
I mean the 'Window' (the word control comes to mind) location and the current 'text' that is displayed by that control o0. You speak of code location. Words.. damn them all..

Indy
January 12th, 2011, 05:28
BanMe
Quote:
[1408]explorer.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CD3 [STSAH32.dll]
[1408]explorer.exe-->kernel32.dll+0x0000232D, Type: Inline - RelativeJump 0x7C80232D [STSAH32.dll]
[1408]explorer.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802332 [kernel32.dll]
[1408]explorer.exe-->kernel32.dll-->ExitThread, Type: Inline - RelativeJump 0x7C80C068 [STSAH32.dll]
[1408]explorer.exe-->kernel32.dll+0x0001CF30, Type: Inline - RelativeJump 0x7C81CF30 [STSAH32.dll]
[1408]explorer.exe-->kernel32.dll-->WriteConsoleA, Type: Inline - RelativeJump 0x7C81CF35 [kernel32.dll]
...

Intercepting these functions through an inline patch or hot patch is the height of stupidity.
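
The quoted RKU lines show two shapes of hook. The paired entries are five bytes apart (0x7C802332 - 0x7C80232D = 5, 0x7C81CF35 - 0x7C81CF30 = 5), which is consistent with hot patching: the 2-byte mov edi,edi at the export's entry is replaced with a short jump back into the 5-byte pad before the function, and the pad holds the long jump into STSAH32.dll, so RKU reports the entry jump as landing in kernel32.dll and the pad jump as landing in STSAH32.dll. The other entries (LdrLoadDll, ExitThread) are the classic E9 rel32 written straight over the prologue. The following is an added example, not code from this thread or from the Satogo product: a small 32-bit x86 classifier that tells the two shapes apart, resolves the final jump target, and checks whether that target stays inside the owning module. The module image, its base address (chosen to mirror the kernel32 base in the log) and all function offsets are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hook shapes seen in the RKU output above (x86, 32-bit VAs). */
typedef enum {
    HOOK_NONE,        /* intact hot-patchable prologue: 8B FF (mov edi,edi) */
    HOOK_INLINE_JMP,  /* E9 rel32 written over the first bytes of the function */
    HOOK_HOTPATCH,    /* EB F9 (jmp short -7) at entry, E9 rel32 in the 5-byte pad before it */
    HOOK_UNKNOWN      /* out of range, or a first instruction this example does not decode */
} hook_kind;

typedef struct {
    hook_kind kind;
    uint32_t  jump_site;        /* VA of the E9 that actually leaves the function */
    uint32_t  target;           /* VA that E9 lands on */
    int       target_in_module; /* 1 if target lies inside [base, base + len) */
} hook_info;

/* Little-endian helpers. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* E9 rel32: target = VA of the next instruction + rel32 (unsigned wrap == two's-complement add). */
static uint32_t jmp_rel32_target(const uint8_t *insn, uint32_t insn_va) {
    return insn_va + 5 + rd32(insn + 1);
}
static void write_jmp_rel32(uint8_t *insn, uint32_t insn_va, uint32_t target) {
    insn[0] = 0xE9;
    wr32(insn + 1, target - (insn_va + 5));
}

/* Classify the first instruction of the function at func_rva inside a module image. */
hook_info classify_entry(const uint8_t *image, size_t image_len, uint32_t base, uint32_t func_rva) {
    hook_info h = { HOOK_UNKNOWN, 0, 0, 0 };
    if ((size_t)func_rva + 5 > image_len) return h;
    const uint8_t *f = image + func_rva;
    uint32_t va = base + func_rva;

    if (f[0] == 0x8B && f[1] == 0xFF) {           /* mov edi,edi still in place */
        h.kind = HOOK_NONE;
        return h;
    }
    if (f[0] == 0xE9) {                            /* classic inline hook */
        h.kind = HOOK_INLINE_JMP;
        h.jump_site = va;
        h.target = jmp_rel32_target(f, va);
    } else if (f[0] == 0xEB && f[1] == 0xF9 && func_rva >= 5 && image[func_rva - 5] == 0xE9) {
        /* jmp short -7 from va+2 lands at va-5, the start of the pad; follow the E9 there */
        h.kind = HOOK_HOTPATCH;
        h.jump_site = va - 5;
        h.target = jmp_rel32_target(image + func_rva - 5, va - 5);
    } else {
        return h;
    }
    h.target_in_module = (h.target >= base) && ((size_t)(h.target - base) < image_len);
    return h;
}

/* Constructed module image for the example: base mirrors the kernel32 base in the quoted log. */
#define SAMPLE_BASE 0x7C800000u
#define SAMPLE_LEN  0x40u
enum { FN_CLEAN = 0x10, FN_HOTPATCHED = 0x20, FN_INLINE = 0x30, FN_LOCAL = 0x38 };
static uint8_t sample_image[SAMPLE_LEN];

const uint8_t *build_sample_image(void) {
    static const uint8_t prologue[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC }; /* mov edi,edi; push ebp; mov ebp,esp */
    memset(sample_image, 0x90, sizeof sample_image);                    /* NOP filler (constructed) */
    memcpy(sample_image + FN_CLEAN, prologue, 5);                        /* untouched export */
    /* hot patch: long jump in the pad before the function, jmp short -7 at the entry */
    write_jmp_rel32(sample_image + FN_HOTPATCHED - 5, SAMPLE_BASE + FN_HOTPATCHED - 5, 0x10001000u);
    sample_image[FN_HOTPATCHED] = 0xEB; sample_image[FN_HOTPATCHED + 1] = 0xF9;
    memcpy(sample_image + FN_HOTPATCHED + 2, prologue + 2, 3);
    /* classic inline hook straight over the prologue, target outside the module */
    write_jmp_rel32(sample_image + FN_INLINE, SAMPLE_BASE + FN_INLINE, 0x10002000u);
    /* inline jump that stays inside the module (e.g. a compiler thunk), not a foreign hook */
    write_jmp_rel32(sample_image + FN_LOCAL, SAMPLE_BASE + FN_LOCAL, SAMPLE_BASE + FN_CLEAN);
    return sample_image;
}

hook_info classify_sample(uint32_t func_rva) {
    return classify_entry(build_sample_image(), SAMPLE_LEN, SAMPLE_BASE, func_rva);
}

int main(void) {
    static const char *names[] = { "none", "inline jmp", "hot patch", "unknown" };
    uint32_t rvas[] = { FN_CLEAN, FN_HOTPATCHED, FN_INLINE, FN_LOCAL };
    for (size_t i = 0; i < 4; i++) {
        hook_info h = classify_sample(rvas[i]);
        printf("rva 0x%02lx: %-10s site 0x%08lx -> 0x%08lx %s\n", (unsigned long)rvas[i], names[h.kind],
               (unsigned long)h.jump_site, (unsigned long)h.target,
               h.kind == HOOK_NONE ? "" : (h.target_in_module ? "[same module]" : "[foreign module]"));
    }
    return 0;
}
```

A real scanner would read the bytes with ReadProcessMemory rather than from a local buffer, walk the export table for the entry RVAs, and resolve the final target to a module name the way RKU prints it in brackets; the decoding and the in-module check are the part that does not change.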

BanMe
January 12th, 2011, 18:36
I do agree.. The author(s) went a little overboard with hooks. But 'where and why' they chose to hook the 'other' locations is what I 'find' interesting.