
Thread: attack vector or just stupid?

  1. #1
    BanMe (Join Date: Oct 2008; Location: Farmington NH; Posts: 510; Blog Entries: 4)

    attack vector or just stupid?

    http://msdn.microsoft.com/en-us/library/ms793184.aspx

    Looking around Vista and seeing how much modification I will need, I came across that while looking for my subsystem key. I found that, but this seems like a valid malware attack vector that could potentially load a driver from a website. Looks fishy to me. Hates Vista more, lol.

    regards BanMe
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  2. #2
    disavowed (Join Date: Apr 2002; Posts: 1,281)

    How could this usermode program (which doesn't come with Windows, fwiw) load a driver from a website?
    And FYI, tracepdb has been around since long before Vista.

  3. #3
    BanMe (Join Date: Oct 2008; Location: Farmington NH; Posts: 510; Blog Entries: 4)

    Well, that is a valid question. I'm not sure how I got the idea to load a driver from a website, but I bet it's possible in some way...

    But one could use driver PE infection (daMouse comes to mind, and Rustock) to hijack TraceDrv, knowing that "driver" developers use this tool in this fashion:

    tracelog -start TestTracedrv -guid d58c126f-b309-11d1-969e-0000f875a5bc -f tracedrv.etl -flags 0x1

    This should activate loading of the infected driver.

    Admittedly not the easiest or the most reliable vector, but if you're in the machine and the user is logged on as Administrator, this would be trivial to accomplish :d

    I was up way too late last night; I think I just got stupid from lack of sleep.

    Here is the source for daMouse (driverless kernel-mode rootkit):

    http://www.rohitab.com/discuss/index.php?showtopic=28440&st=0

    No source for Rustock (sorry).

    regards BanMe
    Last edited by BanMe; July 19th, 2009 at 15:52.
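    A defensive counterpart to the scenario in this post, added here as an example and not code from the thread or from the WDK: before starting the tracelog session, verify that the tracedrv.sys binary on disk still carries a valid Authenticode signature and still matches a hash recorded from a trusted build. The driver path and the expected hash are placeholders the reader supplies; Get-AuthenticodeSignature and Get-FileHash are standard PowerShell cmdlets.

```powershell
# Added example (not from the thread): integrity check for a driver binary
# before a tracelog session. $DriverPath and $ExpectedSha256 are assumptions
# supplied by the reader; the hash below is a placeholder, not a real value.
function Test-DriverIntegrity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DriverPath,
        [string] $ExpectedSha256   # optional known-good SHA-256 from a trusted build
    )

    if (-not (Test-Path -LiteralPath $DriverPath)) {
        return [pscustomobject]@{
            Path = $DriverPath; SignatureStatus = 'FileMissing'
            Signer = $null; Sha256 = $null; HashMatches = $null; Ok = $false
        }
    }

    # Authenticode status: 'Valid' means the signature chains to a trusted root.
    $sig  = Get-AuthenticodeSignature -FilePath $DriverPath
    # Current on-disk hash; a PE-infected file will not match the recorded one.
    $hash = (Get-FileHash -LiteralPath $DriverPath -Algorithm SHA256).Hash

    $hashOk = $null
    if ($ExpectedSha256) { $hashOk = ($hash -ieq $ExpectedSha256) }

    # Pass only if the signature is valid and the hash (when given) matches.
    $ok = ($sig.Status -eq 'Valid') -and ($hashOk -ne $false)

    [pscustomobject]@{
        Path            = $DriverPath
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        Sha256          = $hash
        HashMatches     = $hashOk
        Ok              = $ok
    }
}

# Usage: refuse to start the session unless the check passes.
$check = Test-DriverIntegrity -DriverPath 'C:\path\to\tracedrv.sys' `
                              -ExpectedSha256 '<KNOWN-GOOD-SHA256-PLACEHOLDER>'
$check | Format-List
if (-not $check.Ok) {
    Write-Warning "tracedrv.sys failed the integrity check; not starting the trace session."
} else {
    tracelog -start TestTracedrv -guid d58c126f-b309-11d1-969e-0000f875a5bc -f tracedrv.etl -flags 0x1
}
```

    The hash comparison is the part that catches the infection described above: a test-signed or unsigned sample driver will report a non-Valid signature status anyway, so on a development box the recorded SHA-256 is the meaningful control, and it has to be captured from the build output before the machine is exposed.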

  4. #4
    disavowed (Join Date: Apr 2002; Posts: 1,281)

    If a malware author already has their code running in kernel mode on a victim's computer, why would they care about exploiting a usermode program like tracelog?
