|
Posted by Geoff on June 30, 2008, 9:50 pm
If you were Registered and logged in, you could reply and use other advanced thread options
>
>
>| Well, if you have specific info I'd like to see it. If it has a PID, it can
>| be seen. Rootkit Revealer found it. Not sure if Mark was using PE at the
>| same time when he found the Sony rootkit.
>
>| As for ADS, a process is not a file,to which part of PE are you referring
>| to about hiding a process in an ADS?
>
>This is an area where I fall off the ledge. I still have much to learn.
However it is my
>understanding the following are used to hide processes...
>
>ZwCreateThread
>ZwOpenProcess
>ZwOpenThread
>ZwTerminateProcess
>ZwWriteVirtualMemory
>
>The PID would be hidden from normal scrutiny and thus NOT shown in Process
Explorer.
>
>You are correct in that ADS refers to how a file is stored and not a process.
However,
>you can not tell from Process Explorer if a file is executed from an Alternate
Data
>Stream. SVCHOST.EXE executed as an ADS is most certainly malware.
Yes, kernel mode functions can get you places, but I am googling for how a
PID can be hidden and have not found it yet. It was my understanding that
PE used a KM technique to make it difficult for KM processes to hide from
it but I could be wrong. One of the first examples I found in a google
search for ZwOpenProcess had a sample that resisted process info probes
from PE but was not invisible to it.
ADS had to be one of the worst ideas ever. I still encounter ADS stripping
messages when I copy files from my company laptop to non-ntfs media.
Corporate IT insisted on using CA Antivirus and it tagged every file with
an ADS signature. What a waste.
| 
XML site map