Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Microsoft GhostBuster Opionions

From: Jeroen Massar <jeroen () unfix org>
Date: Fri, 18 Mar 2005 09:59:26 +0100
On Thu, 2005-03-17 at 11:28 -0700, Dave King wrote:

   Several months ago I came upon a research project some people at 
Microsoft had been working on called Strider GhostBuster to help find 
rootkits.  The original paper can be found here 
http://research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=775 
.  Basically what it comes down to is you flush the disks, then run "dir 
/a /s" and send the output to a file.


On NTFS there is this very cool concept called 'Alternate Data
Streams'(*1), afaik "dir /a /s" does not include the filesizes of the
other streams. ADS's are btw mentioned in the paper though only shortly
in the conclusion. Anyhow if you log keystrokes into a file on the disk,
store them in a stream and nothing in the two outputs changes and you
won't be noticed by the diff.

Thus if you want to hide your stuff, stick it in an alternate stream as
you can stick executables in there and actually anything you want.
I wonder how many virus checkers support and chek NTFS streams...

Greets,
 Jeroen

*1 = google "ntfs streams" 
 http://win32.mvps.org/ntfs/streams.html
 http://www.cknow.com/vtutor/vtntfsads.htm
etc...

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: