funsec mailing list archives

Re: "Vista DRM could hide malware" (ZD Net)


From: "C Q" <kyle.c.quest () gmail com>
Date: Thu, 12 Apr 2007 20:43:00 -0400

We talked about that a bit in the "Vista Protected Bypassed" thread where I
gave an overview of what it does and how (I accidentally deleted a couple of
lines in my description when I talked about how that program extracted its
driver... it's not just a decompress call... there are also calls to
CreateFile, WriteFile, and CloseHandle, of course). But the bottom line is
that that driver gets a pointer to a protected process EPROCESS structure
and then clears the "ProtectedProcess" flag. You can do the opposite... your
driver can set the "ProtectedProcess" flag on for your processes...

Just to make it clear... the released program would only work on the 32-bit
version of Vista. Alex claims to have a version that would also work on the
64-bit version of Vista where driver signing is supposed to be enforced to
prevent unauthorized kernel code. It looks like he found a hole during the
booting process or something like that to trick Vista into thinking that
everything is good.


Kyle

On 4/12/07, Paul Vixie <paul () vix com> wrote:

A security researcher has released a proof-of-concept program that hackers
could use to exploit Windows Vista digital rights management processes to
hide malware.

Alex Ionescu claims to have developed the program -- D-Pin Purr v1.0 -- that
will arbitrarily enable and disable protected processes in Vista, Microsoft's
latest operating system.

...

http://news.zdnet.co.uk/security/0,1000000189,39286677,00.htm
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
