funsec mailing list archives
Re: "Vista DRM could hide malware" (ZD Net)
From: "C Q" <kyle.c.quest () gmail com>
Date: Thu, 12 Apr 2007 20:43:00 -0400
We talked about that a bit in the "Vista Protected Bypassed" thread where I gave an overview of what it does and how (I accidentally deleted a couple of lines in my description when I talked about how that program extracted its driver... it's not just a decompress call... there are also calls to CreateFile, WriteFile, and CloseHandle, of course). But the bottom line is that that driver gets a pointer to a protected process EPROCESS structure and then clears the "ProtectedProcess" flag. You can do the opposite... your driver can set the "ProtectedProcess" flag on for your processes...

Just to make it clear... the released program would only work on the 32-bit version of Vista. Alex claims to have a version that would also work on the 64-bit version of Vista where driver signing is supposed to be enforced to prevent unauthorized kernel code. It looks like he found a hole during the booting process or something like that to trick Vista into thinking that everything is good.

Kyle

On 4/12/07, Paul Vixie <paul () vix com> wrote:
A security researcher has released a proof-of-concept program that hackers could use to exploit Windows Vista digital rights management processes to hide malware. Alex Ionescu claims to have developed the program -- D-Pin Purr v1.0 -- that will arbitrarily enable and disable protected processes in Vista, Microsoft's latest operating system. ...

http://news.zdnet.co.uk/security/0,1000000189,39286677,00.htm

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- "Vista DRM could hide malware" (ZD Net) Paul Vixie (Apr 12)
- Re: "Vista DRM could hide malware" (ZD Net) C Q (Apr 12)