Vulnerability Development mailing list archives

Re: BACKSTEALTH reverse engineered


From: Shaun Clowes <shaun () securereality com au>
Date: Sat, 04 May 2002 12:29:51 +1000


> I've reverse engineered the backstealth program that's been going around,
> with the original info found at
> http://piorio.supereva.it/backstealth.htm?p

Just in case you're interested, the general technique you've reversed here is
very popular and well known. It's usually referred to as 'injecting a dll' and
was first documented by Jeffrey Richter in a 1994 Windows System Journal
article. His original source code (InjLib) is still around but a number of
(open and closed source) tools use it, e.g. fport and pwdump. As you've found,
the ability to have code executed in the context of another process is very
useful and many security schemes can be subverted this way (hell, when you
think about it, kernel backdoors and viruses are really just souped up forms of
this).

Incidentally, injectso does pretty much the same thing on Solaris and
Linux systems.

Cheers,
Shaun
