Steve (I know your IP address), Consultant
Yorba Linda, CA
reply to jvmorris

Re: Analysis of Backstealth technology

-- How big is BackStealth.exe? 58,368 bytes
-- How big is BackDLL.dll? 55,808 bytes
quote: I'm looking at the disassembled code, not strings in the binary: this is all it looks for. But in general, it's not in concept looking for "firewall processes" as it is "processes known to be trusted". My guess is that it could inject itself into IE with the same ease - most of the time IE is trusted as well, and this hidden worker thread would not likely go through all the security setup imposed by the browser.
Re FindWindow(), now are you saying you KNOW it only searches for these signature windows or are you assuming that?
quote: This is true in any case. On an operating system with no real hardware protection of memory (as you have on the Win 9x/ME), there is next to nothing you can do to keep really mal-intentioned code from behaving badly. It may be a lot of work, but once bad code gets the CPU, you're finished.
Re AdjustTokenPrivileges(), effectively Win 9x/ME users would consequently have no protection against this call (assuming it works on those OSs).
Edit: - typos
Stephen J. Friedl Security Consultant Tustin, California USA »www.unixwiz.net
[text was edited by author 2002-05-02 14:44:07]