echo: osdebate
to: Geo
from: Rich
date: 2006-08-04 20:02:12
subject: Re: Bad developers whine over Windows kernel security

   Then it's not kernel mode and not relevant.  Unlikely it patched
explorer.  More likely it created a thread in the explorer process which
ran its code within the existing process.  This only obscures the trojan.
 It doesn't hide the presence of the trojan on disk or in memory.

Rich
  "Geo"  wrote in message
news:44d3e18f$1{at}w3.nls.net...
  The one I remember reading the writeup on, patched explorer to hide.

  Geo.
    "Rich"  wrote in message news:44d34e36$1{at}w3.nls.net...
       Not that I can think of.  The ones I know of patch the kernel to
intercept APIs, for which they then return incorrect or filtered results.

    Rich
      "Geo"  wrote in message news:44d2c0b8$2{at}w3.nls.net...
      Don't some of the rootkits use an API to hide themselves?

      Geo.
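The distinction Rich draws above (a thread injected into explorer versus a kernel patch that filters API results) is something a defender can check for directly. The script below is an added example, not part of the thread, and assumes a Windows host where explorer.exe is running and PowerShell has the same bitness and user context as that process (otherwise the module list is not readable). It lists every thread in explorer whose start address does not fall inside any module the process has loaded, which is the footprint an injected thread of the kind Rich describes leaves behind in memory.

```powershell
# Added example (not from the thread): report explorer.exe threads whose
# start address is not backed by any loaded module.
# Assumes: Windows, explorer.exe running, PowerShell of the same bitness
# and user as explorer so that $proc.Modules can be enumerated.
$proc = Get-Process -Name explorer -ErrorAction Stop | Select-Object -First 1

# Build [Start, End) address ranges for every module loaded in the process.
$ranges = foreach ($m in $proc.Modules) {
    [pscustomobject]@{
        Name  = $m.ModuleName
        Start = $m.BaseAddress.ToInt64()
        End   = $m.BaseAddress.ToInt64() + [int64]$m.ModuleMemorySize
    }
}

# Return the module name that contains $Address, or $null if none does.
function Find-ModuleForAddress {
    param([int64]$Address)
    foreach ($r in $ranges) {
        if ($Address -ge $r.Start -and $Address -lt $r.End) { return $r.Name }
    }
    return $null
}

# One row per thread; a missing module means the thread started in memory
# that no image on disk accounts for.
$report = foreach ($t in $proc.Threads) {
    $addr  = $t.StartAddress.ToInt64()
    $owner = Find-ModuleForAddress -Address $addr
    [pscustomobject]@{
        ThreadId     = $t.Id
        StartAddress = ('0x{0:X}' -f $addr)
        Module       = if ($owner) { $owner } else { '<no backing module>' }
    }
}

$report | Sort-Object Module | Format-Table -AutoSize
```

A thread with no backing module is a lead, not a verdict: JIT-compiled code and some legitimate hooking products also start threads in unbacked memory, so the next step is to dump that region and compare it against what is on disk. The check also only holds for the user-mode case in the thread; a kernel patch that filters API results, the case Rich separates out as the real "kernel mode" one, can lie to this very enumeration, which is why the reply treats the two so differently.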

* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
