| View previous topic :: View next topic |
| Author |
Message |
SKAN
Joined: 26 Dec 2005
Posts: 5574
|
 Posted: Mon Aug 13, 2007 8:02 am Post subject: |
 |
|
| Sean wrote: | | Where did you perform the scan from? |
E:\ XP! All the partitions are FAT32 and so all files are accessible in all OS.
 |
|
| Back to top |
|
 |
Sean
Joined: 12 Feb 2007
Posts: 1240
|
| Posted: Mon Aug 13, 2007 8:33 am Post subject: |
|
|
| corrupt wrote: | | I may have missed a detail somewhere but, out of curiosity, why would you guess D:\ when the screenshot posted looks like it's from XP? |
There wasn't any particular reason. It was just a consequence of the assumption that RKR behaved correctly. And, I didn't pay attention to the window's frame. |
|
| Back to top |
|
|
Sean
Joined: 12 Feb 2007
Posts: 1240
|
| Posted: Mon Aug 13, 2007 8:40 am Post subject: |
|
|
| Skan wrote: | | E:\ XP! All the partitions are FAT32 and so all files are accessible in all OS. |
OK, looks like there really is a glitch in RKR. I found two threads on it, one for FAT and one for NTFS.
Could you upload a (partition) boot sector of E: ? You can obtain it using FileHelper.ahk:
http://www.autohotkey.com/forum/topic19608.html
| Code: | #Include FileHelper.ahk
If !(1 + hVol := CreateFile("\\.\E:", 3, 0x80000000, 3)) || !(1 + hFile := CreateFile(A_ScriptDir . "\pbs.bin", 2))
ExitApp
VarSetCapacity(PBS, 512)
ReadFile( hVol, &PBS, 512)
WriteFile(hFile, &PBS, 512)
CloseHandle(hVol)
CloseHandle(hFile)
|
|
|
| Back to top |
|
|
SKAN
Joined: 26 Dec 2005
Posts: 5574
|
| Posted: Mon Aug 13, 2007 9:24 am Post subject: |
|
|
| Sean wrote: | | Could you upload a (partition) boot sector of E: ? You can obtain it using FileHelper.ahk: |
Here: pbs.bin
Thanks for your efforts Sean.  |
|
| Back to top |
|
|
Sean
Joined: 12 Feb 2007
Posts: 1240
|
| Posted: Mon Aug 13, 2007 10:19 am Post subject: |
|
|
Oops, not here, obviously I'm not the author of RKR.
But thanks for the PBS anyway, it was interesting.
I forgot to post the link, sorry.
http://forum.sysinternals.com/forum_posts.asp?TID=5279
BTW, if D: is also FAT32 and could be detected by RKR, might try to compare the PBSs of D: and E: and tweak that of E: accordingly to that of D:, but there exists a risk with that of course. |
|
| Back to top |
|
|
SKAN
Joined: 26 Dec 2005
Posts: 5574
|
| Posted: Mon Aug 13, 2007 2:36 pm Post subject: |
|
|
| Sean wrote: | | Oops, not here, obviously I'm not the author of RKR. |
Sorry!  |
|
| Back to top |
|
|
widow
Guest
|
| Posted: Tue Apr 15, 2008 2:26 am Post subject: Re: Spyware DLL ? |
|
|
| SKAN wrote: |
Can anybody throw some light on what this DLL could be ?.. and whether it is safe ?
Regards. |
I can not guarantee for 100% because there some assembler code i didnt follow. I took alook in 15m in assembler mode and it doesnt seems like a mal/spy ware to me. I have seem alot of them.
No weird func's/modules and it isnt crypted either.
But safe i dont know, there is probably some bugs worst case schenario is like your parent+the process you hiding hungs. |
|
| Back to top |
|
|
m^2
Joined: 28 Feb 2008
Posts: 40
Location: Krk, PL
|
| Posted: Tue Apr 15, 2008 7:46 am Post subject: Re: Spyware DLL ? |
|
|
| widow wrote: | | SKAN wrote: |
Can anybody throw some light on what this DLL could be ?.. and whether it is safe ?
Regards. |
I can not guarantee for 100% because there some assembler code i didnt follow. I took alook in 15m in assembler mode and it doesnt seems like a mal/spy ware to me. I have seem alot of them.
No weird func's/modules and it isnt crypted either.
But safe i dont know, there is probably some bugs worst case schenario is like your parent+the process you hiding hungs. |
Nope. The worst case is another process crash. Does anybody here have Thinstall? I guess that Thinstalled programs may have problems.
I wonder how does it work...did anybody find out? Quick look:
1. It's not the codeproject thing, because it cheats all processes, not only Windows Task Manager.
2. Rootkit Unhooker finds such process, but marks as visible, so it's not detached from processes list.
3. It injects itself to all processes.
4. No code hooks.
I have to spend more time on it later.
_________________
Waiting for Windows 8...
Last edited by m^2 on Tue Apr 15, 2008 8:15 am; edited 1 time in total |
|
| Back to top |
|
|
Guest
|
| Posted: Tue Apr 15, 2008 8:13 am Post subject: Re: Spyware DLL ? |
|
|
| m^2 wrote: |
Nope. The worst case is another process crash. Does anybody here have Thinstall? I guess that Thinstalled programs may have problems. |
Not if you dont do anything wrong with the parameters to the dll from the script, and even then its a long shot. |
|
| Back to top |
|
|
m^2
Joined: 28 Feb 2008
Posts: 40
Location: Krk, PL
|
| Posted: Tue Apr 15, 2008 8:18 am Post subject: Re: Spyware DLL ? |
|
|
| Anonymous wrote: | | m^2 wrote: |
Nope. The worst case is another process crash. Does anybody here have Thinstall? I guess that Thinstalled programs may have problems. |
Not if you dont do anything wrong with the parameters to the dll from the script, and even then its a long shot. |
It injects itself to all processes, so if it's buggy, it can crash anyone.
_________________
Waiting for Windows 8... |
|
| Back to top |
|
|
Guest
|
| Posted: Tue Apr 15, 2008 8:23 am Post subject: Re: Spyware DLL ? |
|
|
| m^2 wrote: | | Anonymous wrote: | | m^2 wrote: |
Nope. The worst case is another process crash. Does anybody here have Thinstall? I guess that Thinstalled programs may have problems. |
Not if you dont do anything wrong with the parameters to the dll from the script, and even then its a long shot. |
It injects itself to all processes, so if it's buggy, it can crash anyone. |
missed that. obv you right if its true |
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Register
Profile
Log in to check your private messages
Log in
