Which processes are legitimate?

David H. Lipman

Guest
From: "Geoff" <geoff@invalid.invalid>

| Well, if you have specific info I'd like to see it. If it has a PID, it can

| be seen. Rootkit Revealer found it. Not sure if Mark was using PE at the

| same time when he found the Sony rootkit.

| As for ADS, a process is not a file, to which part of PE are you referring

| to about hiding a process in an ADS?

This is an area where I fall off the ledge. I still have much to learn. However it is my

understanding the following are used to hide processes...

ZwCreateThread

ZwOpenProcess

ZwOpenThread

ZwTerminateProcess

ZwWriteVirtualMemory

The PID would be hidden from normal scrutiny and thus NOT shown in Process Explorer.

You are correct in that ADS refers to how a file is stored and not a process. However,

you can not tell from Process Explorer if a file is executed from an Alternate Data

Stream. SVCHOST.EXE executed as an ADS is most certainly malware.

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
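Dave's point that a process tool does not by itself reveal whether an image was started out of an alternate data stream is something a defender can check from the image path. The following is an added example, not code from this thread or from Process Explorer: it splits a Windows image path into host file and stream name (taking care not to treat the drive letter's colon as a stream separator), flags processes whose image lives in a named stream, and, on Windows only, enumerates a file's streams through the real Win32 FindFirstStreamW/FindNextStreamW calls. SAMPLE_PROCESSES is constructed sample data.

```python
"""Spot executables launched from an NTFS alternate data stream.

Added example, not code from the thread. SAMPLE_PROCESSES is constructed
sample data; list_streams() calls the real Win32 FindFirstStreamW /
FindNextStreamW APIs and therefore only works on Windows.
"""
import ctypes
import re
from typing import List, Tuple

_DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


def split_ads(image_path: str) -> Tuple[str, str]:
    """Split 'file:stream[:$DATA]' into (file_path, stream_name).

    Only the last path component is inspected, so a drive letter's colon
    ("C:") is never mistaken for a stream separator. stream_name is ''
    when the path names the default, unnamed data stream.
    """
    head, sep, last = image_path.rpartition("\\")
    prefix = head + sep
    if not sep and _DRIVE_PREFIX.match(last):
        # drive-relative form such as "C:foo.exe": the first colon is the drive
        prefix, last = last[:2], last[2:]
    if ":" not in last:
        return image_path, ""
    name, stream = last.split(":", 1)
    if stream.upper().endswith(":$DATA"):       # explicit stream type suffix
        stream = stream[: -len(":$DATA")]
    return prefix + name, stream


def flag_ads_processes(processes: List[Tuple[int, str, str]]) -> List[Tuple[int, str, str]]:
    """Return (pid, host_file, stream_name) for each process whose image
    path points into a named stream. The process name alone (svchost.exe)
    proves nothing; where the image was loaded from is what matters."""
    findings = []
    for pid, _name, image_path in processes:
        host, stream = split_ads(image_path)
        if stream:
            findings.append((pid, host, stream))
    return findings


def list_streams(path: str) -> List[Tuple[str, int]]:
    """Enumerate a file's data streams as (name, size), e.g.
    [('::$DATA', 1234), (':svchost.exe:$DATA', 90112)]. Windows/NTFS only."""
    from ctypes import wintypes  # imported here so the module loads elsewhere

    class FIND_STREAM_DATA(ctypes.Structure):       # WIN32_FIND_STREAM_DATA
        _fields_ = [("StreamSize", wintypes.LARGE_INTEGER),
                    ("cStreamName", wintypes.WCHAR * (wintypes.MAX_PATH + 36))]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = wintypes.HANDLE
    k32.FindFirstStreamW.argtypes = [wintypes.LPCWSTR, ctypes.c_int,
                                     ctypes.c_void_p, wintypes.DWORD]
    k32.FindNextStreamW.restype = wintypes.BOOL
    k32.FindNextStreamW.argtypes = [wintypes.HANDLE, ctypes.c_void_p]
    k32.FindClose.argtypes = [wintypes.HANDLE]

    data = FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle is None or handle == wintypes.HANDLE(-1).value:     # INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break   # ERROR_HANDLE_EOF: no more streams
    finally:
        k32.FindClose(handle)
    return streams


# Constructed sample: what a process enumerator might report.
SAMPLE_PROCESSES = [
    (1044, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (2312, "svchost.exe", r"C:\Users\Public\readme.txt:svchost.exe"),
    (3001, "updater.exe", r"C:\ProgramData\host.dat:updater.exe:$DATA"),
]

if __name__ == "__main__":
    for pid, host, stream in flag_ads_processes(SAMPLE_PROCESSES):
        print(f"PID {pid}: image is stream '{stream}' of {host}")
```

Feed flag_ads_processes() whatever your process enumerator reports as the image path, then confirm a hit with list_streams() on the host file; a legitimate file usually shows only the unnamed `::$DATA` stream.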

 
Geoff

Guest
On Mon, 30 Jun 2008 20:11:32 -0400, "David H. Lipman"

<DLipman~nospam~@Verizon.Net> wrote:

>From: "Geoff" <geoff@invalid.invalid>

>

>

>| Well, if you have specific info I'd like to see it. If it has a PID, it can

>| be seen. Rootkit Revealer found it. Not sure if Mark was using PE at the

>| same time when he found the Sony rootkit.

>

>| As for ADS, a process is not a file, to which part of PE are you referring

>| to about hiding a process in an ADS?

>

>This is an area where I fall off the ledge. I still have much to learn. However it is my

>understanding the following are used to hide processes...

>

>ZwCreateThread

>ZwOpenProcess

>ZwOpenThread

>ZwTerminateProcess

>ZwWriteVirtualMemory

>

>The PID would be hidden from normal scrutiny and thus NOT shown in Process Explorer.

>

>You are correct in that ADS refers to how a file is stored and not a process. However,

>you can not tell from Process Explorer if a file is executed from an Alternate Data

>Stream. SVCHOST.EXE executed as an ADS is most certainly malware.

Yes, kernel mode functions can get you places, but I am googling for how a

PID can be hidden and have not found it yet. It was my understanding that

PE used a KM technique to make it difficult for KM processes to hide from

it but I could be wrong. One of the first examples I found in a google

search for ZwOpenProcess had a sample that resisted process info probes

from PE but was not invisible to it.

ADS had to be one of the worst ideas ever. I still encounter ADS stripping

messages when I copy files from my company laptop to non-ntfs media.

Corporate IT insisted on using CA Antivirus and it tagged every file with

an ADS signature. What a waste.

 
David H. Lipman

Guest
From: "Geoff" <geoff@invalid.invalid>

< snip >

| Yes, kernel mode functions can get you places, but I am googling for how a

| PID can be hidden and have not found it yet. It was my understanding that

| PE used a KM technique to make it difficult for KM processes to hide from

| it but I could be wrong. One of the first examples I found in a google

| search for ZwOpenProcess had a sample that resisted process info probes

| from PE but was not invisible to it.

| ADS had to be one of the worst ideas ever. I still encounter ADS stripping

| messages when I copy files from my company laptop to non-ntfs media.

| Corporate IT insisted on using CA Antivirus and it tagged every file with

| an ADS signature. What a waste.

I think ADS was added for Macintosh file support.

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

 
jen

Guest
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

news:Oo4XZAy2IHA.5024@TK2MSFTNGP03.phx.gbl...

> From: "Geoff" <geoff@invalid.invalid>

> < snip >

> | Yes, kernel mode functions can get you places, but I am googling for how a

> | PID can be hidden and have not found it yet. It was my understanding that

> | PE used a KM technique to make it difficult for KM processes to hide from

> | it but I could be wrong. One of the first examples I found in a google

> | search for ZwOpenProcess had a sample that resisted process info probes

> | from PE but was not invisible to it.

> | ADS had to be one of the worst ideas ever. I still encounter ADS stripping

> | messages when I copy files from my company laptop to non-ntfs media.

> | Corporate IT insisted on using CA Antivirus and it tagged every file with

> | an ADS signature. What a waste.

> I think ADS was added for Macintosh file support.

File system forks are traditionally associated with Apple's Hierarchical

File System (HFS), but are also available in other file systems. In

Microsoft's NTFS they are known as Alternate Data Streams (ADS). Other

filesystems such as Novell's Novell Storage Services (NSS) and NetWare

File System (NWFS), Solaris's UFS (in Solaris 9 and later) and ZFS, and

Veritas Software's Veritas File System (VxFS) also support file system

forks. In Solaris they are known as extended attributes, although they

can be as large as a file and are accessed in the same way a file's data

is and thus behave like a fork. UDF, being a universal file system for

general data exchange, supports forks as well.

In 1993, Microsoft released the first version of the Windows NT

operating system which introduced the NTFS filesystem. This filesystem

includes support for multiple named forks as alternate data streams for

compatibility with pre-existing operating systems that support forks.

With Windows 2000, Microsoft started using alternate data streams in

NTFS to store things such as author or title file attributes and image

thumbnails. With Service Pack 2 for Windows XP, Microsoft introduced the

Attachment Execution Service that stores details on the origin of

downloaded files in alternate data streams attached to files, in an

effort to protect users from downloaded files that may present a risk.

http://en.wikipedia.org/wiki/Fork_(filesystem)

-jen
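The Attachment Execution Service that jen's quote mentions writes its origin record into a stream named `Zone.Identifier` attached to the downloaded file, as a small INI-style body with a `[ZoneTransfer]` section. The following is an added example, not code from the thread or from Microsoft: it decodes that stream body (the `ZoneId`, and the `ReferrerUrl`/`HostUrl` values newer Windows versions also record), maps the zone number to the URL security zone it denotes, and can open the real stream on an NTFS volume under Windows. SAMPLE_STREAM is a constructed stream body; the URLs in it are made up.

```python
"""Decode the Zone.Identifier stream written by the Attachment Execution
Service (the origin mark jen's quote describes).

Added example, not part of the thread. SAMPLE_STREAM is a constructed
stream body; read_zone_identifier() opens the real ':Zone.Identifier'
stream and therefore only succeeds on NTFS volumes under Windows.
"""
import configparser
from typing import Dict, Optional

# URL security zone numbers used by the ZoneId value.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample of a stream body (the URLs are made up).
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://downloads.example.test/
HostUrl=https://downloads.example.test/tool.exe
"""


def parse_zone_identifier(text: str) -> Optional[Dict[str, object]]:
    """Decode the INI-style stream body.

    Returns None when the body has no [ZoneTransfer] section, i.e. the file
    carries no usable origin mark. A present section with no ZoneId yields
    zone_id None, so callers can tell 'marked but incomplete' from 'unmarked'.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str          # keep key case; the stream uses CamelCase keys
    try:
        cp.read_string(text)
    except configparser.Error:    # not INI at all, e.g. a truncated stream
        return None
    if not cp.has_section("ZoneTransfer"):
        return None
    sec = cp["ZoneTransfer"]
    zone_id = None
    if sec.get("ZoneId", "").strip().isdigit():
        zone_id = int(sec["ZoneId"])
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown") if zone_id is not None else None,
        "referrer_url": sec.get("ReferrerUrl"),
        "host_url": sec.get("HostUrl"),
    }


def came_from_outside(info: Optional[Dict[str, object]]) -> bool:
    """True when the mark says the file arrived from the Internet or a
    Restricted zone, the cases where extra scrutiny before running it pays."""
    return info is not None and info["zone_id"] is not None and info["zone_id"] >= 3


def read_zone_identifier(path: str) -> Optional[Dict[str, object]]:
    """Open '<path>:Zone.Identifier' and decode it; None when the stream
    (or the file) does not exist or the volume has no stream support."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8-sig",
                  errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(info, "-> review before running" if came_from_outside(info) else "-> local origin")
```

On a live system, call read_zone_identifier() on each file you are triaging; files copied to the non-NTFS media Geoff mentions lose the stream, so a missing mark says nothing about origin.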

 
Top Bottom