Appdefend monitoring

I saw that app defend is searching for strange system pathes look:

http://i2.tinypic.com/sno49k.png

 

oh good to know, thanks for the info, incredible that you can see armadillo activity just by these few path informations..

 

Actually it's just a wild guess.
Now I think i am wrong

It look like gss is looking for system folder.
Open a command prompt and type "path"


PATH=
C:\WINDOWS\system32;
C:\WINDOWS;
C:\WINDOWS\System32\Wbem;
C:\Program Files\Common Files\A Files\Support Tools\;
C:\Program Files\IDM Computer Solutions\UltraEdit-32;
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322;

So when gss search for system folder it try
Path + "\system\"

Where Path[0] = Local folder of gss
Path[1] = C:\WINDOWS\system32
Path[2] = C:\WINDOWS


So i guess it's just a relative path that windows is trying to solve.
Forget about Armadillo ... I just don't like that protection.

 

but what about the C:\Windows\System\System, that´s the strange path,
beside these protectors make files 3-5 times as big, I think this is a fact why not using stuff like armadillo or themida. It might be a good protection but also a good anoyance.

 

It's a dumb algorythm
Probably used inside windows.

Path + "\System"

if Path[3] = "C:\Windows\System"

Path[3] + "\System" =
"C:\Windows\System" + "\System"

this is the why of the strange path


You are rigth there are many thing we can say about commercial packer.
However specialisation have it's advantage
Everyone do what they do best.

 

absolutely right everyone do what they do best, I have a very short off topic, do you know this key and why it is crypted:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

crypt stuff like this is in it: HRZZ_PGYFRAFVBA

It is a kind of MRU right? Because it is rebuild with every restart from explorer, but why crypted?

Back to App defend monitoring: I noticed that in some combinations that sygate firewall and gss have sometimes problems, once windows stopped from working, then I stopped the gss autostart and it worked again, this was noticed especially while sygate installed´.

 

How do you came to that key ?
GSS is using it ?

It is a MRU and i beleive it have to do with the start menu:
http://blog.pointstone.com/?p=6

it look like a store of the most frequent command
it can be crypted so a malware do not know easily what program are the most used

 

but it´s easy to decrypt, the idea is very strange..

look here

Seems that Microsoft remains the biggest rootkit of all ;-)

 

Google is doing the same thing by collecting info about emails/search query/advertising etc...

However most of the time you'd have to trust them asn it may bring you a better user experience.

http://blogs.msdn.com/jensenh/archive/2005/10/31/487247.aspx
http://blogs.msdn.com/jensenh/archive/2005/11/07/489864.aspx