Appdefend monitoring

Discussion in 'Ghost Security Suite (GSS)' started by SystemJunkie, Mar 31, 2006.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
  2. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    oh good to know, thanks for the info, incredible that you can see armadillo activity just by these few path informations..
     
  3. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Actually it's just a wild guess.
    Now I think i am wrong ;)

    It look like gss is looking for system folder.
    Open a command prompt and type "path"


    PATH=
    C:\WINDOWS\system32;
    C:\WINDOWS;
    C:\WINDOWS\System32\Wbem;
    C:\Program Files\Common Files\A Files\Support Tools\;
    C:\Program Files\IDM Computer Solutions\UltraEdit-32;
    C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322;

    So when gss search for system folder it try
    Path + "\system\"

    Where Path[0] = Local folder of gss
    Path[1] = C:\WINDOWS\system32
    Path[2] = C:\WINDOWS


    So i guess it's just a relative path that windows is trying to solve.
    Forget about Armadillo ... I just don't like that protection.
     
  4. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    but what about the C:\Windows\System\System, that´s the strange path,
    beside these protectors make files 3-5 times as big, I think this is a fact why not using stuff like armadillo or themida. It might be a good protection but also a good anoyance.
     
  5. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    It's a dumb algorythm
    Probably used inside windows.

    Path + "\System"

    if Path[3] = "C:\Windows\System"

    Path[3] + "\System" =
    "C:\Windows\System" + "\System"

    this is the why of the strange path


    You are rigth there are many thing we can say about commercial packer.
    However specialisation have it's advantage
    Everyone do what they do best.
     
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    absolutely right everyone do what they do best, I have a very short off topic, do you know this key and why it is crypted:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

    crypt stuff like this is in it: HRZZ_PGYFRAFVBA

    It is a kind of MRU right? Because it is rebuild with every restart from explorer, but why crypted?

    Back to App defend monitoring: I noticed that in some combinations that sygate firewall and gss have sometimes problems, once windows stopped from working, then I stopped the gss autostart and it worked again, this was noticed especially while sygate installed´.
     
  7. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    How do you came to that key ?
    GSS is using it ?

    It is a MRU and i beleive it have to do with the start menu:
    http://blog.pointstone.com/?p=6

    it look like a store of the most frequent command
    it can be crypted so a malware do not know easily what program are the most used
     
  8. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    but it´s easy to decrypt, the idea is very strange..

    look here

    Seems that Microsoft remains the biggest rootkit of all ;-)
     
  9. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
Thread Status:
Not open for further replies.