From BlackHat...thought this might be of interest

Discussion in 'Ghost Security Suite (GSS)' started by budfox, Aug 15, 2006.

Thread Status:
Not open for further replies.
  1. budfox

    budfox Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    103
  2. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    This is a very interesting article.

    On one side I think this would be better suited to the general HIPS forum
    (Other anti-malware).

    On the other side I'm very curious to hear Jason on the topic,
    especially the registry and physical memory part.
    Can such an attack be used against RegDefend?

    This is, in essence, the content of the PDF.
     
  3. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    For what it's worth, you can see that RegDefend protects against the target of a registry link, so RD customers don't have anything to worry about.

    This can be seen most easily in HKLM\System\CurrentControlSet, which points to one of HKLM\System\ControlSet00#.

    The rules that you create in RegDefend are for the ControlSeto_O part of the registry, because that is the destination of the registry link; you can create rules for CurrentControlSet, but because that is a link it will not match (in most cases).
     
  4. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Hi gottadoit.
    I never thought that this could be a proof,
    because you define the rule as *controlset*,
    which encompasses ControlSet000 as well as CurrentControlSet.

    Also, one can be puzzled if the rule is not shown correctly in the alert window. I guess I need to do some more tries to convince myself ;)

    One thing I know for sure is that GSS does not process NTFS symlinks, or has a strange way of handling them. I have both "C:\Program Files" and "E:\Program Files" pointing to the same thing, and GSS alternates between one and the other.
     
  5. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    That's something I could do as well, I guess, but weren't you using VMware or something similar? Because rather than buying two, three or sometimes/maybe four licences (triple/quadruple boot system *puppy*), I would immediately buy a VMware licence; in the long run I guess this would save us some money.

    I simply see the difference between us (you and me, and I think probably around 90% of the other members at WSF) and guys/gals like gottadoit, Techno, Jason, Kevin... lol (a battle that cannot be won IMHO, but don't worry (I wouldn't), because we are the other 90%, and my nephew is also not in the same league as those experts... but he knows some karate :D He'll cover us :p). When one of the more serious questions comes up (technical, mostly API-related, things happening deep in the system (hooking, ring 0...) that can sometimes only be seen with reverse engineering, or with the same rootkit techniques used in a good manner, or something; another fascinating area/topic (rev. eng.)), I don't expect to get answers any more, because IMHO without some decent school/learning/diploma on such topics it is sometimes hard to understand correctly even **IF** experts are willing to explain (like Kevin, Jason and SSM sometimes do, and when they do... and I understand it, it still feels like magic!!)
    and magic is a fine thing ;)

    :thumb: take care,

    Inf.
     
  6. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    f3x, if I had referred to the rule as *controlset* you would be correct that it would not have been a suitable example to refer to; however, I referred to the rule as controlseto_O, which doesn't match currentcontrolset. A lot of the created rules do use *controlset* because there used to be one instance where the link would match, and matching on both the link (currentcontrolset) and the actual hive keys (controlset###) just makes it simpler to maintain the rules and saves having to worry about the border cases.
    I guess Jason will have to handle this in the filename normalisation code; it already caters for short-name to long-name conversions, it just needs an extra step to save us from having to create two rules instead of just one (where links are concerned). So it's more of an annoyance than a security hole, because we need to have two entries for a program instead of a single one, assuming that we run the same executable from both paths on a regular enough basis for it to be an issue.
     
    Last edited: Aug 18, 2006
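The registry-link point from gottadoit's posts (a rule written for ControlSet00# also has to cover accesses made through the CurrentControlSet link) and the filename normalisation he describes (short-name to long-name conversion, plus the junction/symlink case f3x hit with two Program Files paths) can be illustrated with a small path canonicaliser in front of a rule matcher. This is an added example, not code from GSS, RegDefend or anyone in this thread; the control-set number, the alias table, the rules and the accessed paths are all constructed for illustration. It goes one step beyond the thread by normalising the rule text as well as the accessed path, so that one rule covers both the link and its target.

```python
"""Canonicalise registry and file paths before matching HIPS rules.

Added example (not GSS/RegDefend code).  Two link kinds from the thread are
handled: the registry link HKLM\\SYSTEM\\CurrentControlSet -> ControlSet00N,
and filesystem aliases (junctions/symlinks and 8.3 short names).
"""
import fnmatch
import ntpath

# Assumed machine state: the number held in HKLM\SYSTEM\Select\Current.
# On a live Windows box read it with winreg instead of hard-coding it.
CURRENT_CONTROL_SET = 1

# Constructed alias table (alias prefix -> real prefix).  On a live system
# these would be discovered per path with os.path.realpath() (reparse points)
# and GetLongPathNameW (short names); the entries mirror f3x's layout.
FILE_ALIASES = {
    r"C:\Program Files": r"E:\Program Files",  # junction (assumed)
    r"C:\PROGRA~1": r"E:\Program Files",       # 8.3 short name of it (assumed)
}

HIVE_ABBREVIATIONS = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKU": "HKEY_USERS",
}


def canonical_registry_path(path, current_control_set=CURRENT_CONTROL_SET):
    """Expand the hive abbreviation and replace the CurrentControlSet link
    with the ControlSet00N key it currently points to."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    if not parts:
        return ""
    parts[0] = HIVE_ABBREVIATIONS.get(parts[0].upper(), parts[0].upper())
    if (len(parts) >= 3 and parts[0] == "HKEY_LOCAL_MACHINE"
            and parts[1].upper() == "SYSTEM"
            and parts[2].upper() == "CURRENTCONTROLSET"):
        parts[2] = "ControlSet%03d" % current_control_set
    return "\\".join(parts)


def canonical_file_path(path):
    """Collapse '.'/'..' segments and rewrite a known alias to the real prefix."""
    p = ntpath.normpath(path.replace("/", "\\"))
    low = p.lower()
    for alias, real in FILE_ALIASES.items():
        a = alias.lower()
        if low == a or low.startswith(a + "\\"):
            return real + p[len(alias):]
    return p


def canonical(kind, path):
    return canonical_registry_path(path) if kind == "reg" else canonical_file_path(path)


def match_rule(rules, kind, accessed_path, normalise=True):
    """Return the pattern of the first rule matching the access, or None.
    With normalise=True both the rule pattern and the accessed path are
    canonicalised first, so a single rule covers link and target."""
    target = canonical(kind, accessed_path) if normalise else accessed_path
    for rule_kind, pattern in rules:
        if rule_kind != kind:
            continue
        pat = canonical(kind, pattern) if normalise else pattern
        # Case-insensitive glob match; fnmatchcase so behaviour is the same
        # on every host OS.
        if fnmatch.fnmatchcase(target.lower(), pat.lower()):
            return pattern
    return None


# Constructed rules: one written for the link target, one for the real path.
RULES = [
    ("reg", r"HKLM\SYSTEM\ControlSet001\Services\*"),
    ("file", r"E:\Program Files\Foo\foo.exe"),
]

if __name__ == "__main__":
    accesses = [
        ("reg", r"HKLM\SYSTEM\CurrentControlSet\Services\EvilSvc"),
        ("reg", r"HKLM\SYSTEM\ControlSet001\Services\EvilSvc"),
        ("file", r"C:\Program Files\Foo\foo.exe"),
        ("file", r"C:\PROGRA~1\Foo\..\Foo\foo.exe"),
    ]
    for kind, access in accesses:
        naive = match_rule(RULES, kind, access, normalise=False) is not None
        norm = match_rule(RULES, kind, access) is not None
        print(f"{access:48} naive={naive!s:5} normalised={norm}")
```

Run as a script it prints one line per access: the two link-side accesses (CurrentControlSet, and the junction or short-name path) miss the rules without normalisation and hit them with it, while the direct accesses hit either way. A rule written as `*controlset*\Services\*` matches in both modes, which is the shortcut gottadoit describes for keeping rules simple. Whatever resolves the names on a real system (winreg for `Select\Current`, `os.path.realpath` plus `GetLongPathNameW` for files) must be applied to the rule text with the same routine as to the accessed path; otherwise you are back to two entries per object.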
  7. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    @gottadoit, thanks for the clarification ;)

    @Infinity: it's not a matter of dual boot.
    It's a matter of having as little as possible on my C:\ drive, so I can image/restore/format/reinstall it without affecting my system too much.

    "Program Files" and "Documents and Settings" are on my special E:User drive, while only Windows stays on C:\.
     
  8. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Does anyone know how these are modified? Is it a file? Is it easy to modify? 'Cause I didn't know this could be done.
     