Stability test?

Discussion in 'Ghost Security Suite (GSS)' started by f3x, Feb 28, 2006.

  1. f3x

    f3x Registered Member

    Feb 6, 2006
    Montreal, Quebec
    A user kindly proposed to do that on PG, so I tried it on GSS ;)
    We want it at least as good as PG, don't we?

    The idea is from Sysinternals.
    It was done to test the Sony rootkit and "prove" it can be unstable.
    NtCrash2 tests each API of NTOSKRNL and throws random data at them.
    On a normal system, nothing happens and the program only receives an error saying the request is badly formulated. When the system is hooked by the Sony rootkit, their driver fails to process the random data and crashes.

    So for the sake of science I crashed my computer ;)
    Basically all tests go well until about 0x28 and then it just force-reboots.
    Maybe I have my computer configured to reboot instead of BSOD; anyone know how to change that?

    So I went into Calculator, and 0x28 is 40 in decimal.
    Using the "RootKit Analyser" tool I found nothing at 40, but 41 is
    NTCreateKey with ghostSec.sys attached to it!!!

    At the moment it's too soon to conclude anything,
    as kernel modifications are done in a chain and Rootkit Analyser only shows the first of them. The only other kernel modifier I have is Alcohol 120%.
    Yet this is suspect enough to post this thread, as NTCreateKey really sounds like RegDefend to me. (But the driver concerns the whole GSS, so I had difficulty choosing which forum to post this in.)

    Basically I am asking if anyone else (maybe even Jason) could try the torture of sending random data to the Windows API and see if a GSS crash occurs.
  2. tonyjl

    tonyjl Registered Member

    May 25, 2004
    Hi f3x.

    Thanks for that article, I may give that a go as I've only done a full system backup this morning.

    As for the BSOD...

    System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]

    Value Name: AutoReboot

    Data Type: REG_DWORD (DWORD Value)

    Value Data: (0 = disabled, 1 = enabled)
  3. tonyjl

    tonyjl Registered Member

    May 25, 2004

    I have both PG and AD/GSS installed and up and running, all options enabled. I don't have the Sony rootkit installed, just did the test outta curiosity.

    So I ran the test with the following results:

    Started getting alerts from both about 'ntcrash2.exe' either starting or modifying (can't remember which now) another process. No info was given about this other process by either of them at all (name, path, cmd line etc.).

    I tried telling PG to 'allow always', but it either didn't remember, or it was a new process each time, so I disabled PG at 0x35, 'cause I got fed up with 'allow' every second or two.

    I checked GSS's logs for AD, and at around the time of PG playing up, the logs were blank, as in, there were 'events' recorded, but no info was given. The logs went back to normal a little after PG was disabled...

    The test then carried on until 0x40 when I got the BSOD; info follows:

    STOP: 0x0000008E (0xC0000005,0xEE344602,0xEE40BC24,0x00000000)

    ghostsec.sys - Address EE344602 base at EE342000, DateStamp 438fc76b

    I don't understand stop errors, so I'll wait for someone else who can explain.
  4. Jason_R0

    Jason_R0 Developer

    Feb 16, 2005
    Hi guys,

    That is odd because we have tested against NTCrash before and everything was OK. Since input is validated across all functions I will have to look into why this one in particular is occurring. It might have been something which "slipped" by in the build you are using.

    BTW Which builds of GSS did you test this on?
  5. tonyjl

    tonyjl Registered Member

    May 25, 2004
    Hi Jason.

    I'm using the beta GSS v1.110, AD/RD combo. I can do the test again if you'd like, as I only did that one out of curiosity.

    Do you know what that error code means? Is there a way of working out what they mean? 'Cause I searched for them on the net, and the answers are always very vague.
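As an added example (not code from this thread, from GSS, or from any tool linked here), a small Python parser for the two STOP-screen lines tonyjl quoted: it reads the bug check code and its four parameters, decodes them using the documented layout of 0x8E (KERNEL_MODE_EXCEPTION_NOT_HANDLED: P1 exception code, P2 faulting address, P3 trap frame), and computes the offset of the faulting address inside ghostsec.sys, which is the number a developer would match against that build's symbols. The STOP text is the constructed input, copied from the post above.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the two lines quoted in tonyjl's post above.
STOP_TEXT = """STOP: 0x0000008E (0xC0000005,0xEE344602,0xEE40BC24,0x00000000)
ghostsec.sys - Address EE344602 base at EE342000, DateStamp 438fc76b"""

# Only the codes that appear on this page (documented bug check / NTSTATUS names).
BUGCHECK_NAMES = {0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED"}
NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION"}

STOP_RE = re.compile(r"STOP:\s*0x([0-9A-Fa-f]+)\s*\(([^)]*)\)")
MODULE_RE = re.compile(
    r"(\S+)\s+-\s+Address\s+([0-9A-Fa-f]+)\s+base at\s+([0-9A-Fa-f]+)"
    r",\s*DateStamp\s+([0-9A-Fa-f]+)")


def parse_bugcheck(text):
    """Parse a 32-bit Windows STOP screen into a dict a triager can act on."""
    m = STOP_RE.search(text)
    if m is None:
        raise ValueError("no STOP line found")
    code = int(m.group(1), 16)
    params = [int(p.strip(), 16) for p in m.group(2).split(",")]
    if len(params) != 4:
        raise ValueError("expected four bug check parameters")
    info = {"bugcheck": code, "bugcheck_name": BUGCHECK_NAMES.get(code, "unknown"),
            "params": params}
    mm = MODULE_RE.search(text)
    if mm is not None:
        # The DateStamp is the PE link time, seconds since the Unix epoch.
        info["module"] = {"name": mm.group(1), "address": int(mm.group(2), 16),
                          "base": int(mm.group(3), 16),
                          "link_time": datetime.fromtimestamp(int(mm.group(4), 16), tz=timezone.utc)}
    if code == 0x8E:
        # Documented layout for 0x8E: P1 = exception code, P2 = faulting address,
        # P3 = trap frame address, P4 = reserved.
        info["exception"] = NTSTATUS_NAMES.get(params[0], "unknown")
        info["fault_address"] = params[1]
        info["trap_frame"] = params[2]
        if "module" in info and params[1] >= info["module"]["base"]:
            # Offset of the faulting instruction inside the named driver:
            # the value to look up against that build's symbols.
            info["offset_in_module"] = params[1] - info["module"]["base"]
    return info


if __name__ == "__main__":
    for key, value in parse_bugcheck(STOP_TEXT).items():
        print(key, value)
```

For the lines above this yields an access violation at offset 0x2602 into ghostsec.sys, a driver linked in early December 2005.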
  6. TheQuest

    TheQuest Registered Member

    Jun 9, 2003
    Kent. UK by the sea
    Hi, tonyjl

    The ErrorDesc tool [it is one of the now 25 tools in the zip] might help you find out what the error means: 4 more free console tools added

    You might get a VIRUS warning on downloading the zip, but if you read further down the posts in the thread you will see it is a FP.

    Take Care.
    TheQuest :cool:
