Re: [Dailydave] modGREPER - hidden kernel modules detector
From: James Butler (james.butler at hbgary.com)
Date: Tue Jun 07 2005 - 09:32:25 CDT
Joanna,
We (Sherri and I) had already defeated this detection mechanism before
you released it. Perhaps you should see:
http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#Sparks
See I knew you or someone was going to do this, but thanks for giving our
presentation even more motivation. It is kinda non-climactic to create
"solutions" for problems that don't exist yet. Now the problem exists
because of you.
Thanks for advancing the discussion on rootkit.com. I was getting bored.
Jamie aka Fuzen
>modGREPER is a hidden module detector for Windows 2000/XP/2003. It
>searches through the whole kernel memory in order to find structures which
>look like valid module description objects. Currently the two most
>important object types are recognized: the well known _DRIVER_OBJECT and
>_MODULE_DESCRIPTION. GREPER has some sort of artificial intelligence
>built in, which allows it to recognize if the given bytes actually
>describe a module-specific object. The term AI for this algorithm is
>probably a little bit exaggerated, since it is just a few bunches of
>logical rules which should be satisfied by the potential fields of the
>structure in question...
>read more and get the tool:
>http://invisiblethings.org/tools.html#modgreper
>regards,
>joanna.
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
https://lists.immunitysec.com/mailman/listinfo/dailydave