RFH: winetest testing
Shachar Shemesh
wine-devel at shemesh.biz
Wed Apr 28 08:51:08 CDT 2004
Kevin Koltzau wrote:
>GINA runs on a completely dedicated, secure windows station, there are 2 such
>window stations, the one displayed at login (which is also the one shown when you
>hit ctrl-alt-del), the other is used by the screen saver
>the only windows that can be displayed on these are generated by the Messenger
>service, which simply displays a popup window on the current window station that
>is attached to user input
>
>
At a demo in Black Hat Windows 2001, in Las Vegas, a guy from the
rootkit project was demoing their stuff. Amazing stuff.
One of the things he was demoing was fresh out of the oven. A
kernel-mode rootkit launching a user-mode process. They were taking
another process, and copying its process information for their newly
created process. He was running cmd, IIRC.
The thing is, he was demoing how he was telnetting (to a fake IP), and
issued a command to run CMD, and nothing happened. And the guy says "oh
well, I said it was experimental".
Then, a couple of minutes later, the guy presses CTRL+ALT+DEL for an
unrelated reason, and guess what? There is his CMD Window, functional
and all. They were cloning the information of the wrong Win32 process.
Not entirely relevant, and obviously once you're in kernel mode, you can
do anything. Still, that's where my info comes from. Sorry about the
distraction. Just thought you may enjoy the story.
Shachar
p.s.
http://www.rootkit.com, in case anyone is interested.
--
Shachar Shemesh
Lingnu Open Source Consulting
http://www.lingnu.com/