RFH: winetest testing

Shachar Shemesh wine-devel at shemesh.biz
Wed Apr 28 08:51:08 CDT 2004


Kevin Koltzau wrote:

>GINA runs on a completely dedicated, secure windows station, there are 2 such
>window stations, the one displayed at login (which is also the one shown when you
>hit ctrl-alt-del), the other is used by the screen saver
>the only windows that can be displayed on these are generated by the Messenger
>service, which simply displays a popup window on the current window station that
>is attached to user input
At a demo in Black Hat Windows 2001, in Las Vegas, a guy from the 
rootkit project was demoing their stuff. Amazing stuff.

One of the things he was demoing was fresh out of the oven: a 
kernel-mode rootkit launching a user-mode process. They were taking 
another process and copying its process information for their newly 
created process. He was running cmd, IIRC.

The thing is, he was demoing how he was telnetting in (to a fake IP), and 
issued a command to run CMD, and nothing happened. And the guy says, "Oh 
well, I said it was experimental."

Then, a couple of minutes later, the guy presses CTRL+ALT+DEL for an 
unrelated reason, and guess what? There is his CMD window, functional 
and all. They had been cloning the information of the wrong Win32 process.

Not entirely relevant, and obviously once you're in kernel mode, you can 
do anything. Still, that's where my info comes from. Sorry about the 
distraction; I just thought you might enjoy the story.

             Shachar
p.s.
http://www.rootkit.com, in case anyone is interested.

-- 
Shachar Shemesh
Lingnu Open Source Consulting
http://www.lingnu.com/
