Re: Full-Disclosure Digest, Vol 43, Issue 20
From: Mary and Glenn Everhart <Everhart () gce com>
Date: Sat, 13 Sep 2008 15:14:07 -0400
5. Re: "Zero-day catcher" for Windows available for sell
The guy who posted this did reveal much of what was needed to know.
Sounds like his premise is that any 0day will have to patch one or more
modules, inside the code (to avoid being noticed). To do this they would
read the module headers. I presume there are only a few "normal" places
such headers would be read, so reads from elsewhere might be possible
to trap. Sounds too like he (/she?) may be getting control on a timer, which
would need to be kept working to avoid the system very noticeably hanging.
There is probably some more but this sounds like some rootkits would be
picked up this way. If your kernel function searches through memory,
or perhaps follows trap vectors in the hardware, to figure where some target
is, it might avoid looking at PE headers but could have to work harder.
A more open discussion of the product's features and capabilities would
however be preferable. We might all learn something (including the
original poster). The method of description used suggests it could be an
attempt at trapping some accesses but which may or may not be
competently or even safely done. (I might also point out that talks at
places like Blackhat and Defcon have been published which discuss
malware that requires only a few bytes of data to be altered to change
functions. These may not all be within PE headers.)
Whoever you are, "zerodaycatcher", how about some more technical discussion?
Glenn C. Everhart
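To make the premise in the message concrete, here is a toy model of the heuristic it describes: trap reads that touch a loaded module's PE header and flag the ones whose caller is not in a known-legitimate header reader such as the image loader. This is an added example written for this archive page, not code from the product being discussed or from the poster; the module names, address ranges, the "trusted reader" allow-list and the read events are all constructed. The last event also illustrates the limitation raised in the message: code that locates its target by scanning memory rather than parsing PE headers never triggers a header read and is not seen by this check.

```python
"""Toy model of 'trap PE header reads from unusual callers'.

All modules, addresses and events below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


# PE headers (DOS header, e_lfanew, NT headers, section table) sit in the
# first page of a mapped image, so a read into the first 0x1000 bytes of a
# known module base is treated as a "header read" (assumption of this toy).
HEADER_BYTES = 0x1000


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int
    # True only for code that legitimately parses image headers (the loader).
    trusted_header_reader: bool = False

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class ReadEvent:
    caller: int  # address of the instruction performing the read
    target: int  # address being read


# Constructed module map; the loader is the only allow-listed header reader.
MODULES: List[Module] = [
    Module("loader.sys (constructed)", 0xFFFFF80000000000, 0x40000, trusted_header_reader=True),
    Module("kernel.exe (constructed)", 0xFFFFF80001000000, 0x600000),
    Module("driver_a.sys (constructed)", 0xFFFFF88001000000, 0x20000),
]


def module_for(addr: int) -> Optional[Module]:
    """Return the known module containing addr, or None if unbacked/unknown."""
    for mod in MODULES:
        if mod.contains(addr):
            return mod
    return None


def is_header_read(ev: ReadEvent) -> bool:
    """True when the target lies inside the header page of a known module."""
    mod = module_for(ev.target)
    return mod is not None and (ev.target - mod.base) < HEADER_BYTES


def classify(ev: ReadEvent) -> str:
    """'ignore'  : read does not touch a PE header (invisible to this check)
       'normal'  : header read from an allow-listed reader
       'suspect' : header read from any other caller, including unbacked memory"""
    if not is_header_read(ev):
        return "ignore"
    caller_mod = module_for(ev.caller)
    if caller_mod is not None and caller_mod.trusted_header_reader:
        return "normal"
    return "suspect"


def triage(events: List[ReadEvent]) -> Dict[str, List[ReadEvent]]:
    """Bucket events by classification so suspects can be reviewed."""
    buckets: Dict[str, List[ReadEvent]] = {"ignore": [], "normal": [], "suspect": []}
    for ev in events:
        buckets[classify(ev)].append(ev)
    return buckets


# Constructed event log (caller, target):
EVENTS = [
    # loader parsing driver_a's header at load time -> normal
    ReadEvent(caller=0xFFFFF80000001234, target=0xFFFFF88001000000),
    # driver_a reading the kernel's e_lfanew (offset 0x3C) -> suspect
    ReadEvent(caller=0xFFFFF88001002000, target=0xFFFFF80001000000 + 0x3C),
    # driver_a reading kernel .text directly, no header touched -> ignore
    ReadEvent(caller=0xFFFFF88001002000, target=0xFFFFF80001000000 + 0x2000),
    # caller in memory backed by no known module reading the kernel header -> suspect
    ReadEvent(caller=0xFFFFF70000000000, target=0xFFFFF80001000000),
]

if __name__ == "__main__":
    for cls, evs in triage(EVENTS).items():
        for ev in evs:
            print(f"{cls:8} caller={ev.caller:#x} target={ev.target:#x}")
```

The third event is the important caveat: a module that finds its target by scanning memory or following hardware trap vectors never produces a header read, so this heuristic needs to be paired with other checks (for example, comparing in-memory code against the on-disk image) rather than relied on alone.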