Which processes are legitimate?

Thread starter: SANTANDER
On Mon, 30 Jun 2008 20:11:32 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "Geoff" <geoff@invalid.invalid>
>
>
>| Well, if you have specific info I'd like to see it. If it has a PID, it can
>| be seen. Rootkit Revealer found it. Not sure if Mark was using PE at the
>| same time when he found the Sony rootkit.
>
>| As for ADS, a process is not a file; which part of PE are you referring
>| to about hiding a process in an ADS?
>
>This is an area where I fall off the ledge. I still have much to learn. However it is my
>understanding the following are used to hide processes...
>
>ZwCreateThread
>ZwOpenProcess
>ZwOpenThread
>ZwTerminateProcess
>ZwWriteVirtualMemory
>
>The PID would be hidden from normal scrutiny and thus NOT shown in Process Explorer.
>
>You are correct in that ADS refers to how a file is stored and not a process. However,
>you can not tell from Process Explorer if a file is executed from an Alternate Data
>Stream. SVCHOST.EXE executed as an ADS is most certainly malware.


Yes, kernel mode functions can get you places, but I am googling for how a
PID can be hidden and have not found it yet. It was my understanding that
PE used a KM technique to make it difficult for KM processes to hide from
it but I could be wrong. One of the first examples I found in a Google
search for ZwOpenProcess had a sample that resisted process info probes
from PE but was not invisible to it.

ADS had to be one of the worst ideas ever. I still encounter ADS stripping
messages when I copy files from my company laptop to non-NTFS media.
Corporate IT insisted on using CA Antivirus and it tagged every file with
an ADS signature. What a waste.
 
From: "Geoff" <geoff@invalid.invalid>

< snip >

| Yes, kernel mode functions can get you places, but I am googling for how a
| PID can be hidden and have not found it yet. It was my understanding that
| PE used a KM technique to make it difficult for KM processes to hide from
| it but I could be wrong. One of the first examples I found in a Google
| search for ZwOpenProcess had a sample that resisted process info probes
| from PE but was not invisible to it.

| ADS had to be one of the worst ideas ever. I still encounter ADS stripping
| messages when I copy files from my company laptop to non-NTFS media.
| Corporate IT insisted on using CA Antivirus and it tagged every file with
| an ADS signature. What a waste.

I think ADS was added for Macintosh file support.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:Oo4XZAy2IHA.5024@TK2MSFTNGP03.phx.gbl...
> From: "Geoff" <geoff@invalid.invalid>
> < snip >
> | Yes, kernel mode functions can get you places, but I am googling for how a
> | PID can be hidden and have not found it yet. It was my understanding that
> | PE used a KM technique to make it difficult for KM processes to hide from
> | it but I could be wrong. One of the first examples I found in a Google
> | search for ZwOpenProcess had a sample that resisted process info probes
> | from PE but was not invisible to it.
> |
> | ADS had to be one of the worst ideas ever. I still encounter ADS stripping
> | messages when I copy files from my company laptop to non-NTFS media.
> | Corporate IT insisted on using CA Antivirus and it tagged every file with
> | an ADS signature. What a waste.
> I think ADS was added for Macintosh file support.


File system forks are traditionally associated with Apple's Hierarchical
File System (HFS), but are also available in other file systems. In
Microsoft's NTFS they are known as Alternate Data Streams (ADS). Other
filesystems such as Novell's Novell Storage Services (NSS) and NetWare
File System (NWFS), Solaris's UFS (in Solaris 9 and later) and ZFS, and
Veritas Software's Veritas File System (VxFS) also support file system
forks. In Solaris they are known as extended attributes, although they
can be as large as a file and are accessed in the same way a file's data
is and thus behave like a fork. UDF, being a universal file system for
general data exchange, supports forks as well.

In 1993, Microsoft released the first version of the Windows NT
operating system which introduced the NTFS filesystem. This filesystem
includes support for multiple named forks as alternate data streams for
compatibility with pre-existing operating systems that support forks.
With Windows 2000, Microsoft started using alternate data streams in
NTFS to store things such as author or title file attributes and image
thumbnails. With Service Pack 2 for Windows XP, Microsoft introduced the
Attachment Execution Service that stores details on the origin of
downloaded files in alternate data streams attached to files, in an
effort to protect users from downloaded files that may present a risk.
http://en.wikipedia.org/wiki/Fork_(filesystem)

-jen
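As an added example that is not code from any poster in this thread: enumerating the NTFS streams of a file is the check a defender would run to spot an executable parked in an alternate data stream, and the Zone.Identifier stream the Attachment Execution Service writes is the origin mark described above. The enumeration uses the real Win32 FindFirstStreamW API via ctypes and only works on Windows; the sample stream list and Zone.Identifier text are constructed.

```python
# Added example, not code from any post in this thread: enumerate a file's NTFS streams
# with the Win32 FindFirstStreamW API (Windows only), flag an executable parked in an
# alternate stream, and read the ZoneId the Attachment Execution Service records.
import ctypes
import re
import sys
EXE_STREAM = re.compile(r"^:[^:]+\.(exe|dll|scr|com|bat|cmd|ps1|vbs|js):\$DATA$", re.I)
class WIN32_FIND_STREAM_DATA(ctypes.Structure):  # cStreamName is WCHAR[MAX_PATH + 36]
    _fields_ = [("StreamSize", ctypes.c_longlong), ("cStreamName", ctypes.c_wchar * 296)]

def list_streams(path):
    """Return [(stream_name, size)] for every stream of `path`; Windows/NTFS only."""
    if sys.platform != "win32":
        raise OSError("FindFirstStreamW is only available on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint, ctypes.c_void_p, ctypes.c_uint]
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = WIN32_FIND_STREAM_DATA()
    h = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if h == ctypes.c_void_p(-1).value:  # INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:  # FindNextStreamW returns FALSE once the last stream has been read
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(h, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(h)
    return streams

def classify_stream(name):
    """'::$DATA' is the file's normal content; every other stream is an alternate one."""
    if name == "::$DATA":
        return "primary"
    if name.lower() == ":zone.identifier:$data":
        return "zone-identifier"
    return "suspicious-executable" if EXE_STREAM.match(name) else "alternate"

def zone_id(zone_identifier_text):
    """ZoneId from a Zone.Identifier stream (3 = Internet zone), or None if absent."""
    m = re.search(r"^ZoneId\s*=\s*(\d+)\s*$", zone_identifier_text, re.M)
    return int(m.group(1)) if m else None

# Constructed sample: a downloaded file that also carries a hidden svchost.exe stream.
SAMPLE_STREAMS = [("::$DATA", 12288), (":Zone.Identifier:$DATA", 26), (":svchost.exe:$DATA", 49152)]
SAMPLE_ZONE = "[ZoneTransfer]\r\nZoneId=3\r\n"
```

On an NTFS volume, `classify_stream` can be applied to each name returned by `list_streams(path)`; Process Explorer will not show that a running image came from such a stream, so this is a file-level check rather than a process-level one.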
 