On Thu, 2005-03-17 at 11:28 -0700, Dave King wrote: > Several months ago I came upon a research project some people at >Microsoft had been working on called Strider GhostBuster to help find >rootkits. The original paper can be found here >http://research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=775 > >. Basically what it comes down to is you flush the disks, then run "dir >/a /s" and send the output to a file. On NTFS there is this very cool concept called 'Alternate Data Streams'(*1), afaik "dir /a /s" does not include the filesizes of the other streams. ADS's are btw mentioned in the paper though only shortly in the conclusion. Anyhow if you log keystrokes into a file on the disk, store them in a stream and nothing in the two outputs changes and you won't be noticed by the diff. Thus if you want to hide your stuff, stick it in an alternate stream as you can stick executables in there and actually anything you want. I wonder how many virus checkers support and chek NTFS streams... Greets, Jeroen *1 = google "ntfs streams" http://win32.mvps.org/ntfs/streams.html http://www.cknow.com/vtutor/vtntfsads.htm etc...
Attachment:
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://www.secunia.com/