Hidden in registry !!

This looked a little scary :-
http://forums.net-integration.net/index.php?s=b603684766f66fa14694b04be5a5c313&showtopic=24912&st=0&

He appears to have mostly solved that blighter !

Interesting point: in Win98se, if the old-fashioned explorer Winfile.exe is used, then all the files in ....C:\Windows\Downloaded Program Files\ are seen as in any other directory, whereas in 'Explorer.exe' these files are not listed in the standard manner.
Also, ALL the Index.dat files are searchable and plainly visible in Winfile; it doesn't support long filenames, though.
regdat.exe from http://people.freenet.de/h.ulbrich/ ... allows one to view a Win98se saved registry file (hive), e.g. system.dat.

I guess we are talking a RootKit exploit in Ribbell's case above?
Any cloaking techniques used by a rootkit will become ineffective if you start your system from a boot CD. Is this a fact?

P
 
pipme said:
I guess we are talking a RootKit exploit in Ribbell's case above?

I suppose it could be classed as RootKit, but this was originally the term used for gaining Root access on UNIX systems and hiding the fact that it was happening. More like a Rootkit mutant.

pipme said:
Any cloaking techniques used by a rootkit will become ineffective if you start your system from a boot CD. Is this a fact?

Not necessarily. It depends on what the Rootkit is doing to stealth itself. If, like in this case, the registry editor does not display all the data, then I would suggest it is the editor application that is being fooled/exploited. If none of them work, then some common component is being hit.

I hope registry technology goes away quickly, as apart from being extremely inefficient, it isn't that secure, especially in the password area.
 
Apparently, items in the Windows registry can be set invisible to any viewer.
I think that is why Ribbell saved a hive, then viewed the saved file, whilst running a clean backed-up registry.
Have been reading a little about the RootKit and Windows ... pretty dodgy.
P
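The "save the hive, then look at the saved file" idea above is a cross-view check: the bytes of a saved hive can be read without going through the running system's registry API, so a key that a hooked enumeration hides still shows up in the file. The script below is an added example (it is not code from this thread, from regdat.exe, or from any rootkit write-up). It implements a minimal reader for the NT-family `regf` hive format, walking `nk` key records and `lf`/`lh`/`li`/`ri` subkey lists using the publicly documented field offsets, then reports subkeys present in the hive file but absent from a listing taken on the live system. The hive it parses and the "live" listing are both constructed in the script so it runs anywhere; on a real machine you would feed it a hive saved from the suspect system and a listing from that system's registry API. Win98se `system.dat` files use the older CREG layout, which this reader does not handle.

```python
"""Cross-view check of registry subkeys: offline regf parse versus a live API listing.
Added example with a CONSTRUCTED in-memory hive; not code from the thread or regdat.exe."""
import struct

HBIN_BASE = 0x1000        # cell offsets in a hive are relative to the first hbin block
NK_SUBKEY_COUNT = 0x14    # field offsets inside an nk (key) record
NK_SUBKEY_LIST = 0x1C
NK_NAME_LEN = 0x48
NK_NAME = 0x4C
NO_OFFSET = 0xFFFFFFFF


def _cell(hive, rel):
    """Payload of the cell at relative offset `rel`; the 4-byte size is negative when allocated."""
    start = HBIN_BASE + rel
    size = struct.unpack_from("<i", hive, start)[0]
    return hive[start + 4:start + abs(size)]


def _nk_name(nk):
    n = struct.unpack_from("<H", nk, NK_NAME_LEN)[0]
    return nk[NK_NAME:NK_NAME + n].decode("latin-1")


def _list_entries(hive, list_rel):
    """Relative offsets of nk records in an lf/lh/li list; an ri list points at further lists."""
    lst = _cell(hive, list_rel)
    sig, n = lst[:2], struct.unpack_from("<H", lst, 2)[0]
    if sig == b"ri":
        out = []
        for i in range(n):
            out.extend(_list_entries(hive, struct.unpack_from("<I", lst, 4 + 4 * i)[0]))
        return out
    stride = 8 if sig in (b"lf", b"lh") else 4   # lf/lh carry a 4-byte hash per entry
    return [struct.unpack_from("<I", lst, 4 + stride * i)[0] for i in range(n)]


def _child_records(hive, nk):
    if struct.unpack_from("<I", nk, NK_SUBKEY_COUNT)[0] == 0:
        return []
    list_rel = struct.unpack_from("<I", nk, NK_SUBKEY_LIST)[0]
    return [_cell(hive, r) for r in _list_entries(hive, list_rel)]


def subkeys(hive, path):
    """Subkey names under `path` ('' = root key), read straight from the hive bytes."""
    if hive[:4] != b"regf":
        raise ValueError("not a regf hive")
    nk = _cell(hive, struct.unpack_from("<I", hive, 0x24)[0])   # root key offset lives at 0x24
    for part in (p for p in path.split("\\") if p):
        match = [c for c in _child_records(hive, nk) if _nk_name(c).lower() == part.lower()]
        if not match:
            raise KeyError(path)
        nk = match[0]
    return sorted(_nk_name(c) for c in _child_records(hive, nk))


def hidden_subkeys(hive, path, live_listing):
    """Names present in the saved hive but missing from what the running system's API returned."""
    live = {n.lower() for n in live_listing}
    return [n for n in subkeys(hive, path) if n.lower() not in live]


def build_hive(tree, root_name="ROOT"):
    """Build a minimal regf hive from a nested dict (constructed test data, not a real hive)."""
    hbin = bytearray(b"hbin" + struct.pack("<II", 0, 0x1000) + bytes(0x20 - 12))

    def add_cell(payload):
        rel = len(hbin)
        size = 4 + len(payload)
        size += (-size) % 8                        # cells are 8-byte aligned
        hbin.extend(struct.pack("<i", -size) + payload.ljust(size - 4, b"\0"))
        return rel

    def add_key(name, children, parent_rel):
        hdr = bytearray(NK_NAME)
        hdr[0:2] = b"nk"
        struct.pack_into("<H", hdr, 0x02, 0x2C if parent_rel == NO_OFFSET else 0x20)
        struct.pack_into("<I", hdr, 0x10, parent_rel)
        for field in (NK_SUBKEY_LIST, 0x20, 0x28, 0x2C, 0x30):   # no lists, values, SD or class
            struct.pack_into("<I", hdr, field, NO_OFFSET)
        struct.pack_into("<H", hdr, NK_NAME_LEN, len(name))
        rel = add_cell(bytes(hdr) + name.encode("latin-1"))
        child_rels = [add_key(n, sub, rel) for n, sub in children.items()]
        if child_rels:                              # write an li list, then patch the parent nk
            li = b"li" + struct.pack("<H", len(child_rels)) + b"".join(struct.pack("<I", r) for r in child_rels)
            list_rel = add_cell(li)
            struct.pack_into("<I", hbin, rel + 4 + NK_SUBKEY_COUNT, len(child_rels))
            struct.pack_into("<I", hbin, rel + 4 + NK_SUBKEY_LIST, list_rel)
        return rel

    root_rel = add_key(root_name, tree, NO_OFFSET)
    hbin.extend(bytes(0x1000 - len(hbin)))
    base = bytearray(0x1000)
    base[0:4] = b"regf"
    struct.pack_into("<I", base, 0x24, root_rel)   # root key cell offset
    struct.pack_into("<I", base, 0x28, 0x1000)     # total size of the hbin area
    return bytes(base) + bytes(hbin)


# Constructed sample: the saved hive holds three subkeys under Software, but the
# "live" listing (what a hooked enumeration API handed back) omits one of them.
SAVED_HIVE = build_hive({
    "Software": {"Microsoft": {}, "Example Vendor": {}, "cloaked_entry": {}},
    "System": {"CurrentControlSet": {}},
})
LIVE_SOFTWARE_LISTING = ["Microsoft", "Example Vendor"]

if __name__ == "__main__":
    print("offline view:", subkeys(SAVED_HIVE, "Software"))
    print("hidden from live view:", hidden_subkeys(SAVED_HIVE, "Software", LIVE_SOFTWARE_LISTING))
```

The comparison only says something if the hive copy really was taken outside the suspect system's control, for example from a boot CD or a backup made before the problem appeared; a file saved through a hooked API on the running machine can itself be filtered. A name that appears in the file but not in the live view is a finding to investigate, not proof of a rootkit on its own, since keys can also be removed legitimately between the save and the listing.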
 
Yes, they use very low-level hooks to achieve this, effectively 'extending' Windows functionality (good old OO technology). If a machine is suspected of coming under this type of attack, the only way to be sure of fixing it is to reload it. It's getting a bit like Terminator 3, Rise of the Machines: one machine changing the core programming of another. Now that is a scary thought.

I found this, which is a good bedtime read
 