Wednesday, 9 May 2007



Worms and anti-virus: The fight


Today I have been approached by a challenge to intercept and control win32 file system operations at the file system level. I have been roughly thinking about it and have so far come accross a few resources to help me refresh the scenario, that I will expose here:

The now defunct Phrack site is a good resource to look at. This article shows a way of hooking into the native api from kernel space. In this other article techniques are explained on how to install malicious code from userland space. This other one details techniques on how to surpass registry and file system operations by mangling with kernel land code. Fooling stack backtrace detectors (used in some intrussion detection systems) is exlained here.

No comments: