
NaggingMachine


Bug-fix of the BASIC ROOTKIT source code that hides processes

naggingmachine 2008. 2. 5. 12:48

While reading the book "루트킷, 윈도우 커널 조작의 미학" (Rootkits: Subverting the Windows Kernel), I thought there was a bug in the source code, so I tried changing it.

No reply yet.



Dear Greg Hoglund,

I am a big fan of you and your book, "Subverting the Windows Kernel, ROOTKITS". Your book gave me a map to becoming a hacker, I mean, not a cracker. I love it! ;-)
BTW, I am writing to you regarding a bug in the BASIC ROOTKIT source code that hides processes, in the basic_mdl_flags.c file.

You considered the situation in which the total kernel time and total user time do not add up to 100% because the code hides "_root_*" processes. That's good.
But the problem is that you assume "_root_*" processes are always followed by the Idle process. Is that true? What if the Idle process is followed by "_root_*" processes? (Of course, it might not happen.)
In that case, you cannot make up the time, because when you add the kernel and user times of the "_root_*" processes, m_UserTime.QuadPart and m_KernelTime.QuadPart are both 0 (zero).
To fix this problem, I am suggesting the following code. The modified code doesn't depend on the sequence of processes.

I attached the modified version.

Best regards,
Woo.
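As an added illustration (this is not code from the book and not the attachment the e-mail refers to, which the page does not include), the C program below simulates the process-hiding walk over a constructed, simplified SYSTEM_PROCESS_INFORMATION list. The field names NextEntryDelta, UserTime, KernelTime and ProcessName.Buffer follow the Windows structure, but the reduced record layout, the hypothetical functions hide_processes, build_sample and walk, and the sample process names are this example's own. With credit_in_loop set to 1 the code credits the Idle record at the moment it is visited, which is the order-dependent behaviour the e-mail points out: when Idle comes first, the accumulators are still zero and the hidden processes' time is lost. With credit_in_loop set to 0 the accumulated time is credited to Idle once after the whole walk, which is the sequence-independent approach the e-mail proposes.

```c
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>

/* Simplified stand-in for the SYSTEM_PROCESS_INFORMATION records returned by
 * NtQuerySystemInformation(SystemProcessInformation): byte offset to the next
 * record (0 ends the list), CPU times, and a name buffer that is NULL for the
 * Idle process. The real structure has many more fields; this one is reduced. */
typedef struct {
    uint32_t       NextEntryDelta;
    int64_t        UserTime;     /* stands in for UserTime.QuadPart */
    int64_t        KernelTime;   /* stands in for KernelTime.QuadPart */
    const wchar_t *NameBuffer;   /* stands in for ProcessName.Buffer */
} ProcInfo;

static int is_hidden(const ProcInfo *p)
{
    return p->NameBuffer && wcsncmp(p->NameBuffer, L"_root_", 6) == 0;
}

/* Unlink every _root_* record from the list at *head and move its CPU time onto
 * the Idle record. credit_in_loop=1 credits Idle when its record is visited (the
 * order-dependent behaviour the e-mail describes); credit_in_loop=0 credits Idle
 * once after the whole walk, no matter where Idle sits. Returns records hidden. */
static int hide_processes(char **head, int credit_in_loop)
{
    int64_t user = 0, kernel = 0;
    ProcInfo *prev = NULL, *idle = NULL;
    int hidden = 0;
    for (char *curr = *head; curr; ) {
        ProcInfo *p = (ProcInfo *)curr;
        char *next = p->NextEntryDelta ? curr + p->NextEntryDelta : NULL;
        if (is_hidden(p)) {
            user += p->UserTime;  kernel += p->KernelTime;  hidden++;
            if (prev)   /* splice: prev's delta now reaches past curr */
                prev->NextEntryDelta = p->NextEntryDelta ? prev->NextEntryDelta + p->NextEntryDelta : 0;
            else        /* hidden record is first: move the head */
                *head = next;
        } else {
            if (p->NameBuffer == NULL) {
                idle = p;
                if (credit_in_loop) {   /* if Idle comes first, both sums are still 0 */
                    p->UserTime += user;  p->KernelTime += kernel;
                    user = kernel = 0;
                }
            }
            prev = p;
        }
        curr = next;
    }
    if (!credit_in_loop && idle) {     /* the order-independent fix */
        idle->UserTime += user;  idle->KernelTime += kernel;
    }
    return hidden;
}

/* Constructed sample (not captured from a real system). Idle is FIRST, the
 * order the e-mail asks about, with hidden records after it. */
#define SAMPLE_COUNT 4
static ProcInfo g_sample[SAMPLE_COUNT];

static char *build_sample(void)
{
    static const struct { const wchar_t *name; int64_t u, k; } rows[SAMPLE_COUNT] = {
        { NULL,              1000, 9000 },  /* Idle: NULL name, as in the real list */
        { L"_root_evil.exe",  300,  200 },
        { L"explorer.exe",    400,  100 },
        { L"_root_keylog.exe", 50,   25 },
    };
    for (int i = 0; i < SAMPLE_COUNT; i++) {
        g_sample[i].NextEntryDelta = (i + 1 < SAMPLE_COUNT) ? (uint32_t)sizeof(ProcInfo) : 0;
        g_sample[i].UserTime   = rows[i].u;
        g_sample[i].KernelTime = rows[i].k;
        g_sample[i].NameBuffer = rows[i].name;
    }
    return (char *)g_sample;
}

/* Walk the visible list: returns the record count and, via *total, the summed
 * user+kernel time. A correct fix leaves *total unchanged by hiding. */
static int walk(const char *head, int64_t *total)
{
    int n = 0;
    *total = 0;
    for (; head; n++) {
        const ProcInfo *p = (const ProcInfo *)head;
        *total += p->UserTime + p->KernelTime;
        head = p->NextEntryDelta ? head + p->NextEntryDelta : NULL;
    }
    return n;
}

int main(void)
{
    for (int in_loop = 1; in_loop >= 0; in_loop--) {
        char *head = build_sample();
        int64_t before, after;
        walk(head, &before);
        int n = hide_processes(&head, in_loop), left = walk(head, &after);
        printf("%s hid %d, %d visible, total %lld -> %lld\n", in_loop ? "in loop:   " : "after walk:",
               n, left, (long long)before, (long long)after);
    }
    return 0;
}
```

Build with a C99 compiler and run it: in the constructed Idle-first order, only the after-walk mode conserves the total of user plus kernel time across the visible records, which is the invariant the book's time fix-up is meant to preserve.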