[funsec] Administrator Accounts

Matthew Murphy mattmurphy at kc.rr.com
Thu Feb 23 11:12:09 CST 2006

James Kehl wrote:
[snip]
> For instance, check out the Win64 file system redirector - needed because
> somehow System32 is now the province of 64-bit DLLs. Funny, I would have
> thought those would really suit a System64 directory...
> 
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/win64/win64/file_system_redirector.asp
> 
> (Sounds like Win64's got a built-in rootkit! 32-bit virus scanners? Why
> on earth would they want to see the filesystem as it really is?)

Let's be careful not to start throwing around the term "rootkit" for
everything that hooks into the system -- the purpose of a rootkit is
stealth.  At best, this technology is rootkit-like.

First of all, why you'd run a 32-bit virus scanner on a 64-bit OS is
beyond me.  There's no support for the on-access component of that type
of scanner -- typically a kernel-mode driver -- so you'd be lacking a
key component of their protection.

Secondly, there's an exposed API to shut it off if for some reason you
want to be able to run a 32-bit on-demand virus scanner.  It's called
Wow64DisableWow64FsRedirection().

Thirdly, thunking will make a 32-bit AV rather slow on the x64, if it
works at all.  AV scanners tend to make some pretty deep assumptions
about how the system works, so they may not even run in the "fake"
32-bit environment of an x64.

-- 
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein
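The redirector and the Wow64DisableWow64FsRedirection() switch the reply mentions, shown as an added example (this is not code from the thread or from Microsoft). It reads the PE machine type of the same System32\kernel32.dll path with redirection on and then off, which is the check a 32-bit on-demand scanner would need to confirm it is looking at the real 64-bit file rather than the SysWOW64 copy. Assumes 64-bit Windows and a 32-bit PowerShell host (%windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe); the function names are my own.

```powershell
# Added example, not from the funsec thread. Demonstrates what the WOW64 file
# system redirector does to a 32-bit process and how the
# Wow64DisableWow64FsRedirection / Wow64RevertWow64FsRedirection pair exposes
# the real System32 for the duration of a read. Run from 32-bit PowerShell on
# 64-bit Windows; in a native 64-bit process the disable call simply fails.
Add-Type -Namespace Wow64 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool Wow64DisableWow64FsRedirection(out IntPtr oldValue);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool Wow64RevertWow64FsRedirection(IntPtr oldValue);
'@

function Get-PeMachine {
    # Reads IMAGE_FILE_HEADER.Machine: 0x014C = i386, 0x8664 = x64.
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        [void]$fs.Seek(0x3C, 'Begin')              # IMAGE_DOS_HEADER.e_lfanew
        $peOffset = $br.ReadUInt32()
        [void]$fs.Seek($peOffset + 4, 'Begin')     # skip the "PE\0\0" signature
        return $br.ReadUInt16()
    } finally { $fs.Dispose() }
}

function Compare-System32Views {
    # The same path, inspected with redirection on and then off. A 32-bit
    # scanner that never turns redirection off only ever sees the SysWOW64 copy.
    $target = Join-Path $env:windir 'System32\kernel32.dll'
    $view = [ordered]@{
        Is32BitProcess = ([IntPtr]::Size -eq 4)
        UnderWow64     = [bool]$env:PROCESSOR_ARCHITEW6432   # set only for WOW64 processes
        RedirectedView = '0x{0:X4}' -f (Get-PeMachine $target)
        RealView       = 'n/a (not a WOW64 process)'
    }
    $old = [IntPtr]::Zero
    if ([Wow64.Native]::Wow64DisableWow64FsRedirection([ref]$old)) {
        try {
            $view.RealView = '0x{0:X4}' -f (Get-PeMachine $target)
        } finally {
            # Redirection is per-thread and DLL loads can fail while it is off:
            # revert as soon as the file has been read.
            [void][Wow64.Native]::Wow64RevertWow64FsRedirection($old)
        }
    }
    [pscustomobject]$view
}

Compare-System32Views
```

From a 32-bit host the expected result is RedirectedView 0x014C and RealView 0x8664, the two different binaries behind one path that the reply is describing.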
