Kayaker
September 4th, 2007, 18:23
An interesting idea to detect hidden files by a string comparison of VM snapshots:
Find out hidden files comparing VMware’s snapshots
http://zairon.wordpress.com/2007/08/31/find-out-hidden-files-comparing-vmwares-snapshots/
Hope you don't mind me bringing this up here for discussion, Zairon. I'm curious, in the examples you've worked on do you have any idea *where* the exposed strings of hidden files/processes originated from?
Say for example a malware has hidden its driver through some DKOM technique such as unlinking from the PsLoadedModuleList. It's hidden from normal API routines and manual tracing of the linked list of loaded modules. However at some point it still has to load so there may be a rogue string buffer on the heap somewhere that was used by LoadDriver, or perhaps when it was extracted as a resource from an exe file.
I assume that's where some of these "traces" of the hidden file presence come from, various string buffers that haven't yet been purged from memory. That's what makes this technique so clever. Following the prey's spoor like a hunter. I love it!
I wonder if there's a way of mapping the string back to its original location in memory in what would be the active VM?
Regards,
Kayaker
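The snapshot-diffing idea under discussion, as an added example that is not from Zairon's post or the forum thread: extract printable ASCII and UTF-16LE strings from two raw memory images, report the strings that only exist in the later one, and keep the offset of each hit. In a VMware .vmem file that offset is the guest-physical address, which is the first step toward the "mapping back to its original location" Kayaker asks about. The two buffers below are constructed stand-ins for real .vmem files, and the filename keyword filter is a hypothetical heuristic.

```python
import re
from typing import Dict, List, Tuple

MIN_LEN = 6
# Printable ASCII runs, and UTF-16LE runs of printable chars (byte, NUL) of at least MIN_LEN chars
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(buf: bytes) -> Dict[str, List[int]]:
    """Map every ASCII / UTF-16LE string in buf to the offsets where it occurs."""
    found: Dict[str, List[int]] = {}
    for m in ASCII_RE.finditer(buf):
        found.setdefault(m.group().decode("ascii"), []).append(m.start())
    for m in UTF16_RE.finditer(buf):
        found.setdefault(m.group().decode("utf-16-le"), []).append(m.start())
    return found


def diff_snapshots(before: bytes, after: bytes) -> List[Tuple[str, List[int]]]:
    """Strings present in `after` but absent from `before`, with offsets into `after`.

    For a .vmem image the offset is the guest-physical address of the string."""
    base = extract_strings(before)
    new = extract_strings(after)
    return sorted((s, offs) for s, offs in new.items() if s not in base)


def suspicious(diff: List[Tuple[str, List[int]]],
               keywords=(".sys", ".dll", ".exe", "\\drivers\\")) -> List[Tuple[str, List[int]]]:
    """Hypothetical triage filter: keep new strings that look like module or driver paths."""
    return [(s, o) for s, o in diff if any(k.lower() in s.lower() for k in keywords)]


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed stand-ins for two .vmem dumps (not real memory)."""
    before = (b"\x00" * 32 + b"C:\\WINDOWS\\system32\\ntoskrnl.exe" + b"\x00" * 8
              + "kernel32.dll".encode("utf-16-le") + b"\x00" * 32)
    # The later snapshot keeps everything and adds the buffers a driver load left behind
    after = (before + b"\xde\xad" * 8
             + b"C:\\WINDOWS\\system32\\drivers\\hidden.sys" + b"\x00" * 4
             + "\\??\\C:\\hidden.sys".encode("utf-16-le") + b"\x00" * 16
             + b"heap-garbage-0x1234")
    return before, after


if __name__ == "__main__":
    snap1, snap2 = build_sample()  # replace with open(path, "rb").read() on two .vmem files
    for s, offs in suspicious(diff_snapshots(snap1, snap2)):
        print(f"{s!r} at physical offsets {[hex(o) for o in offs]}")
```

The full diff is noisy on a real image; the filter narrows it to path-like strings, and the retained offsets can then be looked up in the running VM's debugger to see which pool or heap allocation still holds them.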