ecko (OP), Junior Member. Joined: Dec 2005. Posts: 5
I've spent the last several days investigating a specific topic and have hit a lot of dead ends. I've been reading a lot of articles and forums at sites such as UGN Sec, Packet Storm Security, and Insecure.org and really have not come up with much. I hope someone can help me; here's what I've been looking for:

As part of a research project I've been investigating how to intercept System Messages. More specifically, I'm looking for a program that can reside in memory outside of the Windows environment while retaining the potential to intercept and alter any messages passed back and forth between Windows and hardware. In essence, it acts like a wrapper, or VMware, with Windows running inside it. (The key is that Windows would be unaware of its existence.)

It's possible something like this at one point existed and is now obsolete, but if anyone's heard of something like this, or anything fairly similar, I'd love to know. Even if it is really old and out-of-date. Thanks in advance.

Community Owner. Joined: Feb 2002. Posts: 7,203. Likes: 11
I'm not sure if it's possible with recent versions of window$ as it's had "dos" eradicated; in older versions (95/98 and prior) you could just embed a program like you're looking for in the autoexec.bat and it'd run like a choo choo...

However in modern versions of window$ I believe that any running applications are purged once windows starts up (thus allowing you to still run programs on startup through autoexec.bat for error testing and stuff like that, but maintaining a secure environment).

What it would look like you'd need after all would be a keylogger of sorts (perhaps something designed to capture strings of data vs just inputted data) which would hide from the task manager (which is technically possible on some level); however, most keyloggers are found by antivirus programmes nowadays, including the little one that Neo and I designed and never really released publicly lol...


UGN Security, Back of the Web, and VNC Web Services Owner
ecko (OP), Junior Member. Joined: Dec 2005. Posts: 5
Thanks for the info, it's been helpful. It does bring me to other questions though.

When a typical Master Boot Record program fires up it gets dumped into memory address 0000:7c00. It then copies itself into address 0000:0600 and then loads the Windows boot partition into address 0000:7c00.

The MBR program at 0000:0600 is about 86 bytes, and the partition table resides at 0000:07be to 0000:07fd. This leaves 226 bytes to play with in the MBR program, (0000:06db to 0000:07bd.) I've 'altered and expanded' the MBR program in the past for specific needs.

So here's my question: When Windows XP, Win Server 2003, etc. boot up they start at 0000:7c00. Does the boot sequence wipe the memory at the lower address spaces, thus stopping my alterations? Also, any 'keylogger' applications running within Windows would be locked out of the 'ctrl+alt+del' login screen. That's why I need something running outside of the Win Environment. Any thoughts?

Thanks in advance. You've been very helpful.
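
Seen from the defender's side, the MBR layout described in the post above (code area first, partition table at sector offset 0x1BE, which is 0000:07be once relocated to 0000:0600) is what a boot-sector integrity check works from. The following is an added example, not part of the original thread: the function names are hypothetical and the sample sector is constructed, not a real disk image.

```python
import hashlib
import struct

SECTOR = 512
PT_OFF = 0x1BE        # partition table: four 16-byte entries, ends at 0x1FD
RELOC_BASE = 0x0600   # address the post says the MBR code copies itself to

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash and its partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        e = sector[PT_OFF + 16 * i: PT_OFF + 16 * (i + 1)]
        lba_start, count = struct.unpack_from("<II", e, 8)
        if e[4]:  # partition type 0 means the slot is unused
            parts.append({"index": i, "active": e[0] == 0x80, "type": e[4],
                          "lba_start": lba_start, "sectors": count})
    code = sector[:PT_OFF]  # everything before the partition table
    return {"code_sha256": hashlib.sha256(code).hexdigest(), "partitions": parts}

def changed_code_ranges(baseline: bytes, current: bytes) -> list:
    """Modified boot-code byte ranges, reported as relocated 0000:06xx offsets."""
    ranges, start = [], None
    for off in range(PT_OFF + 1):  # one extra step closes a range ending at 0x1BD
        differs = off < PT_OFF and baseline[off] != current[off]
        if differs and start is None:
            start = off
        elif not differs and start is not None:
            ranges.append((RELOC_BASE + start, RELOC_BASE + off - 1))
            start = None
    return ranges

def build_sample() -> bytes:
    """Constructed sector: placeholder code bytes, one active type-0x07 partition."""
    s = bytearray(SECTOR)
    s[0:2] = b"\xfa\x33"  # arbitrary placeholder bytes, not real boot code
    s[PT_OFF:PT_OFF + 16] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00",
                                        0x07, b"\xfe\xff\xff", 63, 204800)
    s[0x1FE:0x200] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    base = build_sample()
    cur = bytearray(base)
    cur[0xDB:0xE0] = b"\x90" * 5  # constructed change inside the unused code area
    for lo, hi in changed_code_ranges(base, bytes(cur)):
        print(f"boot code changed at 0000:{lo:04x}-0000:{hi:04x}")
```

Comparing the boot-code hash against a known-good baseline catches changes that leave the partition table and the 0x55AA signature untouched.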

UGN Elite Poster. Joined: Mar 2002. Posts: 1,041
I think that you already hit on a decent way to go about it. Something like VMware or Xen sounds like the way to go. Xen is even open source so you can potentially modify it to dump the info you are looking for.

Quote:
So here's my question: When Windows XP, Win Server 2003, etc boot-up they start at 0000:7c00. Does the boot sequence wipe the memory at the lower address spaces thus stopping my alterations?
I'm a little outta my element here, but I would theorize the way to go about it would be to write a "bootloader" or simple OS that sits there, and then runs windows on top of itself in higher memory addresses... I have no idea if this is even possible.

ecko (OP), Junior Member. Joined: Dec 2005. Posts: 5
Hey, thanks for the information. I've been busy reading through most of the Xen documentation. (I've also been pouring into VMware too.) For what I plan on building, though, these two have a lot of overhead (i.e. they have way too much functionality for what I'm looking for).

I think what I'm going to do is build my own custom VM Application. I'll be referencing a lot of books along with Xen and VMware (withOUT stealing/using their code or intellectual property). So would you happen to know of any other good sources I might look into?

For instance, WinXP on Xen has a cost metric of over 4600 (and growing) lines for the porting commodity. I'd hate to have to discover and deal with each issue one at a time. So I'm looking for anything that could help expedite this process. Got any ideas?

And thanks so much, you both have been very helpful.

UGN Super Poster. Joined: Oct 2002. Posts: 955
To start off, more specifically, what do you mean by systems messages?

There are several applications that can monitor windows behavior inside the operating system, and ways to get around a program showing up in the Task Manager such as using a rootkit method that Sony has recently made headlines with.

Even VMware has a host operating system that it was developed for. I would find the attempt to develop a similar program, let alone one that isn't noticeable to an end user, to be an enormously challenging task.

ecko (OP), Junior Member. Joined: Dec 2005. Posts: 5
By system messages I mean the communication between hardware and the OS, (such as scancodes from the keyboard.) And you're right, taking on that task would be enormous.

Rootkits seem likely but they do run within the OS environment. Maybe I should spend more time looking into them. Basically here's what I've been researching: I'm looking for as many ways theoretically possible (a proof of concept) to capture the "ctrl+alt+del" login sequence for Windows. I don't need to capture keystrokes in a web browser, that's been done to death. Something that runs stealthily would be a nice feature but is not mandatory on all concepts.

If I remember correctly, the login sequence is locked down by Windows so most keyloggers (the ones I looked into and studied) don't work. So, would you have any other possible methods/suggestions/theories of how this capture could be achieved?

Thanks again for your time, and good article about Sony's rootkit too. I remember reading about it back in early Nov.

Community Owner. Joined: Feb 2002. Posts: 7,203. Likes: 11
Completely possible, in PcAnywhere if you hit Control Alt Delete you get a popup "Would you like to execute this command on the local or remote pc?"


ecko (OP), Junior Member. Joined: Dec 2005. Posts: 5
Excellent information, guys. I also found a whitepaper published by eEye, Remote Windows Kernel Exploitation, that I found to be very useful too. Worth checking out.

