Author Topic: Prevention of driver dropping/loading...  (Read 7593 times)


October 12, 2007, 01:09:01 pm

sowhat-x

  • Guest
...Until now, I've come across 2 tools that implement something similar...
i.e. stopping "in cold" the dropping/loading of drivers from malware executables...
The first one I think I found via CastleCops' Wiki, not sure about that...
it's called "Samurai", it's released as a freeware semi-standalone tool,
and it uses a driver to do its trick...
http://turbotramp.fre3.com/

The second tool I've found is called "DrvHunter":
it's an open source tool, and once again, it uses a driver to get the work done...
Note though that this tool is written by some Spanish vxers...
http://www.7a69ezine.org/node/52
I've only checked the sources included,
haven't bothered analyzing the precompiled executable/driver any deeper, meaning...
/me knows it's tedious to repeat such warnings... ;-)
"Do NOT run the executable in the above link unless you...blah-blah...what you're doing."
I repeat it/you've been warned... if you still don't get it, in very simple terms:
driver -> kernel access = system pawned.

Now, you might be wondering... why I post this in the Programming section,
instead of, say, the Links section... the reason is that I am interested
in any other kind of similar implementation that you might have encountered,
be it closed-source standalone tools meant for daily use by end-users,
and of course, by far more preferable,
open-source programs/snippets using similar techniques... you get the idea...
And to be honest, I got even more curious
whether anyone knows if this could somehow be done successfully
using a non-driver based implementation...