  An ironic development (Message 51 to 60 of 60)  
From: Orchid Win7 v1
Subject: Re: An ironic development
Date: 1 Nov 2012 17:30:45
Message: <5092ea05$1@news.povray.org>
On 01/11/2012 08:13 PM, Urs Holzer wrote:
> Some of them actually write something into the gap behind the master
> boot record.

Surely you can't actually do that in a protected-mode operating system. 
(I.e., anything less ancient than Windows NT, circa 1993.)



From: clipka
Subject: Re: An ironic development
Date: 1 Nov 2012 17:45:46
Message: <5092ed8a@news.povray.org>
On 01.11.2012 22:30, Orchid Win7 v1 wrote:
> On 01/11/2012 08:13 PM, Urs Holzer wrote:
>> Some of them actually write something into the gap behind the master
>> boot record.
>
> Surely you can't actually do that in a protected-mode operating system.
> (I.e., anything less ancient than Windows NT, circa 1993.)

Protected mode doesn't automatically protect your hard drive. I very 
much suspect that everything up to (and including) Windows XP can be 
coaxed into messing with the hard drive at sector level without too much 
effort.

(Oh, and by the way, protected mode has been in use ever since Windows 3.1.)

Antivirus software should protest at such an event though.


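Added example, not part of the original thread: the "gap behind the master boot record" discussed above is the run of sectors between sector 0 and the first partition, and a defender can audit it offline from a disk image. The sketch below parses the MBR partition table, lists non-zero sectors in that gap and hashes the region for comparison with a baseline; the image, the partition start at LBA 63 and the marker bytes are constructed sample data.

```python
import hashlib
import struct

SECTOR = 512

def parse_mbr(sector0: bytes):
    """Return [(type, start_lba, sector_count)] for the used primary entries."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]                                  # partition type byte
        start, count = struct.unpack_from("<II", entry, 8)  # LBA start, length
        if ptype != 0 and count != 0:
            parts.append((ptype, start, count))
    return parts

def audit_gap(image: bytes):
    """Inspect the sectors between the MBR and the first partition."""
    parts = parse_mbr(image[:SECTOR])
    if not parts:
        raise ValueError("no partitions defined")
    first = min(start for _, start, _ in parts)
    gap = image[SECTOR: first * SECTOR]
    used = [lba for lba in range(1, first)
            if any(image[lba * SECTOR:(lba + 1) * SECTOR])]
    return {"first_partition_lba": first, "nonzero_lbas": used,
            "sha256": hashlib.sha256(gap).hexdigest()}

def make_image(first_lba=63, total=80):
    """Constructed sample: zero-filled disk image with one partition entry."""
    img = bytearray(total * SECTOR)
    entry = bytearray(16)
    entry[4] = 0x07                                       # sample type byte
    struct.pack_into("<II", entry, 8, first_lba, total - first_lba)
    img[446:462] = entry
    img[510:512] = b"\x55\xaa"
    return img

if __name__ == "__main__":
    clean, modified = make_image(), make_image()
    modified[5 * SECTOR: 5 * SECTOR + 4] = b"\xde\xad\xbe\xef"  # constructed marker
    print(audit_gap(bytes(clean))["nonzero_lbas"])
    print(audit_gap(bytes(modified))["nonzero_lbas"])
```

Some boot loaders legitimately keep code in this gap, so a non-zero sector is a reason to compare the hash against a known-good baseline, not proof of tampering.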

From: scott
Subject: Re: An ironic development
Date: 2 Nov 2012 04:10:33
Message: <50937ff9$1@news.povray.org>
On Thu 01/11/12 21:30, Orchid Win7 v1 wrote:
> On 01/11/2012 08:13 PM, Urs Holzer wrote:
>> Some of them actually write something into the gap behind the master
>> boot record.
>
> Surely you can't actually do that in a protected-mode operating system.
> (I.e., anything less ancient than Windows NT, circa 1993.)

Surely you shouldn't be able to install a rootkit from an audio CD 
without the user knowing :-)



From: Jim Henderson
Subject: Re: An ironic development
Date: 2 Nov 2012 12:02:42
Message: <5093eea2$1@news.povray.org>
On Thu, 01 Nov 2012 21:30:53 +0000, Orchid Win7 v1 wrote:

> On 01/11/2012 08:13 PM, Urs Holzer wrote:
>> Some of them actually write something into the gap behind the master
>> boot record.
> 
> Surely you can't actually do that in a protected-mode operating system.
> (I.e., anything less ancient than Windows NT, circa 1993.)

Protected mode operating systems don't have anything to do with 
preventing I/O operations from happening....

Jim



From: Patrick Elliott
Subject: Re: An ironic development
Date: 2 Nov 2012 23:00:58
Message: <509488ea$1@news.povray.org>
On 11/1/2012 2:30 PM, Orchid Win7 v1 wrote:
> On 01/11/2012 08:13 PM, Urs Holzer wrote:
>> Some of them actually write something into the gap behind the master
>> boot record.
>
> Surely you can't actually do that in a protected-mode operating system.
> (I.e., anything less ancient than Windows NT, circa 1993.)
Step #1: Get a thumb drive with one of those stupid utilities that can 
secure/format your thumb drive.
Step #2: Run the utility.
Step #3: Without closing it, remove the thumb drive.
Step #4: Watch the utility misidentify your main drive as a thumb drive, 
and tell you that it's some crazy drive number, and that it needs to be 
formatted.
Step #5: Actually make the stupid mistake of doing this.

Watch the system start generating messes of errors, and when you reboot, 
discover that your partition table, boot loader, and MBR are all hosed, 
and somehow this has monkeyed with the OS badly enough that you also 
can't use the install disk for it, to get into the OS, and repair the 
MBR. Heck, I found a utility to recover the partitions, so, in theory, I 
can get all the files off, but even Linux doesn't seem to want to let me 
fix the MBR on the thing now (it keeps complaining that it's the wrong 
type, or something, so.. guessing something is marked in there, which 
prevents it being mounted in a way that will allow you to write to it 
correctly, to fix the problem).

So, yeah, all the stuff intended to prevent more general access issues, 
does jack all to prevent malicious disk writes. :p



From: Orchid Win7 v1
Subject: Re: An ironic development
Date: 3 Nov 2012 05:32:41
Message: <5094e4b9$1@news.povray.org>
>> Surely you can't actually do that in a protected-mode operating system.
>> (I.e., anything less ancient than Windows NT, circa 1993.)
>
> Surely you shouldn't be able to install a rootkit from an audio CD
> without the user knowing :-)

Ah.

I haven't personally tested this, but I *presume* it's only possible for 
administrative users to do this. Unfortunately, Windows XP lets you run 
with full admin privileges by default. I'd imagine that a limited user 
wouldn't be able to do this.

Then again, I haven't checked...



From: Orchid Win7 v1
Subject: Re: An ironic development
Date: 3 Nov 2012 05:34:16
Message: <5094e518$1@news.povray.org>
>> Surely you can't actually do that in a protected-mode operating system.
>> (I.e., anything less ancient than Windows NT, circa 1993.)
>
> Protected mode operating systems don't have anything to do with
> preventing I/O operations from happening....

Yes it does.

It means your program can't just casually access the underlying hardware 
directly. It has to convince the OS to do that for you. (Or install 
itself as a device driver - which again requires convincing the OS.)

So, yes, if it's a protected mode OS, you can't just hit the metal 
directly. Whether the OS will refuse to do the operation on your behalf 
is still up for debate, however... :-(



From: Le Forgeron
Subject: Re: An ironic development
Date: 3 Nov 2012 05:46:18
Message: <5094e7ea$1@news.povray.org>
On 03/11/2012 10:34, Orchid Win7 v1 wrote:
> (Or install itself as a device driver - which again requires convincing
> the OS.)

Until recently, and even now, a driver did not have to be signed to be
installed on a 32-bit Windows system (everyone praise the backward
compatibility). Same goes for installing a service.
So, convincing the OS is pretty easy.
64-bit Windows is harder, but until recently it was not mainstream.
(and service installation is still less secure than driver)



From: Orchid Win7 v1
Subject: Re: An ironic development
Date: 3 Nov 2012 05:47:57
Message: <5094e84d$1@news.povray.org>
On 03/11/2012 09:46 AM, Le_Forgeron wrote:
> On 03/11/2012 10:34, Orchid Win7 v1 wrote:
>> (Or install itself as a device driver - which again requires convincing
>> the OS.)
>
> Until recently, and even now, a driver did not have to be signed to be
> installed on a 32-bit Windows system (everyone praise the backward
> compatibility). Same goes for installing a service.
> So, convincing the OS is pretty easy.

Doesn't it pop up a warning telling you the driver is unsigned though? 
Or is there some way to turn that off? (I imagine there are still plenty 
of users who would just click "OK" anyway, of course...)



From: Jim Henderson
Subject: Re: An ironic development
Date: 5 Nov 2012 20:36:54
Message: <509869b6@news.povray.org>
On Sat, 03 Nov 2012 09:34:25 +0000, Orchid Win7 v1 wrote:

>>> Surely you can't actually do that in a protected-mode operating
>>> system.
>>> (I.e., anything less ancient than Windows NT, circa 1993.)
>>
>> Protected mode operating systems don't have anything to do with
>> preventing I/O operations from happening....
> 
> Yes it does.

https://en.wikipedia.org/wiki/Protected_mode

Drivers run in ring 0.  If you access a driver, you can access hardware 
directly in real mode.  Protected mode has to do primarily with 
preventing programs from accessing each others' memory.

> It means your program can't just casually access the underlying hardware
> directly. It has to convince the OS to do that for you. (Or install
> itself as a device driver - which again requires convincing the OS.)
> 
> So, yes, if it's a protected mode OS, you can't just hit the metal
> directly. Whether the OS will refuse to do the operation on your behalf
> is still up for debate, however... :-(

True.

Jim



Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.