Lockdown.co.uk - The Home Computer Security Centre

LockDown is the source for security information and resources for the home computer user.


0wning Vista from the boot

Filed under: April 27, 2007

From The Register:

“Just after vbootkit takes control, it hijacks interrupt 13, then searches for the signature of the Vista OS. After detecting Vista, it starts patching Vista, meanwhile hiding itself (in smaller chunks at different memory locations). The patches include bypassing several protections such as the checksum, digital signature verification, etc., and it takes steps to keep itself in control while the boot process continues to phase 2.

Phase 2 includes patching the Vista kernel, so that vbootkit maintains control over the system until the system reboots. Several protection schemes of Vista were analyzed, such as the famous PE header checksum (every Windows EXE contains it) and the digital signature of files.”


Read the full article at The Register
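The quoted passage names the PE header checksum as one of the protections vbootkit patches around. The following is an added example, not code from The Register article or from vbootkit, that recomputes and verifies the CheckSum field using the standard PE checksum algorithm (the one implemented by tools such as pefile) over a constructed, minimal PE-shaped buffer; it assumes a well-formed MZ/PE header with a 4-byte-aligned CheckSum field, as real linkers produce.

```python
import struct

def _checksum_offset(image: bytes) -> int:
    """Offset of IMAGE_OPTIONAL_HEADER.CheckSum (assumes a valid MZ/PE layout)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # 4-byte "PE\0\0" + 20-byte COFF header; CheckSum sits at +64 in both
    # the PE32 and PE32+ optional headers.
    return e_lfanew + 4 + 20 + 64

def pe_checksum(image: bytes) -> int:
    """Recompute the checksum over the whole image, skipping the field itself."""
    skip = _checksum_offset(image) // 4
    padded = image + b"\0" * (-len(image) % 4)   # zero-pad to a dword boundary
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total > 0xFFFFFFFF:                     # fold the carry back in
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)       # fold to 16 bits
    total = total + (total >> 16)
    total &= 0xFFFF
    return total + len(image)                      # final value includes file size

def checksum_matches(image: bytes) -> bool:
    """True when the stored CheckSum field equals the recomputed value."""
    stored = struct.unpack_from("<I", image, _checksum_offset(image))[0]
    return stored == pe_checksum(image)

def with_checksum(image: bytes) -> bytes:
    """Return a copy whose CheckSum field is set to the computed value."""
    buf = bytearray(image)
    struct.pack_into("<I", buf, _checksum_offset(image), pe_checksum(image))
    return bytes(buf)

def build_sample_image() -> bytes:
    """Constructed, minimal PE-shaped buffer for the demo (not a loadable EXE)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (240 = PE32+), Characteristics.
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    optional = bytes(240)                          # CheckSum field left as zero
    return dos + coff + optional + b"some section bytes"
```

Flipping any byte of an image makes `checksum_matches` fail, but `with_checksum` on the tampered copy makes it pass again, which is why the checksum catches corruption rather than deliberate modification and the digital signature, not the checksum, is the control that matters.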