Minister promises that Part III is coming
John Brazier
ukcrypto at chiark.greenend.org.uk
Sun, 14 May 2006 11:40:28 +0100
Igor stated:
> Sure - all you need is a loader that fits into one page. Have the loader
> allocate locked memory, load the worm into the locked memory and exec it,
> passing the address of the page that the loader was using. Then have the worm
> write any noise to the page that the loader was using and force a swapout for
> that page. Voila!
> The only difficulty with this method is having to conceal the actual worm so
> that if the loader is ever disassembled, you still won't be able to find the
> actual worm... This might be difficult but I don't think it's impossible.
Alas, under Windows there is no page lock function that truly locks a page
into physical memory - at least none that are documented by Microsoft. You can
lock pages into the process' working set, but the OS can still swap out the
entire working set if it decides to.

Of course, you can disable paging under Windows, but that will require a
reboot (although so many Windows updates require reboots the user probably
wouldn't notice).
JB