Fantastik
11-05-2002, 10:07 AM
Let me preface this by saying I'm an experienced unix programmer, but have NO windows experience.
Ok, that said, after analyzing code for a sniffer, I can get around the following problems:
1) Process name
2) Process Fingerprint
3) Memory address fingerprint in the sniffer
4) Config files
5) Udp output.
The problem I have is the memory being flagged as read by EQ. I don't know enough about Windows to know the pitfalls here. If I was Sony, this is where I would concentrate detection.
1) How can EQ detect if some of its memory is being read?
2) Can EQ know which process read that memory?
3) If not, then memory optimizers and virus scanners would be setting off alarms left and right? Maybe not virus scanners cause they prolly only scan memory when the program is first run, but memory optimizers?
4) Don't know crap about memory optimizers. No need for them in Linux. Do they just shift paged memory around, or do they scan stuff byte per byte?
5) Shifting memory pages around can't possibly set off any callbacks, etc. cause the OS does it all the time?
6) If so, is it possible to make a small kernel module (don't know what it's called in Windows) to literally watch for the page that the address needed falls into, copy the whole damn page somewhere else, then we can scan that page all we want without any callbacks going off?
7) If so, what would the code look like?