Using Windows? The art of process doppelgänging can now be yours no matter your flavour of Windows. Security researchers presented their work at BlackHat, and according to their presentation they are able to circumvent AV detection (another nail in the coffin for those) by using NTFS transactions to write to a file, create a section from the transacted file, and create a process from that section. Afterwards they roll back the transaction, and there is no trace left on disk of what they did.

Even better, apparently this attack is unpatchable, as it “exploits fundamental features and core design of the process loading mechanism in Windows”. It does rely on undocumented functions, which bleepingcomputer counts as a point in the attack's favour. I’d say it’s just a matter of time before this stuff gets documented for those who are interested in it. Since when has “only a few people know about this” ever been a good defense?