GordonFreeman Posted August 31, 2017 Posted August 31, 2017 I want know if can a .sys file have dangerous code that will stole my information and send via internet? I think .sys file itself cannot access internet but are possible that a "infected" .sys file access internet through other file and steal my information? Ps.: my english are rusty Well, thanks in advance! Frabjous Installation
iamtheky Posted August 31, 2017 Posted August 31, 2017 idk if there is anything in the wild that exfiltrates via this method nor am i seeing any use after free ops. However, there a metric shit ton of ways to BSOD and affect availability, and they do store functions, so i would certainly give them a non-zero chance. Xandy 1 ,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-. |(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/ (_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_) | | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) ( | | | | |)| | \ / | | | | | |)| | `--. | |) \ | | `-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_| '-' '-' (__) (__) (_) (__)
Moderators JLogan3o13 Posted August 31, 2017 Moderators Posted August 31, 2017 I cannot think of much that can't have dangerous code nowadays, tbh. When I did my latest round of C|EH, we were hiding malicious code in the white space of a text documents, embedding code into jpg files, single-pixel exploits on web pages, etc. In short, if you aren't 100% sure on the source and authenticity of the file, never say never. Xandy 1 "Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball How to get your question answered on this forum!
GordonFreeman Posted September 1, 2017 Author Posted September 1, 2017 Well i instaled a game for my cousin and i get an error when launch then i searched on google and this tell to replace this file to work, i replaced and game works, the (new) file are small than the original file. I scanned on virustotal and get (0/All) for the original file and (1/All) for the modified file. Probably a false positive, theres a way to check more deeply (Only with basic knowledge in the area that i have)? And i also think theres no effect blocking an sys file in Windows firewall, right? Thanks in advance ! Frabjous Installation
iamtheky Posted September 1, 2017 Posted September 1, 2017 (edited) Also be mindful that there are files where the extension does not technically matter. If I rename my .hta payload to .sys, its still going to fire as long as the MIME type is "application/hta". edit: this may tread a line of being non-autoit and aiding circumvention, understood if it has to disappear. Edited September 1, 2017 by iamtheky ,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-. |(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/ (_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_) | | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) ( | | | | |)| | \ / | | | | | |)| | `--. | |) \ | | `-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_| '-' '-' (__) (__) (_) (__)
RestrictedUser Posted March 4, 2019 Posted March 4, 2019 Yeah, it can be dangerous Some Trojans like Neshta.A loads last infected file by "directx.sys" named file
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now