GordonFreeman

Can a .sys file have dangerous code

5 posts in this topic

#1 ·  Posted

I want to know if a .sys file can have dangerous code that will steal my information and send it via the internet.

I think a .sys file itself cannot access the internet, but is it possible that an "infected" .sys file accesses the internet through another file and steals my information?

P.S.: my English is rusty.

Well, thanks in advance!

#2 ·  Posted

idk if there is anything in the wild that exfiltrates via this method, nor am I seeing any use-after-free ops.

However, there are a metric shit ton of ways to BSOD and affect availability, and they do store functions, so I would certainly give them a non-zero chance.

#3 ·  Posted

I cannot think of much that can't have dangerous code nowadays, tbh. When I did my latest round of C|EH, we were hiding malicious code in the white space of text documents, embedding code into .jpg files, single-pixel exploits on web pages, etc.

In short, if you aren't 100% sure of the source and authenticity of the file, never say never.

#4 ·  Posted

Well, I installed a game for my cousin and I got an error when launching it, so I searched on Google and it told me to replace this file to make it work. I replaced it and the game works; the (new) file is smaller than the original file. I scanned on VirusTotal and got (0/All) for the original file and (1/All) for the modified file. Probably a false positive, but is there a way to check more deeply (with only the basic knowledge of the area that I have)?

And I also think there's no effect from blocking a .sys file in Windows Firewall, right?

Thanks in advance!

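The "check more deeply" question above has a practical first step that the thread does not spell out: compare the original and replacement .sys files on size, SHA-256 hash, Authenticode signature and version resource, then see whether a driver with that name is actually loaded. The PowerShell below is an added example written for this page, not code from any poster; the two file paths are hypothetical placeholders for the backup of the original file and the downloaded replacement.

```powershell
# Added example (not from the thread): triage a replaced .sys file on Windows.
# Assumption: the untouched copy was saved under the first path, the replacement
# sits at the second. Both paths are placeholders.
$Original = 'C:\Game\backup\driver.sys.orig'
$Replaced = 'C:\Game\driver.sys'

function Get-SysTriage {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path   # Valid / NotSigned / HashMismatch ...
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    [pscustomobject]@{
        File        = $item.Name
        SizeBytes   = $item.Length
        SHA256      = $hash.Hash
        SigStatus   = $sig.Status
        Signer      = $sig.SignerCertificate.Subject   # null when the file is unsigned
        FileVersion = $item.VersionInfo.FileVersion
        Company     = $item.VersionInfo.CompanyName
    }
}

$o = Get-SysTriage -Path $Original
$r = Get-SysTriage -Path $Replaced
$o, $r | Format-List

# A driver the game ships should carry a valid signature; a patched copy
# normally shows HashMismatch (bytes changed after signing) or NotSigned.
if ($r.SigStatus -ne 'Valid') {
    Write-Warning "Replacement signature status: $($r.SigStatus). Treat it as untrusted."
}
if ($o.Signer -and $r.Signer -and $o.Signer -ne $r.Signer) {
    Write-Warning "Signer changed: '$($o.Signer)' -> '$($r.Signer)'"
}

# Is a kernel driver with that file name currently loaded?
# driverquery /v includes the on-disk Path column for each loaded driver.
$leaf   = Split-Path -Leaf $Replaced
$loaded = driverquery /v /fo csv | ConvertFrom-Csv |
    Where-Object { $_.Path -and ((Split-Path -Leaf $_.Path) -ieq $leaf) }
if ($loaded) {
    $loaded | Select-Object 'Module Name', 'Display Name', State, Path
} else {
    "No loaded kernel driver named $leaf (the file may not be a driver at all)."
}

# The SHA256 values can be pasted into VirusTotal's search box to pull the
# existing reports for both files without uploading them again.
```

Two things this tells you that the detection count alone does not. First, a signature status other than Valid on the replacement, or a different signer than the original, is a much stronger signal than a 1/N VirusTotal hit, because a legitimately repackaged driver from the vendor keeps its signature. Second, 64-bit Windows refuses to load kernel-mode drivers that are not properly signed, so if the replacement is unsigned yet the game "works", the file is probably not being loaded as a driver at all, which changes what the firewall question even means: Windows Firewall program rules match user-mode processes by image path, and a real kernel driver is not a process, so a rule keyed to the .sys path has nothing to match.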
#5 ·  Posted (edited)

Also be mindful that there are files where the extension does not technically matter. If I rename my .hta payload to .sys, it's still going to fire as long as the MIME type is "application/hta".

edit: this may tread the line of being non-AutoIt and aiding circumvention; understood if it has to disappear.

Edited by iamtheky
