Sign in to follow this  
Followers 0
GordonFreeman

Can a .sys file have dangerous code

5 posts in this topic

I want know if can a .sys file have dangerous code that will stole my information and send via internet?

I think .sys file itself cannot access internet but are possible that a "infected" .sys file access internet through other file and steal my information?

Ps.: my english are rusty

Well, thanks in advance!

Share this post


Link to post
Share on other sites



idk if there is anything in the wild that exfiltrates via this method nor am i seeing any use after free ops.

However, there a metric shit ton of ways to BSOD and affect availability, and they do store functions, so i would certainly give them a non-zero chance.

1 person likes this

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Share this post


Link to post
Share on other sites

I cannot think of much that can't have dangerous code nowadays, tbh. When I did my latest round of C|EH, we were hiding malicious code in the white space of a text documents, embedding code into jpg files, single-pixel exploits on web pages, etc.

In short, if you aren't 100% sure on the source and authenticity of the file, never say never.

1 person likes this

√-1 2^3 ∑ π, and it was delicious!

Share this post


Link to post
Share on other sites

Well i instaled a game for my cousin and i get an error when launch then i searched on google and this tell to replace this file to work, i replaced and game works, the (new) file are small than the original file. I scanned on virustotal and get (0/All) for the original file and (1/All) for the modified file. Probably a false positive, theres a way to check more deeply (Only with basic knowledge in the area that i have)?

 

And i also think theres no effect blocking an sys file in Windows firewall, right?

 

Thanks in advance !

Share this post


Link to post
Share on other sites

#5 ·  Posted (edited)

Also be mindful that there are files where the extension does not technically matter.  If I rename my .hta payload to .sys, its still going to fire as long as the MIME type is "application/hta".

edit: this may tread a line of being non-autoit and aiding circumvention, understood if it has to disappear.

Edited by iamtheky

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0