GordonFreeman

Can a .sys file have dangerous code


I want to know if a .sys file can contain dangerous code that will steal my information and send it over the internet.

I think a .sys file by itself cannot access the internet, but is it possible that an "infected" .sys file accesses the internet through another file and steals my information?

P.S.: my English is rusty.

Well, thanks in advance!


idk if there is anything in the wild that exfiltrates via this method, nor am I seeing any use-after-free ops.

However, there are a metric shit ton of ways to BSOD and affect availability, and they do store functions, so I would certainly give them a non-zero chance.


,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)


I cannot think of much that can't have dangerous code nowadays, tbh. When I did my latest round of C|EH, we were hiding malicious code in the white space of text documents, embedding code into jpg files, single-pixel exploits on web pages, etc.

In short, if you aren't 100% sure of the source and authenticity of the file, never say never.


"Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball


Well, I installed a game for my cousin and got an error when launching it, so I searched on Google and a page said to replace this file to make it work. I replaced it and the game works; the (new) file is smaller than the original file. I scanned both on VirusTotal and got 0/All for the original file and 1/All for the modified file. Probably a false positive, but is there a way to check more deeply (with only the basic knowledge of the area that I have)?

And I also think there is no effect from blocking a .sys file in Windows Firewall, right?

Thanks in advance!


Also be mindful that there are files where the extension does not technically matter. If I rename my .hta payload to .sys, it's still going to fire as long as the MIME type is "application/hta".

edit: this may tread the line of being non-AutoIt and aiding circumvention; understood if it has to disappear.

Edited by iamtheky

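As an added example, not code posted in this thread: a small Python triage script for the two questions raised above, how to look at a replacement .sys more deeply than a VirusTotal detection count, and what a non-PE file that was merely renamed to .sys looks like. It reads only the PE headers: whether the file is an MZ/PE image at all, whether its subsystem is IMAGE_SUBSYSTEM_NATIVE and it imports the kernel (ntoskrnl.exe), which kernel networking modules it imports (ndis.sys, netio.sys for Winsock Kernel, fwpkclnt.sys for the Windows Filtering Platform, tdi.sys), whether an Authenticode certificate table is present, and its SHA-256 for a hash lookup. A driver with those imports talks to the network stack from kernel mode rather than through a user-mode program, which is why the import table is the first thing to look at. The sample driver image and the sample HTML text are constructed inline; the module lists are my own choice of what to flag.

```python
"""Offline triage of a Windows .sys file from its PE headers. Added illustration, not the forum's code."""
import hashlib
import struct

IMAGE_SUBSYSTEM_NATIVE = 1            # subsystem value used by kernel-mode drivers
KERNEL_MODULES = {"ntoskrnl.exe", "hal.dll", "wdfldr.sys"}
# Kernel modules exporting networking APIs (NDIS, Winsock Kernel, WFP, TDI); assumed watch-list.
NETWORK_MODULES = {"ndis.sys", "netio.sys", "fwpkclnt.sys", "tdi.sys"}


def parse_pe(data: bytes) -> dict:
    """Minimal PE parser: subsystem, imported module names, certificate table size."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header, file is not a PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature, file is not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                                   # start of the optional header
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    dd = opt + (112 if is64 else 96)                    # data directory array
    import_rva = struct.unpack_from("<II", data, dd + 8 * 1)[0]   # entry 1: import table
    cert_size = struct.unpack_from("<II", data, dd + 8 * 4)[1]    # entry 4: certificate table
    sections = []
    for i in range(nsec):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva: int) -> int:
        for va, size, raw in sections:
            if va <= rva < va + size:
                return raw + (rva - va)
        raise ValueError(f"RVA {rva:#x} lies outside every section")

    imports = []
    if import_rva:
        off = rva_to_offset(import_rva)
        while True:                                     # IMAGE_IMPORT_DESCRIPTOR array, zero-terminated
            name_rva = struct.unpack_from("<IIIII", data, off)[3]
            if name_rva == 0:
                break
            noff = rva_to_offset(name_rva)
            imports.append(data[noff:data.index(b"\0", noff)].decode("ascii", "replace").lower())
            off += 20
    return {"subsystem": subsystem, "imports": imports, "cert_size": cert_size}


def assess(data: bytes, filename: str) -> dict:
    """Combine the parsed facts into a triage record for one file."""
    report = {"filename": filename, "sha256": hashlib.sha256(data).hexdigest()}
    try:
        pe = parse_pe(data)
    except (ValueError, struct.error) as err:
        report["verdict"] = f"extension/content mismatch: {err}"
        return report
    mods = set(pe["imports"])
    report.update(pe)
    report["kernel_driver"] = pe["subsystem"] == IMAGE_SUBSYSTEM_NATIVE and bool(mods & KERNEL_MODULES)
    report["network_imports"] = sorted(mods & NETWORK_MODULES)
    report["signed"] = pe["cert_size"] > 0              # certificate blob present; not verified here
    report["verdict"] = "kernel driver" if report["kernel_driver"] else "PE image, not a native driver"
    return report


def build_sample_driver(imports=("ntoskrnl.exe", "netio.sys")) -> bytes:
    """Constructed, unsigned PE32+ image shaped like a driver: native subsystem plus an import table.
    It holds no code at all; it exists only so the parser has realistic headers to read."""
    sec_rva, sec_off = 0x1000, 0x200
    names = b"".join(n.encode() + b"\0" for n in imports)
    desc_size = 20 * (len(imports) + 1)
    descs, pos = b"", sec_rva + desc_size
    for n in imports:
        descs += struct.pack("<IIIII", 0, 0, 0, pos, 0)  # only the Name RVA matters here
        pos += len(n) + 1
    descs += b"\0" * 20
    section = descs + names
    section += b"\0" * (-len(section) % 0x200)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                             # PE32+ magic
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_NATIVE)
    struct.pack_into("<I", opt, 108, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * 1, sec_rva, desc_size)     # import directory entry
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(section), sec_rva, len(section), sec_off,
                       0, 0, 0, 0, 0x40000040)
    headers = dos + coff + bytes(opt) + sect
    return headers + b"\0" * (sec_off - len(headers)) + section


def build_sample_renamed_hta() -> bytes:
    """Constructed HTML text standing in for a script file that was only renamed to .sys."""
    return b"<html><head><title>not a driver</title></head><body></body></html>\r\n"


if __name__ == "__main__":
    for name, blob in (("replacement.sys", build_sample_driver()), ("renamed.sys", build_sample_renamed_hta())):
        print(assess(blob, name))
```

`signed` only says a certificate table exists; the real check is `signtool verify /v /kp file.sys` or `Get-AuthenticodeSignature` on Windows, and 64-bit Windows refuses to load an unsigned driver unless test signing is enabled. A 0/N score on VirusTotal means no engine flagged the file, nothing more; the hash the script prints is what to look up there, and the import list is what a reviewer would read next.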
