[Code-Crunchers] detecting blue pill and BH challege
Peter Ferrie
pferrie at symantec.com
Mon Jul 2 11:20:29 CDT 2007
>>The problem is: if she is right and she can make it 100% invisible,
>>how will she prove that she indeed installed a rootkit?
>>A 100% invisible rootkit is useless. It's the NULL-rootkit.
>>It's pure math, you cannot win ;-)
>
>Only if you want proof. Then, the rootkit can prove it is there. :)
Right. It can display a message or something, though that proves only that something is running. It might be just a little TSR that displays a message. We would have to trust her on that.
>The one thing that bugs me throughout all of this: this is never 100%.
Which is exactly our claim - it cannot be done 100% in hardware. Software, of course, is another matter entirely, but no-one is even close to that yet.