Kevin Koltzau wrote:
GINA runs on a completely dedicated, secure window station. There are 2 such window stations: the one displayed at login (which is also the one shown when you hit Ctrl-Alt-Del), and the other used by the screen saver. The only windows that can be displayed on these are generated by the Messenger service, which simply displays a popup window on the current window station that is attached to user input.
At a demo in Black Hat Windows 2001, in Las Vegas, a guy from the rootkit project was demoing their stuff. Amazing stuff.
One of the things he was demoing was fresh out of the oven: a kernel-mode rootkit launching a user-mode process. They were taking another process and copying its process information for their newly created process. He was running cmd, IIRC.
The thing is, he was demoing how he was telnetting (to a fake IP), and issued a command to run CMD, and nothing happened. And the guy says "oh well, I said it was experimental".
Then, a couple of minutes later, the guy presses CTRL+ALT+DEL for an unrelated reason, and guess what? There is his CMD Window, functional and all. They were cloning the information of the wrong Win32 process.
Not entirely relevant, and obviously once you're in kernel mode, you can do anything. Still, that's where my info comes from. Sorry about the distraction. Just thought you may enjoy the story.
Shachar

P.S. http://www.rootkit.com, in case anyone is interested.
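For anyone who wants to see the window station and desktop layout discussed above on a live machine, here is an added example (my own, not code from either poster or from rootkit.com). It P/Invokes the user32 enumeration calls from PowerShell and lists every window station the caller is allowed to open, together with the desktops inside it. The class name WinSta and the helper Enumerate are my own names; the output assumes an interactive session, where you would expect to see WinSta0\Default and WinSta0\Winlogon (the latter is where the login and Ctrl-Alt-Del UI lives). Non-interactive service window stations will usually show up as "no access" rather than being listed, which is handled below.

```powershell
# Added example: enumerate window stations and their desktops via user32.
# Requires an interactive Windows session; run as the logged-on user.
Add-Type -TypeDefinition @"
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class WinSta   // name chosen for this example
{
    // Callbacks receive wide strings because we bind to the W entry points.
    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode)]
    public delegate bool EnumWindowStationProc(string name, IntPtr lParam);
    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode)]
    public delegate bool EnumDesktopProc(string name, IntPtr lParam);

    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool EnumWindowStations(EnumWindowStationProc proc, IntPtr lParam);

    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern IntPtr OpenWindowStation(string name, bool inherit, uint access);

    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool EnumDesktops(IntPtr hWinSta, EnumDesktopProc proc, IntPtr lParam);

    [DllImport("user32.dll", SetLastError = true)]
    static extern bool CloseWindowStation(IntPtr hWinSta);

    // Only the right needed to list desktops; no window station write access.
    const uint WINSTA_ENUMDESKTOPS = 0x0001;

    public static List<string> Enumerate()
    {
        var result = new List<string>();
        EnumWindowStations((ws, lp) =>
        {
            IntPtr h = OpenWindowStation(ws, false, WINSTA_ENUMDESKTOPS);
            if (h == IntPtr.Zero)
            {
                // Typical for Service-0x0-...$ stations owned by other logon sessions.
                result.Add(ws + "\\<no WINSTA_ENUMDESKTOPS access, error " +
                           Marshal.GetLastWin32Error() + ">");
                return true;   // keep enumerating
            }
            EnumDesktops(h, (d, lp2) => { result.Add(ws + "\\" + d); return true; }, IntPtr.Zero);
            CloseWindowStation(h);
            return true;
        }, IntPtr.Zero);
        return result;
    }
}
"@

# Print one "WindowStation\Desktop" line per entry, e.g. WinSta0\Winlogon.
[WinSta]::Enumerate() | ForEach-Object { $_ }
```

The point to take from the output is that the secure login UI is a separate desktop object inside WinSta0 rather than a separate window station, and that access to it is gated by the object's DACL: a process running in the Default desktop cannot create windows on Winlogon without a handle that grants the corresponding desktop rights, which is exactly why a kernel-mode component that clones the wrong process's desktop handle ends up showing its window in the "wrong" place, as in the story above.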