Beefy Boxes and Bandwidth Generously Provided by pair Networks
good chemistry is complicated,
and a little bit messy -LW
 
PerlMonks  

win32-process-hide infected with mal/packer?

by LanX (Canon)
on Feb 02, 2013 at 19:39 UTC ( #1016743=perlquestion: print w/ replies, xml ) Need Help??
LanX has asked for the wisdom of the Perl Monks concerning the following question:

Hi guys

Sorry I'm pretty ignorant about Win and it's parasites ... I'm trying to avoid this OS as much as possible.

Anyway there are occasions where I need to boot Win and so I decided to run a file check with Sophos.

To my surprise while scanning an old instance of mini-cpan it reported Hide_Others.dll in Win32::Process::Hide to be infected with "Mal/Packer" !?!

From my understanding of older discussions of Win32::Process::Hide hiding processes is considered suspicious ... but does that really mean that this DLL is infected?

Maybe a dumb question from a Win viewpoint, but as said, I invested into Linux for the privilege to not having to deal with M$ ... so surely others know better.

Should I care and/or should anyone be informed?

Cheers Rolf

Comment on win32-process-hide infected with mal/packer?
Re: win32-process-hide infected with mal/packer?
by bulk88 (Priest) on Feb 02, 2013 at 20:24 UTC
    Read the description of what the module does. Then ask what would any antivirus maker do?

    edit: after more research the problem is the injected DLL is included as a binary blob, GCC compiled, but that DLL was packed (why???). Ask the author why the DLL isn't built at perl compile/install time. The DLL is intended I guess for injecting into non perl processes, so an XS DLL wouldn't work to inject into a process without an interp.

    edit: it appears not all the code in the DLL is in the included main.c file
      > Read the description of what the module does.

      As mentioned I already did!

      But Mal-Packer seems to be another beast.

      Cheers Rolf

Re: win32-process-hide infected with mal/packer? (nope, but it is malware)
by Anonymous Monk on Feb 02, 2013 at 22:53 UTC
Re: win32-process-hide infected with mal/packer?
by BrowserUk (Pope) on Feb 02, 2013 at 23:06 UTC

    Is this ability, that is exposed by the OS to any language that can dynamically load dlls, and is subject to all the usual fine grained permissions controls the OS offers (ie. You can only hide your own processes; or those you have the explicit rights to access.), really so different from the following which is available on many (most?) variants of *nix, and is documented in the perl docs?

    $PROGRAM_NAME $0

    Contains the name of the program being executed.

    On some (read: not all) operating systems assigning to $0 modifies the argument area that the ps program sees. On some platforms you may have to use special ps options or a different ps to see the changes. Modifying the $0 is more useful as a way of indicating the current program state than it is for hiding the program you're running. (Mnemonic: same as sh and ksh.)


    With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
    Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
    "Science is about questioning the status quo. Questioning authority".
    In the absence of evidence, opinion is indistinguishable from prejudice.
      Sigh, I will certainly not participate in an OS flame!

      I just reported what I saw and asked if anyone more proficient with Win can have a look into it.

      Thats it.

      Cheers Rolf

        I will certainly not participate in an OS flame!

        If my asking a question and quoting the Perl POD constitutes "an OS flame" in your eyes, there's no more to be said.


        With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
        Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
        "Science is about questioning the status quo. Questioning authority".
        In the absence of evidence, opinion is indistinguishable from prejudice.

      really so different from the following which is available on many (most?) variants of *nix, and is documented in the perl docs?

      Yes it is, changing $0 doesn't hide the process from ps -- hiding a process is purely rootkit territory

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://1016743]
Approved by ww
Front-paged by ww
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others scrutinizing the Monastery: (5)
As of 2014-07-31 22:53 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    My favorite superfluous repetitious redundant duplicative phrase is:









    Results (255 votes), past polls