Re: Does anyone recognize this?
From: nemo_outis (abc_at_xyz.com)
Date: 05/28/05
- Next message: Ziggi: "Problems with Stunnel, Freecap, and Tor"
- Previous message: NonDisputandum.com: "Re: Europe going open source?"
- In reply to: David H. Lipman: "Re: Does anyone recognize this?"
- Next in thread: Ashp: "Re: Does anyone recognize this?"
- Reply: Ashp: "Re: Does anyone recognize this?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 28 May 2005 01:34:32 GMT
Ok, heads up all, including (especially) sysadmins:
I'm going to reveal one of my magician's tricks. And like all magician's
tricks it will seem really simple once you know it (but a deep mystery
otherwise). So don't scoff at its simplicity (I've **never** met a
sysadmin who realized the implications of this, although some were dimly
aware of it in terms of Dell, etc. having a "special" area on the HD).
This method is one of the chief hidey-holes I use for rootkits (but it
can be used to hide a lot of other things). I'm not going to reveal how
to use it for a rootkit, but I am going to disclose the underlying
mechanisms and a magnificent (but dangerous!) tool for dealing with them.
The key buzzword (buzzphrase?) is "host protected area," abbreviated as
HPA.
What is it? It's an area of the HD that is not accessible (or even
detectable) by ordinary operating systems or applications or even by many
low-grade forensic tools. High-grade forensic tools (e.g., Encase) WILL
detect it, however.
In a nutshell, you can send a very-low-level command to an ATA drive to
cause it to permanently (until you change it again) under-report its size
to the BIOS, operating system, etc. The remaining area is inaccessible
by any OS (except using the little-known and less-used direct ATA command
set). Some manufacturers (Dell, Compaq) sometimes use this area and
some Gigabyte motherboards support a variant where they clone a whole
boot partition there!
So, your 32 GB drive reports to any OS (and even the BIOS) that it is,
say, a 31.5 GB drive (you can make the hidden area any size, even a very
large size, but it's unwise to be too greedy). The hidden .5 GB can then
be used to store data (in some cases, rootkit files!).
Now that you know the principle, I'll give you the real gem, the tool to
manipulate this with. (Warning: This tool is very powerful and you can
blitz not just one drive but multiple drives if you mishandle it!)
The tool is MHDD and it is available (free!) at:
Have fun, but be careful - it's easy to trash your drive(s)!
Regards,
PS Now you know why I recommended using manufacturers' low-level
zeroizing software. And that's why I posted this as a followup in this
thread. But be warned: not all manufacturers' zeroizing software will
overwrite the HPA. Use MHDD - but use it carefully!
PPS Some BIOSes now do support the HPA (i.e., make it visible/changeable).
PPPS You can even password-protect the HPA!
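A practical check for the under-reporting the post describes, added here as an example and not part of the original message or of MHDD: on Linux, `hdparm -N /dev/sdX` reads back the drive's current max address alongside its native max, and a current value below the native one is exactly the SET MAX ADDRESS trick at work. The script below parses that report (the input is a constructed sample, not captured from a real machine) and sizes the hidden area. It assumes the hdparm output shape "max sectors = CURRENT/NATIVE, HPA is enabled|disabled" and 512-byte logical sectors; both are assumptions, so confirm the sector size with `hdparm -I` on 4Kn drives.

```python
"""Size a host protected area (HPA) from `hdparm -N` output.

Added example, not from the original post. Assumes the Linux hdparm -N
report format and 512-byte logical sectors (both assumptions).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors; verify with `hdparm -I`

# Constructed sample output (not a real capture): one clean drive, one whose
# current max address was lowered so roughly half a GiB is hidden from the
# OS, and one where the drive answers inconsistently.
SAMPLE_HDPARM_N = """\
/dev/sda:
 max sectors   = 976773168/976773168, HPA is disabled

/dev/sdb:
 max sectors   = 61435344/62533296, HPA is enabled

/dev/sdc:
 max sectors   = 62533296/62533000, HPA setting seems invalid (buggy kernel device driver?)
"""

_DEV_RE = re.compile(r"^(/dev/\S+):\s*$")
# Only the two numbers matter; the status is derived from them, not from the text.
_MAX_RE = re.compile(r"^\s*max sectors\s*=\s*(\d+)/(\d+),\s*HPA\b")


@dataclass
class HpaReport:
    device: str
    current_max: int   # sectors the drive currently reports (what BIOS/OS see)
    native_max: int    # sectors the drive actually addresses (READ NATIVE MAX)
    status: str        # "hidden", "none" or "invalid"

    @property
    def hidden_sectors(self) -> int:
        # Native minus current is the area no ordinary OS read will ever touch.
        return max(self.native_max - self.current_max, 0)

    @property
    def hidden_bytes(self) -> int:
        return self.hidden_sectors * SECTOR_BYTES


def parse_hdparm_n(text: str) -> list[HpaReport]:
    """Parse one or more `hdparm -N` device blocks into HpaReport records."""
    reports: list[HpaReport] = []
    device = None
    for line in text.splitlines():
        m = _DEV_RE.match(line)
        if m:
            device = m.group(1)
            continue
        m = _MAX_RE.match(line)
        if not m or device is None:
            continue
        current, native = int(m.group(1)), int(m.group(2))
        if current > native:
            status = "invalid"   # drive claims more than its native max: distrust it
        elif current < native:
            status = "hidden"    # SET MAX ADDRESS has lowered the visible size
        else:
            status = "none"
        reports.append(HpaReport(device, current, native, status))
        device = None
    return reports


def describe(report: HpaReport) -> str:
    """One-line verdict for an operator or a forensic worksheet."""
    if report.status == "hidden":
        gib = report.hidden_bytes / 2**30
        return (f"{report.device}: HPA present, {report.hidden_sectors} sectors "
                f"({gib:.2f} GiB) invisible to the OS; image the native range")
    if report.status == "invalid":
        return f"{report.device}: current max above native max; re-query before trusting it"
    return f"{report.device}: no HPA (current == native)"


if __name__ == "__main__":
    for r in parse_hdparm_n(SAMPLE_HDPARM_N):
        print(describe(r))
```

The comparison is the whole point: a zeroizing or imaging pass that stops at the current max leaves the native-minus-current sectors untouched, which is why the post warns that not every vendor wipe tool reaches the HPA. Detection only reads; changing the max address (for example with MHDD, or hdparm's write form of -N) is the destructive operation the post cautions about.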