In this case, the regulatory board is Microsoft, and there’s nothing telling us (yet) that there isn’t a partnership in which they gave them certification knowing about some of their dirty tricks.
>the Bruteforcing Processes code doesn’t make sense, are Trend Micro developers not aware of enumerating processes via ZwQuerySystemInformation?
As someone whose work involves screwing around with Windows' internal, whenever I see codes like this, I immediately think that the developer doesn't trust Windows' API. I guess that Trend Micro believes there's a chance that ZwQuerySystemInformation has been hooked by a malicious process and its data is unreliable, and they would rather retrieve the information themselves by scanning the memory manually.
So Trend Micro cheats to get Microsoft certified, and my employer then uses Trend Micro virus scanning to get certified for HITRUST. It's turtles all the way down.
In the early screenshot where it shows the directory listing for "%TEMP%\RootKitBuster", three entries jump out (to me) as immediately interesting:
* sqlite3.dll
* scan_db.sql
* DB <-- a folder name
That scan_db.sql is likely full of SQL statements.
And SQLite can have user defined C functions added.
Depending on when those SQL statements are run (just for initial DB creation? during every run? etc), it could be a cheap and easy way to get your code running in a high privilege context. :)
17 comments
[ 2.6 ms ] story [ 56.4 ms ] threadAs someone whose work involves screwing around with Windows' internal, whenever I see codes like this, I immediately think that the developer doesn't trust Windows' API. I guess that Trend Micro believes there's a chance that ZwQuerySystemInformation has been hooked by a malicious process and its data is unreliable, and they would rather retrieve the information themselves by scanning the memory manually.
[1] https://github.com/volatilityfoundation/volatility/wiki/Comm...
A good rootkit would certainly exclude itself from the info returned by ZwQuerySystemInformation
Surely Trend Micro should be penalised in some way by Microsoft?
Oouch!
The comment about the end, about the code looking like Proof of Concept garbage would be in line with that. ;)
And SQLite can have user defined C functions added.
Depending on when those SQL statements are run (just for initial DB creation? during every run? etc), it could be a cheap and easy way to get your code running in a high privilege context. :)