«

"Roger Parks" <> wrote in message
news: ups.com...
> RootkitRevealer, Adinf, and other single-OS integrity checkers compare
> logical I/O from the OS, with physical I/O via the BIOS.

I'm pretty certain RKR compares logical I/O via the OS with physical I/O via
the OS (not BIOS).

In some circumstances physical I/O via the OS might just call the BIOS but
normally this won't be the case.

--

Brian Gregory. (In the UK)

To email me remove the letter vee.

"Brian Gregory [UK]" <> wrote in
news:

> "Roger Parks" <> wrote in message
> news: ups.com...
>> RootkitRevealer, Adinf, and other single-OS integrity checkers
>> compare logical I/O from the OS, with physical I/O via the BIOS.
>
> I'm pretty certain RKR compares logical I/O via the OS with physical
> I/O via the OS (not BIOS).
>
> In some circumstances physical I/O via the OS might just call the BIOS
> but normally this won't be the case.
>


FWIW a new version of Rootkit Revealer (1.70) was released yesterday.

http://www.sysinternals.com/Utilitie...tRevealer.html

Regards,

"nemo_outis" <> wrote in message
news:Xns975FD9AC762CDabcxyzcom@204.153.244.170...
> FWIW a new version of Rootkit Revealer (1.70) was released yesterday.

Thanks.

I'll try it.
I had problems with V1.6.

--

Brian Gregory. (In the UK)

To email me remove the letter vee.

Brian Gregory [UK] wrote:
> "Roger Parks" <> wrote in message
> news: ups.com...
> > RootkitRevealer, Adinf, and other single-OS integrity checkers compare
> > logical I/O from the OS, with physical I/O via the BIOS.
>
> I'm pretty certain RKR compares logical I/O via the OS with physical I/O via
> the OS (not BIOS).
>
> In some circumstances physical I/O via the OS might just call the BIOS but
> normally this won't be the case.
>

IIRC, Adinf directly uses Bios int-13 to get disk data, and does its
own formating (to avoid, as much as possible, the OS), and I (wrongly)
presumed that Russinovich would do the same.

Adinf has been around for a while; could it be that XP blocks pio!? Or
perhaps Russinovich did not want to invest the significant effort into
writing lio routines!?

--
Vista error#4711: TCPA / RIAA / NGSCP VIOLATION: Microsoft optical
mouse detected Linux patterns on mousepad. Partition scan in progress
to remove offending, unapproved products. Request permission, and
apply for a new key to reactivate MS software at www.ms.com

..

nemo_outis wrote:
> "Brian Gregory [UK]" <> wrote in
> news::
>
>
>>"nemo_outis" <> wrote in message
>>news:Xns97586462423ADabcxyzcom@127.0.0.1...
>>
>>>No, the problem is considerably more serious than that. For instance,
>>>if I install a custom rootkit in the BIOS I can, in principle,
>>>completely pass over the input of the key, whether by keyboard, token
>>>or whatever, and sniff the key directly in RAM!
>>
>>Normally once Windows has loaded the BIOS is doing very little, proper
>>drivers designed for a multi-tasking environment take over.
>>
>
>
>
> Yes, the usual sequence is BIOS itself, in-memory image of BIOS, and then
> a handoff to Windows 32-bit drivers, etc. However, a compromised BIOS
> could subvert this handoff leaving itself still hooked in.
>
> Not that it need do so, of course. A compromised BIOS targeting the OTFE
> HD password entered at boottime could have performed its capture and
> stashed the data long before the 32-bit portion of Windows was running. It
> would gracefully relinquish control to Windows well-satisfied with its
> accomplishment
>
> Regards,
>
> PS. Compromising other BIOSs, such as the video BIOS, also remains a
> possibility.
>

I use an ATI All in Wonder 9600 and it has something running called a
BIOS poller. I'll watch cable TV at times on my computer and after
several hours of use it will just quit, most times freezing
everything else in XP that only a reboot will fix. When I reboot,
watching the BIOS post screen, I always see an "[ESD?] Update
Success!," line as if I'd went in and changed the BIOS settings
myself. What could be made of this? I cannot find anything changed
in the BIOS that is available to my access.

Cornpone <> wrote in
news:43e52d06$0$1836$:

....snip...
>> PS. Compromising other BIOSs, such as the video BIOS, also remains
>> a possibility.
>>
>
> I use an ATI All in Wonder 9600 and it has something running called a
> BIOS poller. I'll watch cable TV at times on my computer and after
> several hours of use it will just quit, most times freezing
> everything else in XP that only a reboot will fix. When I reboot,
> watching the BIOS post screen, I always see an "[ESD?] Update
> Success!," line as if I'd went in and changed the BIOS settings
> myself. What could be made of this?


The overwhelming likelihood is that you are the unfortunate victim of the
"ordinary strange **** and bugs" that plague computer systems rather than
of a deliberate compromise of the video BIOS. That is, unless you are
close pals with Osama or chief bookkeeper for the mafia, in which case more
sinister suspicions are not entirely out of place

Regards,


PS To the best of my knowledge, compromises of the video BIOS are, at
this time, a purely theoretical possibility with no known "in the wild"
occurences.

"Roger Parks" <> wrote in message
news: oups.com...
> IIRC, Adinf directly uses Bios int-13 to get disk data, and does its
> own formating (to avoid, as much as possible, the OS), and I (wrongly)
> presumed that Russinovich would do the same.
>
> Adinf has been around for a while; could it be that XP blocks pio!? Or
> perhaps Russinovich did not want to invest the significant effort into
> writing lio routines!?

I would have thought it would be very complicated to do this if Windows was
using a proper driver for the disk I/O (as it normally would be) and not
calling the BIOS itself.

--

Brian Gregory. (In the UK)

To email me remove the letter vee.