Computer Security - Thinstall installs sans registry entries..subversion?

#1

I posted a link deep within a thread to Sebastian that some of you may
be interested in knowing about.

http://www.thinstall.com/products/examples.php
one of the many stated uses could be:

"Internet Explorer ActiveX Controls Deploy Internet Explorer ActiveX
controls without system registration or installation. This demo shows
how Thinstall allows virtual registration for Macromedia Flash and
Shockwave within the web browser."

Now does this mean you could be sent a little download whilst browsing
that your spyware scanner would not detect because no registry values were altered?

Java, Act-X are effectively programs and are able to change preferences and settings just like MS does when updating you silently, right?

It would take a long time before it was picked up and flagged, right... especially if 'the good guys' were utilizing it? Look how long it took to find the SONY rootkits. They just have to learn by that lesson... to be even more deceptive to avoid being caught. How easy it would be to claim it must have been from mal-ware procured after the puter was purchased.

It is dismaying to what extent choice is being battled!

Warf.

warf

#2

warf wrote:

> I posted a link deep within a thread to Sebastian that some of you may
> be interested in knowing about.
>
> http://www.thinstall.com/products/examples.php
> one of the many stated uses could be:
>
> "Internet Explorer ActiveX Controls Deploy Internet Explorer ActiveX
> controls without system registration or installation. This demo shows
> how Thinstall allows virtual registration for Macromedia Flash and
> Shockwave within the web browser."
>
> Now does this mean you could be sent a little download whilst browsing
> that your spyware scanner would not detect because no registry values were altered?

Yes. But I fail to see the connection to ActiveX. You don't need ActiveX to execute arbitrary code with MSIE.

What it really means is that COM Component registration can be done on HKCU only. Fine that these guys actually noticed that this is possible and a good thing. If this would be adopted widely, we could stop hogging on such tools like RegCap and RegSrvEx.

> Java, Act-X are effectively programs and are able to change preferences
> and settings just like MS does when updating you silently, right?

Not for Java. It's a sandbox.

Sebastian Gottschalk
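
Added example, not part of any post in this thread and not Thinstall code: per-user COM registration as discussed above lives under `HKCU\Software\Classes\CLSID`, and this Python function audits the text of a `reg export HKCU\Software\Classes` dump for such entries, flagging servers in user-writable paths and CLSIDs that also exist machine-wide (the per-user entry takes precedence in the merged `HKCR` view). The sample export, the path heuristic and the function name are constructed for illustration.

```python
import re

# Constructed sample in the text format written by `reg export HKCU\Software\Classes`.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\LocalServer32]
@="\"C:\\Program Files\\Vendor\\app.exe\" /automation"

[HKEY_CURRENT_USER\Software\Classes\.txt]
@="txtfile"
'''

# Per-user COM server keys: HKCU\Software\Classes\CLSID\{guid}\InprocServer32|LocalServer32
KEY_RE = re.compile(r'^\[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\'
                    r'(\{[0-9A-F-]{36}\})\\(InprocServer32|LocalServer32)\]$', re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')  # the key's default value holds the server path
# Assumed heuristic: locations a standard user can normally write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "%appdata%", "%temp%")


def audit_per_user_com(reg_text, machine_clsids=frozenset()):
    """Return per-user COM server registrations with the reasons each deserves review."""
    known = {c.upper() for c in machine_clsids}
    findings, current = [], None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = (key.group(1).upper(), key.group(2))
        elif line.startswith("["):
            current = None  # some other key; ignore its values
        elif current and DEFAULT_RE.match(line):
            # .reg files escape backslashes and quotes inside string values
            server = re.sub(r'\\(.)', r'\1', DEFAULT_RE.match(line).group(1))
            reasons = []
            if any(marker in server.lower() for marker in USER_WRITABLE):
                reasons.append("server in user-writable path")
            if current[0] in known:
                reasons.append("shadows HKLM registration")
            findings.append({"clsid": current[0], "kind": current[1],
                             "server": server, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_per_user_com(SAMPLE_REG, {"{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"}):
        print(f["clsid"], f["kind"], f["server"], f["reasons"] or ["per-user only"])
```

Real `reg export` files are UTF-16 encoded, so decode them accordingly before passing the text in; `machine_clsids` would come from the matching export of `HKLM\Software\Classes\CLSID`.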

#3

warf <> wrote in news:2KOxh.37751$Y6.21528@edtnps89:

> I posted a link deep within a thread to Sebastian that some of you may
> be interested in knowing about.
>
> http://www.thinstall.com/products/examples.php
> one of the many stated uses could be:
>
> "Internet Explorer ActiveX Controls Deploy Internet Explorer ActiveX
> controls without system registration or installation. This demo shows
> how Thinstall allows virtual registration for Macromedia Flash and
> Shockwave within the web browser."

Thinstall does not do "kernel mode" installations.

FWIW Thinstall 3.035 has very recently been posted on the warez scene. Worthwhile downloading (for experimentation only, of course Thinstall is so filthy expensive (and its licencing scheme sucks hard).

My interest in it is quite circumscribed: as an aid in making programs portable (since it virtualizes the registry).

Regards,

nemo_outis

#4

nemo_outis wrote:

> warf <> wrote in news:2KOxh.37751$Y6.21528@edtnps89:
>
>> I posted a link deep within a thread to Sebastian that some of you may
>> be interested in knowing about.
>>
>> http://www.thinstall.com/products/examples.php
>> one of the many stated uses could be:
>>
>> "Internet Explorer ActiveX Controls Deploy Internet Explorer ActiveX
>> controls without system registration or installation. This demo shows
>> how Thinstall allows virtual registration for Macromedia Flash and
>> Shockwave within the web browser."
>
> Thinstall does not do "kernel mode" installations.
>
> FWIW Thinstall 3.035 has very recently been posted on the warez scene.
> Worthwhile downloading (for experimentation only, of course
> Thinstall is so filthy expensive (and its licencing scheme sucks hard).
>
> My interest in it is quite circumscribed: as an aid in making programs
> portable (since it virtualizes the registry).

Maybe I misread the description, but doesn't it basically just do the COM Component Registration in HKCU (thus user-dependent registry)?

Sebastian Gottschalk

#5

Sebastian Gottschalk <> wrote in news:52qco0F1p3b7tU1@mid.dfncis.de:

> nemo_outis wrote:
>
>> FWIW Thinstall 3.035 has very recently been posted on the warez scene.
>> Worthwhile downloading (for experimentation only, of course because
>> Thinstall is so filthy expensive (and its licencing scheme sucks hard).
>>
>> My interest in it is quite circumscribed: as an aid in making programs
>> portable (since it virtualizes the registry).
>
> Maybe I misread the description, but doesn't it basically just do the COM
> Component Registration in HKCU (thus user-dependent registry)?

I have not had a chance to work with it yet so I can say nothing authoritative, just give my interpretation of the docs and what others have done with the tool. But my understanding is that it is possible to package a program as a single executable with no registry entries.

FWIW, answers.com says,

"On Windows, Thinstall... essentially work[s] by intercepting filesystem and registry requests by an application and redirecting those requests to a preinstalled isolated sandbox, thus allowing the application to run without installation or changes to the local PC."

....

"Thinstall works by packaging an application into a single EXE which includes the runtime plus the application data files and registry. Thinstall’s runtime is loaded by Windows as a normal Windows application, from there the runtime replaces the Windows loader, filesystem, and registry for the target application and presents a merged image of the host PC as if the application had been previously installed. Thinstall replaces all related API functions for the host application, for example the ReadFile API supplied to the application must pass through Thinstall before it reaches the operating system. If the application is reading a virtual file, Thinstall handles the request itself otherwise the request will be passed on to the operating system.

Because Thinstall is implemented in user-mode without device drivers and it does not have a client that is preinstalled, applications can run directly from USB Flash or network shares without previously needing elevated security privileges."

Incidentally, for those who wish to download an experimental copy of the latest Thinstall (complete with crack) nip on over to:

http://mikicun.blogsome.com/

Regards,

nemo_outis

#6

nemo_outis wrote:

> Sebastian Gottschalk <> wrote in news:52qco0F1p3b7tU1@mid.dfncis.de:
>
>> nemo_outis wrote:
>>
>>> FWIW Thinstall 3.035 has very recently been posted on the warez scene.
>>> Worthwhile downloading (for experimentation only, of course

..........

My reason for the original posting is not yet obviated... but you are getting there: If Thinstall is already Warez then the utility in Malware apps is overtly apparent to more than just a helpless fop trying to ascertain the vagaries of safe cyber surfin like me....... Right?

If the CIA was excited enough by the ability to manipulate software on locked desktops then a little package hitchhiking on a 'legit' app would enable the provider access to ... whatever they wanted on the recipient's puter. This in spite of the security settings I presume.

I am assuming that 'choice' is a beast that must be subverted at any cost because it sure looks to me like there is no end of development to thwart it.

> Incidentally, for those who wish to download an experimental copy of the
> latest Thinstall (complete with crack) nip on over to:
>
> http://mikicun.blogsome.com/

I became aware of it about 6 months ago by using REGEDIT to look for hidden software entries. There was JITIT with "author 0" and no other info available. The only thing I have not RE-downloaded and installed since is WinMX. [p2p software]

So..... the suspicious person in me says "follow the money..." and it points to the RIAA I suspect.

I expect the latest Russian rootkits available for sale are utilizing technology or methodology purloined from thinstall???

I googled the developer of Thinstall ... he is obsessed with copyright protection of media and software. Ironic that his trojan is now Warez... unless that was the plan?

Did I get this all wrong, like "cookies, XML, Java and Javascripts are for my enhanced browsing experience"?

Warf.

> Regards,

warf

#7

warf wrote:

> My reason for the original posting is not yet obviated... but you are
> getting there: If Thinstall is already Warez then the utility in Malware
> apps is overtly apparent to more than just a helpless fop trying to
> ascertain the vagaries of safe cyber surfin like me....... Right?

Wrong. Malware doesn't need any third-party applications to behave in a way that doesn't violate a system's policies. Never did, never will.

> If the CIA was excited enough by the ability to manipulate software on
> locked desktops then a little package hitchhiking on a 'legit' app would
> enable the provider access to ... whatever they wanted on the recipient's
> puter. This in spite of the security settings I presume.

Everything on MSIE is in spite of security settings. Microsoft even documented some of these issues.

> I expect the latest Russian rootkits available for sale are utilizing
> technology or methodology purloined from thinstall???

The latest and best rootkit is Agobot/Gaobot so far. It's Open Source and has a very decent plugin interface with a big load of available plugins.

> Did I get this all wrong, like "cookies, XML, Java and Javascripts are
> for my enhanced browsing experience"?

Java is for Applets. JavaScript is for both useful functions and annoyance. Cookies are for establishing sessions without parameter passing. XML, in case of XHTML, is essential for your browsing experience.

Sebastian Gottschalk

#8

Sebastian Gottschalk wrote:

> warf wrote:
>
>> My reason for the original posting is not yet obviated...

snip....

I was referring to the subterfuge and masquerading apps like thinstall allow. Like for e.g.: WINMX+thinstall

Granted p2p is no longer welcome here, but the illusion of internet anonymity and puter safety/privacy have been the focus of my dis-illusions.

I defer to you for logical and didactic thwarts of stated premise; i.e., most of us non-pro admin types are phuked if we think we own our puters and our information.

Warf... "is there a draft in here or are my pants still down"?

warf