destro75 opened this issue on Nov 04, 2005 · 65 posts
kuroyume0161 posted Sat, 05 November 2005 at 2:03 AM
Yes, there are services run all over the place. But Rootkits hide themselves from detection, purposely!
Have you read the links provided (especially the sysinternals one)? Yes, it literally modifies the OS kernel.
Rootkits that hide files, directories and Registry keys can either execute in user mode by patching Windows APIs in each process that applications use to access those objects, or in kernel mode by intercepting the associated kernel-mode APIs. A common way to intercept kernel-mode application APIs is to patch the kernel's system service table, a technique that I pioneered with Bryce for Windows back in 1996 when we wrote the first version of Regmon. Every kernel service that's exported for use by Windows applications has a pointer in a table that's indexed with the internal service number Windows assigns to the API. If a driver replaces an entry in the table with a pointer to its own function, then the kernel invokes the driver function any time an application executes the API, and the driver can control the behavior of the API.
The "First 4 Internet" Rootkit used by Sony is a kernel-mode executable. And yes, it installs an executable and hides it from users (all users - except those who have the expertise to detect such things). I believe it is also possible to intercept the installation if you run in a non-Administrator mode, but then who is that stupid? How can you run Windows in anything but Administrator mode (id est: with Administrator privileges)? Unlike MacOS, there is no 'super-user' command to temporarily elevate a user's privileges to administrator.
Message edited on: 11/05/2005 02:05
C makes it easy to shoot yourself in the foot. C++ makes it harder, but when you do, you blow your whole leg off.
-- Bjarne Stroustrup
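Added illustration, not from this post or from Sysinternals: a user-mode simulation of the service table the quoted paragraph describes (pointers indexed by service number), with a patched entry that filters one result, and the two checks a rootkit detector relies on: comparing the live table against a baseline taken from the on-disk kernel image, and a cross-view comparison of the API's answer against the raw data. The service names, numbers and counts are constructed; a real table lives in kernel memory and can only be read or patched from a driver.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for two kernel services, identified by service number. */
typedef int (*service_fn)(void);

/* "Raw" data: the true number of entries in a directory or key (constructed). */
static int raw_entry_count = 5;

static int svc_query_directory(void) { return raw_entry_count; }
static int svc_query_key(void)       { return raw_entry_count; }

enum { SVC_QUERY_DIRECTORY = 0, SVC_QUERY_KEY = 1, NUM_SERVICES = 2 };

/* The live service table indexed by service number, as described in the post. */
static service_fn service_table[NUM_SERVICES] = { svc_query_directory, svc_query_key };

/* Baseline: what the table should contain, as if read from the on-disk kernel image. */
static const service_fn baseline_table[NUM_SERVICES] = { svc_query_directory, svc_query_key };

/* Rootkit-style replacement: answers the same service number but drops one entry. */
static int hook_query_directory(void) { return svc_query_directory() - 1; }

/* Simulates a driver overwriting a table entry (requires kernel mode on a real system). */
static void patch_service(int svc, service_fn fn) { service_table[svc] = fn; }
static void install_hook(void) { patch_service(SVC_QUERY_DIRECTORY, hook_query_directory); }
static void restore_table(void) {
    for (int i = 0; i < NUM_SERVICES; i++) service_table[i] = baseline_table[i];
}

/* Dispatcher: the path an application's API call takes through the table. */
static int call_service(int svc) { return service_table[svc](); }

/* Check 1: table integrity. Returns how many entries differ from the baseline. */
static int count_patched_entries(void) {
    int n = 0;
    for (int i = 0; i < NUM_SERVICES; i++)
        if (service_table[i] != baseline_table[i]) n++;
    return n;
}

/* Check 2: cross-view. Returns 1 if the API's answer disagrees with the raw data. */
static int cross_view_mismatch(int svc) {
    return call_service(svc) != raw_entry_count;
}
```

A clean table passes both checks; after the patch, the integrity check reports one altered entry and the cross-view check flags the directory service while the untouched key service still agrees with the raw count.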