
How to Use Trend Micro's Rootkit Remover to Install a Rootkit - MikusR
https://d4stiny.github.io/How-to-use-Trend-Micro-Rootkit-Remover-to-Install-a-Rootkit/
======
guardiangod
>the Bruteforcing Processes code doesn’t make sense, are Trend Micro
developers not aware of enumerating processes via ZwQuerySystemInformation?

As someone whose work involves screwing around with Windows' internals,
whenever I see code like this, I immediately think that the developer doesn't
trust Windows' API. I guess that Trend Micro believes there's a chance that
ZwQuerySystemInformation has been hooked by a malicious process and its data
is unreliable, and they would rather retrieve the information themselves by
scanning the memory manually.

~~~
dmitrygr
It is a tool to detect rootkits

A good rootkit would certainly exclude itself from the info returned by
ZwQuerySystemInformation

~~~
anotherepisode
That's exactly the reason.

------
MikusR
The main thing is that Trend Micro is basically doing the same thing
Volkswagen did: cheating in tests to get certified.

~~~
codezero
In this case, the regulatory board is Microsoft, and there’s nothing telling
us (yet) that there isn’t a partnership in which they gave them certification
knowing about some of their dirty tricks.

------
yborg
So Trend Micro cheats to get Microsoft certified, and my employer then uses
Trend Micro virus scanning to get certified for HITRUST. It's turtles all the
way down.

------
GordonS
Cheating in a driver qualification test is _not_ a good look.

Surely Trend Micro should be penalised in some way by Microsoft?

------
justinclift
In the early screenshot where it shows the directory listing for
"%TEMP%\RootKitBuster", three entries jump out (to me) as immediately
interesting:

  * sqlite3.dll
  * scan_db.sql
  * DB <-- a folder name

That scan_db.sql is likely full of SQL statements.

And SQLite can have user defined C functions added.

Depending on when those SQL statements are run (just for initial DB creation?
during every run? etc), it could be a cheap and easy way to get your code
running in a high privilege context. :)
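
The concern above is a privileged process executing a SQL script that sits in a user-writable directory. As an added illustration (not code from the article or from Trend Micro's tool), the following Python snippet shows the check a defender would want on the consuming side: run the script with extension loading off and with a SQLite authorizer that vetoes `load_extension()`, `ATTACH`/`DETACH` and `PRAGMA`, so a tampered script cannot pull native code into the process. The two scripts, the table name and the DLL path are constructed for the example; nothing here is the real contents of `scan_db.sql`.

```python
import sqlite3

# Constructed stand-in for a scanner's schema script (not the real scan_db.sql):
# ordinary DDL/DML that a scanner would legitimately run at startup.
BENIGN_SCRIPT = """
CREATE TABLE IF NOT EXISTS scan_result (
    id      INTEGER PRIMARY KEY,
    path    TEXT NOT NULL,
    verdict TEXT NOT NULL
);
INSERT INTO scan_result (path, verdict)
VALUES ('C:\\Windows\\System32\\ntdll.dll', 'clean');
"""

# Constructed tampered variant: same schema, plus an attempt to load native
# code through SQLite's documented load_extension() SQL function.
HOSTILE_SCRIPT = BENIGN_SCRIPT + (
    "SELECT load_extension('<user-writable-dir>\\\\payload.dll');\n"
)

# SQL functions that must never be reachable from a script of untrusted origin.
DENIED_FUNCTIONS = {"load_extension"}
# Authorizer actions that let a script reach outside the current database file.
DENIED_ACTIONS = {sqlite3.SQLITE_ATTACH, sqlite3.SQLITE_DETACH, sqlite3.SQLITE_PRAGMA}


def run_script_guarded(script: str) -> dict:
    """Execute an untrusted SQL script on an in-memory database under an
    authorizer that refuses dangerous functions and actions.

    Returns {"ok": bool, "denied": [what was refused], "error": str | None,
             "tables": [table names present afterwards]}.
    """
    denied = []

    def authorizer(action, arg1, arg2, dbname, source):
        # For SQLITE_FUNCTION, arg2 carries the function name being compiled.
        if action == sqlite3.SQLITE_FUNCTION and arg2 in DENIED_FUNCTIONS:
            denied.append(f"function:{arg2}")
            return sqlite3.SQLITE_DENY
        if action in DENIED_ACTIONS:
            denied.append(f"action:{action}")
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    conn = sqlite3.connect(":memory:")
    try:
        # Extension loading is off by default; keep it that way explicitly.
        # Builds without loadable-extension support lack this method entirely.
        if hasattr(conn, "enable_load_extension"):
            conn.enable_load_extension(False)
        conn.set_authorizer(authorizer)
        try:
            # The authorizer runs at statement-compile time, so a denied
            # statement never executes; earlier statements already have.
            conn.executescript(script)
            error = None
        except sqlite3.Error as exc:
            error = str(exc)
        tables = [row[0] for row in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
        return {"ok": error is None, "denied": denied,
                "error": error, "tables": tables}
    finally:
        conn.close()


if __name__ == "__main__":
    print("benign :", run_script_guarded(BENIGN_SCRIPT))
    print("hostile:", run_script_guarded(HOSTILE_SCRIPT))
```

The benign script completes and leaves the `scan_result` table behind; the tampered one fails at the `load_extension` statement with an `OperationalError` (SQLite reports "not authorized", or "no such function" on builds compiled without extension support), and the `denied` list records what the authorizer refused. The authorizer is only half of the fix: the script should also live somewhere that low-privilege users cannot write to, since a statement that runs before the denied one still executes.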

------
ngcc_hk
It seems very odd that the installation still goes ahead without one agreeing
to the license.

~~~
Semaphor
Maybe they thought that, as it’s essentially unenforceable in EU anyway, they
might as well not bother? ;)

------
maxmalysh
It always amazes me how using Windows never feels safe. It is literally a
sieve in terms of security.

------
Stierlitz
“Most of the driver feels like proof-of-concept garbage that is held together
by duck tape.”

Oouch!

------
fomine3
TrendMicro does too many BS things in Japan. Many devs are recognizing it,
but their products are still adopted in many places.

