From: Solar Eclipse [solareclipse@PHREEDOM.ORG]
Sent: Wednesday, July 12, 2000 9:43 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Attacking Windows 9x with Loadable Kernel Modules

This article explains the basics of Windows 9x kernel modules development and contains the full source of a loadable kernel module (LKM) that performs the following functions:

1) it captures TCP connections traffic and extracts telnet/pop3/ftp passwords
2) it captures dial-up connections traffic (by capturing the raw data from the serial port) and extracts dial-up passwords
3) by accessing the TCP stack directly (bypassing the Winsock interface), it emails all the collected authentication information to an evil script kiddie sitting in a basement full of stolen hardware
4) it is virtually undetectable with any standard Windows tools
5) it is written entirely in assembly and the executable file size is only 7KB

It was first published in Phreedom Magazine - a Bulgarian h/c/p/a digest. Check it out at http://www.phreedom.org

Your feedback will be appreciated.

Solar Eclipse
solareclipse@phreedom.org
key ID: 4096D/3B98D2E9 (DSS)
user ID: Solar Eclipse
fingerprint: E0FA 3B25 BDE5 9CC1 E67A 1E1D CEF6 9808 3B98 D2E9