Kevin Koltzau wrote:

GINA runs on a completely dedicated, secure window station. There are 2 such
window stations: the one displayed at login (which is also the one shown when you
hit ctrl-alt-del), and the other is used by the screen saver.
The only windows that can be displayed on these are generated by the Messenger
service, which simply displays a popup window on the current window station that
is attached to user input.


At a demo in Black Hat Windows 2001, in Las Vegas, a guy from the rootkit project was demoing their stuff. Amazing stuff.

One of the things he was demoing was fresh out of the oven: a kernel-mode rootkit launching a user-mode process. They were taking another process and copying its process information for their newly created process. He was running cmd, IIRC.

The thing is, he was demoing how he was telnetting (to a fake IP), and issued a command to run CMD, and nothing happened. And the guy says "oh well, I said it was experimental".

Then, a couple of minutes later, the guy presses CTRL+ALT+DEL for an unrelated reason, and guess what? There is his CMD Window, functional and all. They were cloning the information of the wrong Win32 process.

Not entirely relevant, and obviously once you're in kernel mode, you can do anything. Still, that's where my info comes from. Sorry about the distraction. Just thought you may enjoy the story.

            Shachar
p.s.
http://www.rootkit.com, in case anyone is interested.

--
Shachar Shemesh
Lingnu Open Source Consulting
http://www.lingnu.com/