Comment by Someone1234

Comment by Someone1234 3 days ago

3 replies

View on Hacker News

I understand your point; but I'm struggling to see how this could be weaponized. Keep in mind, that these Dos compatible drive letters need to map to a real NT path endpoint (e.g. a drive/volume); so it isn't clear how the malware could both have a difficult to scan Dos tree while also not exposing that same area elsewhere for trivial scanning.

rwmj 3 days ago

I'm betting there's some badly written AV software out there which will crash on non-standard drive letters, allowing at least a bit of mayhem.

Reply View 0 replies
avidiax 3 days ago

Not sure if it is natively supported, but the malware can just decrypt a disk image to RAM and create a RAM disk mounted to +. Or it can maybe have a user space driver for a loop device, so the sectors of the drive are only decrypted on the fly.

It would likely break a lot of analysis tools and just generally make things very difficult.

Reply View 0 replies
buzer 3 days ago

The recovery partition might work if it exists.

Reply View 0 replies