Re: [unisog] Re: Port 109 Mystery

Hi,

Loki <loki@fatelabs.com> writes:

>This may have been something you tried, but looking at that path, it
...
>>On Wed, 2003-03-12 at 11:54, Douglas Brown wrote:
...
>> 220 winlogon -> 109 TCP \??\C:\WINNT\system32\winlogon.exe

According to "Developing Windows NT Device Drivers - A Programmer's Handbook", by Dekker and Newcomer: \??\ is "the directory of all named devices available for CreateFile". When a program tries to open C: \WINNT\system32\winlogon.exe, "C:" is translated to "\??\C:" by the Win32 subsystem.

Since fport normally does not display the "\??\" prefix, I am wondering if this might be a clue to how winlogon.exe was run.

B Cing U

Buck

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

<Pre>Lose another weekend managing your IDS? Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A> Received on Thu Mar 13 11:23:54 2003