[LINUX:12206] M$ may be watching you... (off-topic)

---------


Subject: [LINUX:12206] M$ may be watching you... (off-topic)
From: Alchemist The GREAT (altug@likom.com.tr)
Date: Fri 14 Jan 2000 - 22:48:38 EET


Sorry for the long message, but the subject seemed important to me.

Everyone who thinks M$ and IE are fast and secure should read this
carefully. Then they can go on claiming that "Big brother is watching you"
is wrong and that MS is actually an innocent company...
If you like, try it yourself and see with your own eyes...

Original URL:
http://nwo.net/osall/Methodology/Microsoft/Number_One/number_one.html

---------------------------------------
 Microsoft Security -- Installment One
9/7/99

Krale

[Editor's Note: OSAll has received comments from several individuals
claiming that parts of this article are plagiarized. One even asked if
we "hired JP as editor." We're looking into these accusations and will
have a verdict -- and possibly an apology -- shortly.]

First let's talk about Windows 95 (specifically Win 95, not Win 98). It
seems kind of stable (other than the many general protection faults and
blue screens of death). But something is fishy. You feel it somewhere.
I felt it too and researched until I found many concealed files and
behaviors. The first ones I found are mm256.dat and mm2048.dat:

mm256.DAT and mm2048.DAT

I was snooping on my computer with some programs called filemon.exe,
regmon.exe, and vxdmon.exe. Filemon reports all files accessed and
tells what accessed them and where. Regmon does the same with the
registry. Vxdmon does the same for VXD calls. I kept filemon running for
about three hours and saw nothing out of the ordinary... then comes a
file (mm256.dat) accessed by wininet.dll. At this time I'm doing
absolutely nothing. I just left my computer on and logged all the file
reads and writes. All the other file accesses in the log were from the Explorer
shell. After finding this file (in very hidden directories), I did the
normal double-click, and it denied me from even opening it. This is how
it all started...

Let's first start with a quote from MS headquarters themselves:

"The mm256.dat and mm2048.dat files are cache files used by Internet
Explorer. When you visit a Web page, Internet Explorer assigns the Web
address a unique identification number and searches the mm256.dat and
mm2048.dat files for that identification number. If the Web page's
identification number is found, the contents of the Web page are stored
locally on your computer's hard disk and Internet Explorer uses the
locally stored content instead of downloading the information from the
Internet. If the Web page's identification number is not found, the
contents of the Web page must be downloaded from the Internet. This
occurs if you have not visited the Web page before, the Web page has
changed, or the Web page's identification number has expired. When the
Web page's content has been downloaded to the hard disk, the mm256.dat
or mm2048.dat file is updated with the Web page's identification number.

The mm256.dat file is used to store the identification numbers of Web
pages whose Web addresses are equal to or less than 256 characters. The
mm2048.dat is used to store the identification numbers of Web pages
whose Web addresses are between 257 and 2048 characters."

First, assuming you know nothing about this, let's gather the
information we DO know about these files. Now let's go by what MS said and
take off Internet Explorer. They say they're just cache files -- so if we
take off IE, they'll just go away. If you went to the trouble to take it
off, you'll notice they are still there. Hmmm... Just try running your
non-IE browser and opening one as an ASCII file. It won't let you. Try
doing other tests of calling these files from other programs. Try
copying and pasting it. It still won't work. Since we can't open them,
let's see where the files are kept and how big they are. So I used a
non-Microsoft file finder, since MS cannot be trusted (or at least not until
they prove they can be trusted); we can't use their programs to snoop
on their OS.

FF-File Find, ZauberEdition 0.50

C:\WINDOWS\TEMPOR~1\CACHE1  mm256.dat     32.768 bytes  16:16 Fri 27 Aug 99  -medium
C:\WINDOWS\TEMPOR~1\CACHE2  mm256.dat     40.960 bytes  16:16 Fri 27 Aug 99  -medium
C:\WINDOWS\TEMPOR~1\CACHE3  mm256.dat     32.768 bytes  16:16 Fri 27 Aug 99  -medium
C:\WINDOWS\TEMPOR~1\CACHE4  mm256.dat     32.768 bytes  16:16 Fri 27 Aug 99  -medium
C:\WINDOWS\HISTORY          mm256.dat    180.224 bytes  16:16 Fri 27 Aug 99  -big
C:\WINDOWS\COOKIES          mm256.dat      8.192 bytes  16:17 Fri 27 Aug 99  -small
6 files found oh great master!

FF-File Find, ZauberEdition 0.50

C:\WINDOWS\TEMPOR~1\CACHE1  mm2048.dat  1.310.720 bytes  16:17 Fri 27 Aug 99  -huge
C:\WINDOWS\TEMPOR~1\CACHE2  mm2048.dat  1.253.376 bytes  16:17 Fri 27 Aug 99  -huge
C:\WINDOWS\TEMPOR~1\CACHE3  mm2048.dat  1.269.760 bytes  16:17 Fri 27 Aug 99  -huge
C:\WINDOWS\TEMPOR~1\CACHE4  mm2048.dat  1.187.840 bytes  16:17 Fri 27 Aug 99  -huge
C:\WINDOWS\HISTORY          mm2048.dat    532.480 bytes  16:17 Fri 27 Aug 99  -medium
C:\WINDOWS\COOKIES          mm2048.dat      8.192 bytes  16:17 Fri 27 Aug 99  -small
6 files found oh great master!

As I found out, the files come in 3 distinct sizes. Now search the
directories in the "My Computer" icon. Evidently you can't see the
directories, so go turn off "hide system files and folders". WHAT?!?
You still can't see them? Now go through DOS and search with "dir /w" or "dir /p"...
This is assuming you know how to use DOS. It will show you the
hidden directories. Evidently MS didn't want you to even know of these
directories. Now try to think of a way to see the contents of these
files. Windows won't let you get near them. What about DOS? We can't go
through the normal Windows startup and then F8 it to DOS, because we don't
know what happens before that.

So go ahead and make a DOS disk by formatting a floppy in your disk drive. Select
"copy system files" and make your DOS disk. Now restart your computer
and boot up with DOS. Go to the locations of the files you're trying
to see and copy them to a different directory and rename them. If you
don't, Windows could take over those files and your work getting them
would be in vain. Go back to Windows and then view them with a text
viewer. It has ALL my URLs in it. Yep, it has all sites with cookie
information in it. The big mm2048.dat even holds your whole
directory structure in it. Now go back to DOS and delete all of the
mm2048.dat and mm256.dat files. Then go back to Windows and search for
them. They're still there! So they are also regenerative. So let's sum
up all of the info on these files:

1) They have multiple copies of themselves

2) They are called by WININET.DLL for some reason

3) They are IMPOSSIBLE to get into from inside Windows

4) They hold all URLs and your file structure inside

5) Each comes in 3 distinct sizes

6) They are regenerative if erased

7) They are hidden inside nearly impossible-to-find parts of your drive

8) They don't go away if IE is uninstalled (totally contradictory to what
MS said)

Why is there so much secrecy surrounding these files, and why did MS
lie? Possibly MS calls them up when you go to their websites (due to the
name of the calling file, wininet.dll) or when you register MS products. I
have not confirmed these possibilities, but it might be true. Another
file like these is index.dat. It holds most (but not all) URLs that
you've gone to. It seems to be regenerative but not as jealously guarded
by Windows. You can actually copy and paste this file to another
directory and then view the contents. I would like all facts and
opinions sent to me at raistlin_majere@altavista.net. Keep on cracking
the secrets of Windows!!!

Krale

Note: OSAll staff has independently reproduced the results of Krale's
work using similar methods. We contacted Microsoft for comment but
they didn't return our calls on this issue.
  

-- 
Altug GUR
System & Network Administrator
Likom Software Inc.
Kennedy Cad. No:144 G.O.P/ANKARA TURKEY
Phone : +90(312)466 33 00
E-Mail: altug@likom.com.tr

To unsubscribe from the list: send the message "unsub linux" to listeci@bilkent.edu.tr.
Please do not use MIME / HTML / Turkish accented characters when writing to Listeci.
List archive address: http://listweb.bilkent.edu.tr/
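As an added example that is not part of the original post or of the OSAll article: once a copy of mm256.dat, mm2048.dat or index.dat has been taken offline (the boot-to-DOS copy-and-rename step the article describes), the quickest way to check the "it has all my URLs and cookie information in it" claim without knowing the file format is to carve printable strings out of the copy, the way the Unix `strings` tool does, and then filter them for URLs, cookie entries and DOS paths. The byte blob below is constructed for this example only (the real on-disk layout of these files is not described on the page), and all function and pattern names are my own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed stand-in for an offline copy of an IE cache/history index file.
# It is NOT real file content: just binary filler with embedded ASCII and
# UTF-16LE strings, which is all the carving below relies on.
SAMPLE_BLOB = (
    b"\x00\x01\x02URL \x00\x00\x00http://www.microsoft.com/windows/ie/\x00\x00"
    b"\xff\xfe\x10\x20Cookie:user@www.example.com/\x00\x01\x02"
    + "https://mail.example.net/inbox?id=42".encode("utf-16le")
    + b"\x00\x00\x00\x7fC:\\WINDOWS\\TEMPOR~1\\CACHE1\\\x00\x00"
    + b"http://www.microsoft.com/windows/ie/\x00\x00"  # same URL stored twice
    + b"\x03\x04\x05HASH\x00\x00\x00\x00"
)

URL_RE = re.compile(r"^(?:https?|ftp)://[^\s\"'<>]+$")
COOKIE_RE = re.compile(r"^Cookie:([^@\s]+)@(\S+)$")   # "Cookie:user@host/" style entry
DOS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def carve_strings(blob: bytes, min_len: int = 6):
    """Yield (offset, encoding, text) for every run of printable characters.

    Both plain ASCII runs and UTF-16LE runs (each char followed by a NUL byte)
    are carved, mirroring `strings` and `strings -e l`. Short runs are dropped
    because binary filler often contains a few printable bytes by accident.
    """
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_run.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii").strip()
    for m in utf16_run.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le").strip()


def classify(text: str):
    """Return 'url', 'cookie', 'path' or None for one carved string."""
    if URL_RE.match(text):
        return "url"
    if COOKIE_RE.match(text):
        return "cookie"
    if DOS_PATH_RE.match(text):
        return "path"
    return None


def summarize(blob: bytes) -> dict:
    """Carve a copied index file and group what it leaks.

    URLs are counted, not just listed, so duplicated records (the article
    notes multiple copies of everything) show up as counts > 1.
    """
    urls = Counter()
    cookies = []
    paths = []
    for _offset, _encoding, text in sorted(carve_strings(blob)):
        kind = classify(text)
        if kind == "url":
            urls[text] += 1
        elif kind == "cookie":
            user, site = COOKIE_RE.match(text).groups()
            cookies.append((user, site))
        elif kind == "path":
            paths.append(text)
    hosts = sorted({urlsplit(u).hostname for u in urls})
    return {"urls": dict(urls), "hosts": hosts, "cookies": cookies, "paths": paths}


if __name__ == "__main__":
    # For a real run: open("mm2048.copy", "rb").read() instead of SAMPLE_BLOB.
    for key, value in summarize(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

Run it against the renamed copy rather than the live file, for the reason the article gives: the live file is held open by the shell and may be rewritten while you read it. The string carving proves only that the strings are present in the file; it says nothing about who reads them or where they are sent, which is the part the article leaves unconfirmed.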



---------

This archive was generated by hypermail 2b25.