this post was submitted on 20 Apr 2024
978 points (97.1% liked)
linuxmemes
21254 readers
1513 users here now
Hint: :q!
Sister communities:
- LemmyMemes: Memes
- LemmyShitpost: Anything and everything goes.
- RISA: Star Trek memes and shitposts
Community rules (click to expand)
1. Follow the site-wide rules
- Instance-wide TOS: https://legal.lemmy.world/tos/
- Lemmy code of conduct: https://join-lemmy.org/docs/code_of_conduct.html
2. Be civil
- Understand the difference between a joke and an insult.
- Do not harrass or attack members of the community for any reason.
- Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
- Bigotry will not be tolerated.
- These rules are somewhat loosened when the subject is a public figure. Still, do not attack their person or incite harrassment.
3. Post Linux-related content
- Including Unix and BSD.
- Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of
sudo
in Windows. - No porn. Even if you watch it on a Linux machine.
4. No recent reposts
- Everybody uses Arch btw, can't quit Vim, and wants to interject for a moment. You can stop now.
Please report posts and comments that break these rules!
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Any self-respecting malware writer will download and decompile the Powertools to find out what API calls are being used. Especially if they're calls to an undocumented API.
Having Powertools on your computer is thus not the security hole it might appear to be.
The fact they exist at all - well that's not really a security hole either. Their existence just more quickly dissolves any security-by-obscurity that might have existed. Someone would have found those calls another way.
One might suppose that they contain something special that's not in the stock OS, but then we're back to the malware writer's reverse engineering which would lead them to learn and implement their own versions of whatever it is that Powertools does.
PowerToys is open-source, so no need to decompile. https://github.com/microsoft/PowerToys.
This is the code that determines which processes are holding on to the specified files (or any files in the specified folders): https://github.com/microsoft/PowerToys/blob/a89f9f69768ace73de21dbf6020bd7fa2460bf4a/src/modules/FileLocksmith/FileLocksmithLibInterop/FileLocksmith.cpp#L18
Called from the UI code here: https://github.com/microsoft/PowerToys/blob/a89f9f69768ace73de21dbf6020bd7fa2460bf4a/src/modules/FileLocksmith/FileLocksmithUI/ViewModels/MainViewModel.cs#L112 which also has the code to kill the processes
I would not say
I’m not as familiar with mass-market malware, but APT-level gear generally doesn’t try to make use of such easily observed events. The more network traffic malware appropriates, the greater the probability that it’s caught.
Simply put, Powertools puts several functions within arms reach for malware looking to stay under the radar. Without it, malware needs to bring more of its own code which increases footprint. Living off the land exploits in particular love the presence of these kinds of programs