Hacking The Master File Table
Tuesday, November 13, 2012, 5:13 AM
[General]
The Master File Table (MFT) is the core of the Windows NT file system (NTFS). It holds a record for every file and directory on the volume, and the records of deleted files linger until they are reused. By manipulating these records one could make any file on disk run malicious software in place of the intended program. For example, imagine that one day you double-click your Mozilla Firefox desktop icon and, instead of Firefox starting, your system installs a rootkit!
The attacking program would open the raw volume, start at the root directory (MFT record 5) and walk the MFT until it finds the record whose file name matches the target. Next, it would replace that record's non-resident $DATA mapping with the mapping taken from another file. Done correctly, the result is a 'digital explosion' that goes off the moment somebody double-clicks the icon. In practice this needs administrator rights for raw volume access, and Windows Vista and later refuse writes to the file-system area of a mounted volume unless it has been locked or dismounted, so the write has to happen offline or from a kernel driver.
In the record we chose to alter we find the $DATA attribute, and inside that attribute a list of Data Runs. Each run maps a range of Virtual Cluster Numbers (VCNs, the file's own cluster numbering) to Logical Cluster Numbers (LCNs, positions on the volume); together they tell Windows where the $DATA of that record actually lives. By rewriting those bytes in the MFT record one can make Windows load any program on disk in place of any other, somewhat like a virus, except that no executable's contents are modified, only the map that says which clusters belong to which name. This does not make it invisible to every anti-virus product: a scanner that reads the file through the file system sees the substituted contents and can still match a known signature. What the swap defeats is anything that trusts the file's name, path, cached hash or earlier verdict.
Such an attack could be used to make Windows load the wrong bytes and crash, start malicious processes, download and load unauthorized material, or launch a malicious process that then starts the original program to disguise the attack and avoid detection.
One possible solution might be a Windows service that validates the MFT before the desktop loads and tries to repair any broken entry. Such a tool could detect a changed record by cross-checking the information stored in it. One of the more reliable checks is to compare the $DATA sizes recorded in the attribute header (real size, allocated size, last VCN) with what the data runs actually cover: a sloppy edit that only swaps the runs leaves those fields inconsistent. It is not a complete defence. An attacker who copies the whole attribute keeps the fields consistent, so the service still needs a trusted baseline (file hashes stored off the volume) to compare against, and the service itself is started from files that the same MFT describes. chkdsk performs similar consistency checks on an offline volume.
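The data-run decoding described above and the size cross-check proposed as a defence, worked through in code. This is an added example for this post, not code from the original article or from any tool it describes. It assumes a hypothetical volume with 4 KiB clusters and two hand-constructed $DATA attributes (called "firefox.exe" and "rootkit.exe" for illustration); nothing here touches a real disk.

```python
"""Decode NTFS data runs and cross-check a non-resident $DATA attribute.

Added example for this post, not code from the original article. The
attribute bytes are constructed by hand for a hypothetical volume with
4 KiB clusters; nothing here reads or writes a real disk.
"""
import struct

CLUSTER = 4096  # assumed cluster size of the hypothetical volume


def parse_data_runs(runs: bytes):
    """Decode a data-run list into (vcn, lcn, length) triples.

    Each run starts with a header byte: low nibble = byte size of the
    length field, high nibble = byte size of the LCN-offset field (0 means
    a sparse run with no clusters on disk). Lengths are unsigned, offsets
    are signed and relative to the previous run's LCN. A 0x00 header byte
    ends the list.
    """
    out, pos, vcn, lcn = [], 0, 0, 0
    while pos < len(runs) and runs[pos] != 0:
        hdr = runs[pos]
        pos += 1
        len_sz, off_sz = hdr & 0x0F, hdr >> 4
        if len_sz == 0 or pos + len_sz + off_sz > len(runs):
            raise ValueError("malformed data run at offset %d" % (pos - 1))
        length = int.from_bytes(runs[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz == 0:
            out.append((vcn, None, length))          # sparse run, no LCN
        else:
            lcn += int.from_bytes(runs[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
            out.append((vcn, lcn, length))
        vcn += length
    return out


# Non-resident attribute header, NTFS on-disk layout (0x40 bytes):
# type, length, non-resident flag, name length, name offset, flags, id,
# starting VCN, last VCN, data-run offset, compression unit, padding,
# allocated size, real size, initialized size.
_NONRES_HDR = struct.Struct("<IIBBHHHQQHH4sQQQ")


def build_data_attribute(runs: bytes, real_size: int) -> bytes:
    """Build a self-consistent non-resident $DATA attribute (constructed test data)."""
    clusters = sum(n for _, _, n in parse_data_runs(runs))
    hdr_len = _NONRES_HDR.size
    total = (hdr_len + len(runs) + 7) & ~7           # attribute length is 8-byte aligned
    hdr = _NONRES_HDR.pack(0x80, total, 1, 0, hdr_len, 0, 0,
                           0, clusters - 1, hdr_len, 0, b"\0" * 4,
                           clusters * CLUSTER, real_size, real_size)
    return (hdr + runs).ljust(total, b"\0")


def tamper_runs(attr: bytes, new_runs: bytes) -> bytes:
    """The attack from the post: overwrite the data runs, leave the size fields alone."""
    hdr = bytearray(attr[:_NONRES_HDR.size])
    total = (len(hdr) + len(new_runs) + 7) & ~7
    struct.pack_into("<I", hdr, 4, total)            # patch the attribute length
    return (bytes(hdr) + new_runs).ljust(total, b"\0")


def check_data_attribute(attr: bytes):
    """Return the inconsistencies between the header's size fields and its runs ([] = OK)."""
    (atype, length, nonres, _, _, _, _, start_vcn, last_vcn, runs_off,
     _, _, alloc, real, init) = _NONRES_HDR.unpack_from(attr, 0)
    if atype != 0x80 or nonres != 1:
        return ["not a non-resident $DATA attribute"]
    clusters = sum(n for _, _, n in parse_data_runs(attr[runs_off:length]))
    problems = []
    if last_vcn - start_vcn + 1 != clusters:
        problems.append("VCN range covers %d clusters, runs map %d"
                        % (last_vcn - start_vcn + 1, clusters))
    if alloc != clusters * CLUSTER:
        problems.append("allocated size %d != %d clusters * %d"
                        % (alloc, clusters, CLUSTER))
    if not init <= real <= alloc:
        problems.append("sizes out of order: init %d real %d alloc %d" % (init, real, alloc))
    return problems


# Constructed records: "firefox.exe" = 24 clusters at LCN 0x5634 (run list
# 21 18 34 56 00); "rootkit.exe" = 48 clusters at LCN 32, then 16 at LCN 16
# (the second offset byte F0 is -16 relative to the previous run).
FIREFOX_RUNS = bytes.fromhex("2118345600")
ROOTKIT_RUNS = bytes.fromhex("1130201110f000")
firefox = build_data_attribute(FIREFOX_RUNS, 24 * CLUSTER - 100)
rootkit = build_data_attribute(ROOTKIT_RUNS, 64 * CLUSTER - 1)

if __name__ == "__main__":
    print("firefox runs:          ", parse_data_runs(FIREFOX_RUNS))
    print("untouched:             ", check_data_attribute(firefox))
    print("runs swapped only:     ", check_data_attribute(tamper_runs(firefox, ROOTKIT_RUNS)))
    print("whole attribute copied:", check_data_attribute(rootkit))
```

Running it shows the two sides of the defence: swapping only the run list leaves the old last-VCN and allocated-size fields behind, and the check reports both mismatches; copying the whole attribute header over produces a record that passes every internal check, which is why a baseline held off the volume is still needed.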