In the early screenshot where it shows the directory listing for "%TEMP%\RootKitBuster", three entries jump out (to me) as immediately interesting:
* sqlite3.dll
* scan_db.sql
* DB <-- a folder name
That scan_db.sql is likely full of SQL statements.
And SQLite can have user defined C functions added.
Depending on when those SQL statements are run (just for initial DB creation? during every run? etc), it could be a cheap and easy way to get your code running in a high privilege context. :)
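An added example (not from the original post, and not code from the product being discussed) that shows the check a practitioner would want to do on a file like scan_db.sql, and what the SQLite side of this idea actually requires. In SQLite the usual way to pull user-defined C functions into a process from plain SQL is `SELECT load_extension(...)`, which the database engine refuses ("not authorized") unless the host program has explicitly enabled extension loading. The script below greps a SQL script for such calls and then executes it in an in-memory database, once with loading left at its default and once with it enabled, so you can see which statements ran before the load attempt and how it failed. The sample SQL is constructed here to stand in for the real file; the table name, the comment and the `evil.dll` path are assumptions, not anything taken from the screenshot.

```python
import re
import sqlite3

# Constructed stand-in for %TEMP%\RootKitBuster\scan_db.sql: a plausible schema
# plus one appended line that tries to load native code. Not the real file.
SAMPLE_SCAN_DB_SQL = r"""CREATE TABLE IF NOT EXISTS scan_results (
    id INTEGER PRIMARY KEY,
    path TEXT NOT NULL,
    verdict TEXT
);
-- appended by a local user with write access to the temp directory (assumed)
SELECT load_extension('C:\Users\Public\evil.dll');
"""

# Matches the SQL function that loads a shared library into the calling process.
LOAD_EXT_RE = re.compile(r"\bload_extension\s*\(", re.IGNORECASE)


def find_load_extension_calls(sql_text):
    """Return (line_number, line_text) for every non-comment line that calls load_extension()."""
    hits = []
    for lineno, line in enumerate(sql_text.splitlines(), start=1):
        code = line.split("--", 1)[0]  # ignore trailing '--' SQL comments
        if LOAD_EXT_RE.search(code):
            hits.append((lineno, line.strip()))
    return hits


def run_script(sql_text, allow_extensions=False):
    """Execute a SQL script the way a host program might (executescript) and report the outcome.

    Returns {"tables": [...], "error": str or None}, or None if this Python/SQLite
    build cannot enable extension loading at all (only when allow_extensions=True).
    """
    con = sqlite3.connect(":memory:")
    if allow_extensions:
        try:
            con.enable_load_extension(True)  # what a careless host would have to do
        except (AttributeError, sqlite3.NotSupportedError):
            con.close()
            return None
    error = None
    try:
        con.executescript(sql_text)
    except sqlite3.Error as exc:
        # Statements before the failing one have already been applied by this point.
        error = str(exc)
    tables = [row[0] for row in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    con.close()
    return {"tables": tables, "error": error}


if __name__ == "__main__":
    for lineno, text in find_load_extension_calls(SAMPLE_SCAN_DB_SQL):
        print(f"line {lineno}: {text}")
    print("loading disabled (SQLite default):", run_script(SAMPLE_SCAN_DB_SQL))
    print("loading enabled by the host:      ", run_script(SAMPLE_SCAN_DB_SQL, allow_extensions=True))
```

With loading left at its default the schema is created and the `load_extension` line is rejected; only when the host program has called the equivalent of `sqlite3_enable_load_extension(db, 1)` does SQLite actually try to open the DLL, so whether a writable scan_db.sql is a real problem depends on that setting in the process that runs it, and on whether that process is the privileged one.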