Dailydave mailing list archives
Re: modGREPER - hidden kernel modules detector
From: Mark <mark () vulndev org>
Date: Sat, 25 Jun 2005 12:20:08 +0100 (BST)
On Fri, 24 Jun 2005, rd wrote:
> James Butler wrote:
>> Joanna, We (Sherri and I) had already defeated this detection mechanism before you released it. Perhaps you should see: http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#Sparks
>> [snip]
>>> modGREPER is a hidden module detector for Windows 2000/XP/2003. It searches through the whole kernel memory in order to find structures which look like valid module description objects. Currently two most
>
> hi, I'm not into the Windows kernel part so this is just my opinion :) . I think this kind of detection (by searching for module structures in kernel memory) could be defeated easily by cleaning up/freeing unnecessary fields (which could be used to identify the structure as the module structure), by zeroing out or writing random data to the original module structure (of course you should not overwrite important data such as function pointers or so).
Easy answer is "yes" (that doesn't quite fit the context but WTH, why not), blanking out the structures (or being suitably unfair and copying, byte for byte, a "known good" set of structures (under Solaris genunix is quite popular, so I hear)) is a good way of annoying "rootkit detectors"... or for that matter kernel memory tracers/debuggers of any description. bzero is your friend.
> This might be similar to module hiding in Linux, in which cleaner.c (by stealth/teso) unlinks the module structure to hide the module, while
Until someone showed him a nicer way to do it of course.
> KSTAT (by s0ftpr0ject) searches /dev/kmem for module structures to detect hidden modules. My modclean tool, which was written a few years ago, solves this problem simply by cleaning up the module structure as well as its symbols (to avoid detection by tools which search for module symbols) after unlinking the module in order to hide the kernel module.
and to think, they do it all for us in the 2.6.x Linux kernel, ain't they a generous bunch.

M
> cheers,
> --rd
> --
> rd <rd () thc org> - The Hacker's Choice - http://www.thc.org
> PGP Key Fingerprint - E18F 6CE8 E12B 3306 80D9 6B5A 364B 1D77 71BB 82EF

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
--
VulnDev[.]org "Paranoia, keeping us clothed and fed since _init();"
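A toy version of the memory-carving detection rd and the modGREPER announcement describe, added here as an illustration and not code from the thread or from modGREPER: it scans a constructed kernel-memory image for descriptor-shaped structures and diffs them against what the module linked list reaches. The descriptor layout, addresses and driver names are invented for the demo, and the entry whose identifying fields were zeroed (rd's point) is exactly what the plausibility heuristics miss.

```python
import struct

# Constructed descriptor layout for the demo (NOT the real Windows LDR_DATA_TABLE_ENTRY).
FMT = "<IIIII16s"                   # flink, blink, base, size, entry, 16-byte NUL-padded name
ENTRY_SIZE = struct.calcsize(FMT)   # 36 bytes
KMEM_BASE = 0x80400000              # assumed virtual address of byte 0 of the dump

def carve_modules(mem, kmem_base=KMEM_BASE):
    """Scan a kernel-memory image for anything that looks like a module descriptor."""
    hits, end = {}, kmem_base + len(mem)
    for off in range(0, len(mem) - ENTRY_SIZE + 1, 4):
        flink, blink, base, size, entry, raw = struct.unpack_from(FMT, mem, off)
        name = raw.split(b"\0", 1)[0]
        # Plausibility checks: list pointers into the dump, page-aligned base, sane size,
        # entry point inside the image, printable driver name. A descriptor whose owner
        # wiped these fields (the thread's point) will not match and is silently missed.
        if not (kmem_base <= flink < end and kmem_base <= blink < end):
            continue
        if base & 0xFFF or not 0x1000 <= size <= 0x1000000 or not base <= entry < base + size:
            continue
        if not name.lower().endswith(b".sys") or not all(0x20 <= c < 0x7F for c in name):
            continue
        hits[kmem_base + off] = name.decode()
    return hits

def walk_list(mem, head_va, kmem_base=KMEM_BASE):
    """Enumerate modules the way a normal API would: follow flink from the list head."""
    seen, va = set(), head_va
    while va not in seen and kmem_base <= va < kmem_base + len(mem):
        seen.add(va)
        va = struct.unpack_from("<I", mem, va - kmem_base)[0]
    return seen

def hidden_modules(mem, head_va, kmem_base=KMEM_BASE):
    """Descriptors found by carving but unreachable from the list: unlinked (hidden) modules."""
    visible = walk_list(mem, head_va, kmem_base)
    return {va: n for va, n in carve_modules(mem, kmem_base).items() if va not in visible}

def build_sample_image():
    """Constructed 4 KiB dump: two listed drivers, one unlinked, one unlinked and wiped."""
    mem = bytearray(b"\xcc" * 0x1000)
    a, b, c, d = (KMEM_BASE + o for o in (0x100, 0x200, 0x300, 0x400))
    def put(va, flink, blink, base, size, name):
        struct.pack_into(FMT, mem, va - KMEM_BASE, flink, blink, base, size, base + 0x10, name)
    put(a, b, b, 0x80500000, 0x8000, b"ntfs.sys")    # head of the circular list
    put(b, a, a, 0x80600000, 0x4000, b"disk.sys")
    put(c, a, b, 0x80700000, 0x2000, b"hidden.sys")  # unlinked, but descriptor left intact
    put(d, 0, 0, 0x80800000, 0x2000, b"")            # unlinked AND identifying fields zeroed
    return bytes(mem)
```

Running `hidden_modules(build_sample_image(), KMEM_BASE + 0x100)` reports only the intact unlinked entry; the wiped one at offset 0x400 never passes the heuristics, which is the detection gap the thread is about.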