Full Disclosure mailing list archives
Re: Microsoft GhostBuster Opinions
From: dk <dk () pwarchitects com>
Date: Fri, 18 Mar 2005 14:32:26 -0600
Ron DuFresne wrote:
If the kernel is modified, on a windows or *nix system, you are going to have a clear clue upfront; the system will have rebooted. Course, a
That's a dangerous position to believe, at least with the linux kernel (man insmod). Aside from just loading a kernel module that wraps system calls, one has been able to directly modify kernel memory for years, even without kernel bugs. Hence the utility of PaX, grsec, etc, etc.
In fact a few popular RK's do just his via /dev/kmem (bypassing module loading) and the like do they not? (like suckit??)
Further research might be in order. ;-) http://www.l0t3k.org/biblio/kernel/english/runtime-kernel-kmem-patching.txt http://www.phrack.org/show.php?p=58&a=7 http://www.l0t3k.org/security/docs/rootkit/ ... -- dk _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://www.secunia.com/
Current thread:
- Microsoft GhostBuster Opionions Dave King (Mar 17)
- Re: Microsoft GhostBuster Opionions Valdis . Kletnieks (Mar 17)
- Re: Microsoft GhostBuster Opionions bkfsec (Mar 17)
- Re: Microsoft GhostBuster Opionions Dave King (Mar 17)
- Re: Microsoft GhostBuster Opinions Dave King (Mar 17)
- Re: Microsoft GhostBuster Opinions Ron DuFresne (Mar 17)
- Re: Microsoft GhostBuster Opinions Jeremy Bishop (Mar 17)
- Re: Microsoft GhostBuster Opinions J u a n (Mar 18)
- Re: Microsoft GhostBuster Opinions Dave King (Mar 18)
- Re: Microsoft GhostBuster Opinions dk (Mar 18)
- Re: Microsoft GhostBuster Opinions Ron DuFresne (Mar 18)
- Re: Microsoft GhostBuster Opionions bkfsec (Mar 17)
- Re: Microsoft GhostBuster Opionions Valdis . Kletnieks (Mar 17)