Vulnerability Development mailing list archives
Re: Positive uses for rootkits
From: Ryan Permeh <ryan () EEYE COM>
Date: Wed, 28 Mar 2001 09:31:28 -0800
there are kernel debuggers that use /dev/kmem. using this same methodology, you could create an in-memory kernel patcher that could inject rootkit code into a running kernel.

Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina - Network Security Scanner
http://www.eEye.com/Iris - Network Traffic Analyzer

----- Original Message -----
From: "Martin 'Goran' Moravec" <goran () UCW CZ>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Tuesday, March 27, 2001 1:16 PM
Subject: Re: Positive uses for rootkits

That is a great strategy to follow. Take it another step tho. If this is a server we are talking about, don't even put devel. tools on the box. Build your small static kernel elsewhere and copy it to the box.

There *are* ways around this, but you gotta be good. If you play with memory locations directly, there are ways to load a module even on a static monolithic kernel.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW ?! (with modules disabled) seems insane to me, although I'm not a kernel hacker.

But as I said, you gotta be real good. Read that as "no script kiddies"

-b

Goran