Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Positive uses for rootkits

From: Ryan Permeh <ryan () EEYE COM>
Date: Wed, 28 Mar 2001 09:31:28 -0800
there are kernel debuggers that use /dev/kmem.  using this same methodology,
you could create a inmemory kernel patcher that could inject rootkit code
into a running kernel.
Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer

----- Original Message -----
From: "Martin 'Goran' Moravec" <goran () UCW CZ>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Tuesday, March 27, 2001 1:16 PM
Subject: Re: Positive uses for rootkits




That is a great strategy to follow.  Take it another step tho.  If this
is a server we are talking about, don't even put devel. tools on the
box.  Build your small static kernel elsewhere and copy it to the box.

There *are* wasy around this, but you gotta be good.  If you play with
memory locations directly, there are ways to load a module even on a
static monloitic kernel.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
HOW ?! (with modules disabled)
seems insane to me, although I'm not a kernel hacker.


But as I said, you gotta be real good.  Read that as "no script kiddies"

-b



Goran
Previous By Date Next
Previous By Thread Next

Current thread: