Dailydave mailing list archives

Re: modGREPER - hidden kernel modules detector


From: Mark <mark () vulndev org>
Date: Sat, 25 Jun 2005 12:20:08 +0100 (BST)

On Fri, 24 Jun 2005, rd wrote:

James Butler wrote:
Joanna,
   We (Sherri and I) had already defeated this detection mechanism before
you released it. Perhaps you should see:
http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#Sparks

[snip]
modGREPER is a hidden module detector for Windows 2000/XP/2003. It
searches through the whole kernel memory in order to find structures which
look like valid module description objects. Currently two most

hi,

I'm not into the Windows kernel part so this is just my opinion :) . I
think this kind of detection (by searching for the module structure in kernel
memory) could be defeated easily by cleaning up/freeing unnecessary fields
(which could be used to identify the structure as the module structure)
by zeroing out or writing random data to the original module structure (of
course you should not overwrite important data such as function pointers
or so).

Easy answer is "yes" (that doesn't quite fit the context but WTH, why
not.), blanking out the structures (or being suitably unfair
and copying, byte for byte, a "known good" set of structures (under
Solaris genunix is quite popular, so I hear)) is a good way of annoying
"rootkit detectors".. or for that matter kernel memory tracers/debuggers
of any description.

bzero is your friend.


This might be similar to module hiding in Linux, in which cleaner.c (by
stealth/teso) unlinks the module structure to hide the module, while

Until someone showed him a nicer way to do it of course.

KSTAT (by s0ftpr0ject) searches /dev/kmem for module structures to detect
hidden modules. My modclean tool, which was written a few years ago, solves
this problem simply by cleaning up the module structure as well as its symbols
(to avoid detection by tools which search for module symbols) after
unlinking the module in order to hide the kernel module.

and to think, they do it all for us in the 2.6.x Linux kernel, ain't they
a generous bunch.

M


cheers,

--rd

--
rd <rd () thc org> - The Hacker's Choice - http://www.thc.org
PGP Key Fingerprint - E18F 6CE8 E12B 3306 80D9 6B5A 364B 1D77 71BB 82EF
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave


--
                VulnDev[.]org
"Paranoia, keeping us clothed and fed since _init();"

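The thread's argument is that a memory greper keyed on cosmetic fields (name, size, list links) is blinded once those fields are zeroed, while the function pointers the module needs to keep running cannot be blanked. The following is an added example, not code from the thread or from modGREPER/modclean: a constructed flat "kernel memory" snapshot holding a simplified, assumed module descriptor layout, scanned once with a weak signature and once with one that keys on the init/cleanup pointers landing in an assumed kernel text range.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define KMEM_SIZE 4096
#define TEXT_LO 0xC0100000u   /* assumed kernel text range; init/cleanup must point here */
#define TEXT_HI 0xC0400000u

struct kmod {                 /* simplified module descriptor; layout is an assumption */
    uint32_t size_of_struct;
    uint32_t next;            /* VA of next module; an unlinked module carries junk or 0 */
    uint32_t name;            /* VA of the name string */
    uint32_t init;            /* function pointers into kernel text: must stay valid */
    uint32_t cleanup;
    char     tag[16];         /* inline human-readable name (cosmetic) */
};

static unsigned char kmem[KMEM_SIZE];   /* constructed snapshot, not a real dump */

/* Weak signature: keyed on fields a module can run without. */
static int looks_like_module_weak(const struct kmod *m) {
    return m->size_of_struct == sizeof(struct kmod) && m->tag[0] != '\0';
}

/* Stronger signature: keyed on the pointers the module must keep to stay callable. */
static int looks_like_module_strong(const struct kmod *m) {
    return m->init >= TEXT_LO && m->init < TEXT_HI &&
           m->cleanup >= TEXT_LO && m->cleanup < TEXT_HI;
}

/* Sweep the whole snapshot at 4-byte alignment, the way a kernel memory greper does. */
static int scan(int (*match)(const struct kmod *)) {
    int hits = 0;
    struct kmod m;
    for (size_t off = 0; off + sizeof m <= KMEM_SIZE; off += 4) {
        memcpy(&m, kmem + off, sizeof m);
        if (match(&m)) hits++;
    }
    return hits;
}

static void place(size_t off, const char *tag, uint32_t init, uint32_t cleanup) {
    struct kmod m = {0};
    m.size_of_struct = sizeof m; m.init = init; m.cleanup = cleanup;
    strncpy(m.tag, tag, sizeof m.tag - 1);
    memcpy(kmem + off, &m, sizeof m);
}

/* Two loaded modules; optionally the second has its cosmetic fields zeroed (the evasion the thread describes). */
static void build_snapshot(int blank_second) {
    memset(kmem, 0, sizeof kmem);
    place(0x100, "nfs",  0xC0120000u, 0xC0120400u);
    place(0x800, "modx", 0xC0300000u, 0xC0300080u);
    if (blank_second) memset(kmem + 0x800, 0, 12), memset(kmem + 0x800 + 20, 0, 16);
}

int main(void) {
    build_snapshot(0);
    printf("clean:   weak=%d strong=%d\n", scan(looks_like_module_weak), scan(looks_like_module_strong));
    build_snapshot(1);
    printf("blanked: weak=%d strong=%d\n", scan(looks_like_module_weak), scan(looks_like_module_strong));
    return 0;
}
```

The weak scan drops to one hit after blanking while the pointer-based scan still reports two, which is the design point for a detector: anchor the signature on what the intruder cannot afford to destroy.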