Dailydave mailing list archives
Re: DR Linux 2.6 rootkit released
From: Bas Alberts <bas.alberts () immunityinc com>
Date: Thu, 04 Sep 2008 12:59:21 -0400
Just as a sidenote, I was unaware of Pierre's research paper until today (not much up on the Italians :)). But his paper most definitely is a go-to reference for this general hooking approach. Even if it is in Italian, it's pretty readable and well researched. Combined with the Intel SDM, the work presented becomes pretty straightforward. I've added it to the references in the DR README, and feel that it serves as an excellent reference for the general approach as far as Linux debug register based kernel hooking specifics go.

To answer some questions I've been getting off-list:

- Yes, SMP support will be added
- Yes, X86_64 support will be added
- Yes, proper GD support will be added

The initial implementation was written on the spot and in the span of a week. Because the engine is used in the CANVAS rootkit it will receive continuous support and updates. Feel free to submit feature requests.

Regards,

Bas Alberts
Senior Security Researcher
Immunity, Inc.

Pierre Falda wrote:
Hi people,

If someone else is still interested in these things and wants to see some 'old' code: in 2006 I published an article and a 2.4.x/2.6.x (tested until .19) Linux rootkit which loads itself through kmem and fully implements these techniques. It's a fully working rootkit with a debug registers engine and with anti-detection checks via GD and CPU emulation to protect itself too. It has all modern rootkit hiding features, anti-detection extra features like kmem/mem/kcore/procfs on-the-fly patching, and most add-ons like TTY and application sniffing. It works by watching the SCT and supports syscall invocations through int 80 and sysenter and so on.

You can find the source code here:
http://packetstormsecurity.org/UNIX/penetration/rootkits/mood-nt_2.3.tgz
or here:
http://darkangel.antifork.org/codes.htm

The article about the hardware engine (in Italian) is here:
http://darkangel.antifork.org/publications/Abuso%20dell%27Hardware%20nell%27Attacco%20al%20Kernel%20di%20Linux.pdf

and if you want the printed version in a scientific publication you can go here:
http://www.atsystem.org/en/conventions/nss06/convention+proceedings

Have a nice day!

Pierre Falda 'darkangel'
http://darkangel.antifork.org
Antifork Research Inc.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
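Both messages above talk about hooking through the x86 debug registers and about GD as the self-protection bit, without showing the register layout. The following is an added example, not code from DR, mood-nt or CANVAS and not part of this thread: it encodes and decodes the DR7 control bits and the DR6 status bits as documented in the Intel SDM, and its main() arms one hardware write-watchpoint in a forked child through ptrace(PTRACE_POKEUSER) to show the breakpoint actually firing. It assumes x86-64 Linux with glibc; the `target` variable, the child process and every helper name are this example's own.

```c
/* Added example (not code from DR, mood-nt or CANVAS): the x86 debug-register
 * bit layout that a debug-register hooking engine programs, plus a user-space
 * demo that arms one hardware watchpoint in a traced child through ptrace.
 * Assumes x86-64 Linux with glibc; `target`, the child and all helper names
 * are this example's own. */
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>

/* DR7 (Intel SDM vol. 3, "Debug Registers"): bits 0-7 hold L0/G0..L3/G3
 * (local/global enable per breakpoint), bit 13 is GD (general detect: any
 * MOV to/from DR0-DR7 raises #DB before the access completes), and bits
 * 16-31 hold R/W0,LEN0..R/W3,LEN3 (two bits each, four bits per breakpoint). */
enum dr_type { DR_EXEC = 0, DR_WRITE = 1, DR_IO = 2, DR_RW = 3 };
enum dr_len  { DR_LEN1 = 0, DR_LEN2 = 1, DR_LEN8 = 2, DR_LEN4 = 3 };
#define DR7_GD (1ULL << 13)

/* Arm breakpoint `idx` (0-3); execution breakpoints must use DR_LEN1. */
uint64_t dr7_set(uint64_t dr7, int idx, enum dr_type type, enum dr_len len, int global)
{
    unsigned shift = 16 + 4 * idx;
    dr7 &= ~(0xFULL << shift);                                   /* drop old R/W + LEN */
    dr7 |= ((uint64_t)type | ((uint64_t)len << 2)) << shift;
    dr7 |= 1ULL << (2 * idx + (global ? 1 : 0));                  /* Ln or Gn */
    return dr7;
}

uint64_t dr7_clear(uint64_t dr7, int idx)
{
    return dr7 & ~(3ULL << (2 * idx)) & ~(0xFULL << (16 + 4 * idx));
}

int dr7_enabled(uint64_t dr7, int idx) { return ((dr7 >> (2 * idx)) & 3) != 0; }
enum dr_type dr7_type(uint64_t dr7, int idx) { return (enum dr_type)((dr7 >> (16 + 4 * idx)) & 3); }
enum dr_len  dr7_len(uint64_t dr7, int idx)  { return (enum dr_len)((dr7 >> (18 + 4 * idx)) & 3); }
int dr7_gd(uint64_t dr7) { return (dr7 & DR7_GD) != 0; }

/* DR6: bits 0-3 (B0-B3) report which breakpoint fired; bit 13 (BD) is set
 * when code touched a debug register while GD was armed. */
int dr6_hit(uint64_t dr6) { for (int i = 0; i < 4; i++) if (dr6 & (1ULL << i)) return i; return -1; }
int dr6_bd(uint64_t dr6) { return (dr6 >> 13) & 1; }

#if defined(__linux__) && defined(__x86_64__)
static volatile int target;   /* watched variable; same address in the forked child */

static long peek_dr(pid_t pid, int n)
{
    errno = 0;
    return ptrace(PTRACE_PEEKUSER, pid,
                  (void *)(offsetof(struct user, u_debugreg) + n * sizeof(long)), 0);
}
static long poke_dr(pid_t pid, int n, unsigned long v)
{
    return ptrace(PTRACE_POKEUSER, pid,
                  (void *)(offsetof(struct user, u_debugreg) + n * sizeof(long)), (void *)v);
}

int main(void)
{
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {                      /* child: stop, then write the watched variable */
        ptrace(PTRACE_TRACEME, 0, 0, 0);
        raise(SIGSTOP);
        target = 42;
        _exit(0);
    }
    int status;
    waitpid(pid, &status, 0);            /* child is stopped at its SIGSTOP */
    /* Address first, then control: DR0 = &target, DR7 = local 4-byte write watchpoint.
     * GD cannot be armed from here: Linux masks DR7 bits 10-15 on the ptrace path,
     * so a GD-protected engine like the ones in this thread has to run in ring 0. */
    uint64_t dr7 = dr7_set(0, 0, DR_WRITE, DR_LEN4, 0);
    if (poke_dr(pid, 0, (unsigned long)&target) < 0 || poke_dr(pid, 7, dr7) < 0) {
        perror("ptrace(PTRACE_POKEUSER)"); kill(pid, SIGKILL); return 1;
    }
    ptrace(PTRACE_CONT, pid, 0, 0);
    waitpid(pid, &status, 0);
    if (WIFSTOPPED(status) && WSTOPSIG(status) == SIGTRAP) {
        long dr6 = peek_dr(pid, 6);
        printf("SIGTRAP: DR6=%#lx, breakpoint %d fired on write to %p\n",
               dr6, dr6_hit((uint64_t)dr6), (void *)&target);
        poke_dr(pid, 7, dr7_clear(dr7, 0));   /* disarm and let the child finish */
        ptrace(PTRACE_CONT, pid, 0, 0);
        waitpid(pid, &status, 0);
    } else {
        printf("child did not trap (status %#x)\n", status);
    }
    return 0;
}
#else
int main(void) { puts("demo needs x86-64 Linux"); return 0; }
#endif
```

Build with `cc -O2 -o drdemo drdemo.c` and run it; the parent reports the SIGTRAP with B0 set in DR6. The kernel-side engines in this thread program the same DR0-DR3/DR7 bits directly with MOV DRn, point them at the syscall table or entry path instead of a variable, and keep GD set so that any other code reading or writing the debug registers traps into the engine first (the BD bit in DR6 is how the #DB handler tells that case apart from an ordinary breakpoint hit).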
Current thread:
- DR Linux 2.6 rootkit released Bas Alberts (Sep 03)
- Message not available
- Re: DR Linux 2.6 rootkit released Bas Alberts (Sep 04)
- Message not available
- Re: DR Linux 2.6 rootkit released Joanna Rutkowska (Sep 04)
- Re: DR Linux 2.6 rootkit released Piotr Bania (Sep 05)
- <Possible follow-ups>
- Re: DR Linux 2.6 rootkit released Pierre Falda (Sep 04)
- Re: DR Linux 2.6 rootkit released Bas Alberts (Sep 04)
- Re: DR Linux 2.6 rootkit released Bas Alberts (Sep 04)
- Re: DR Linux 2.6 rootkit released Mohammad Hosein (Sep 04)
- Re: DR Linux 2.6 rootkit released Valdis . Kletnieks (Sep 04)
- Re: DR Linux 2.6 rootkit released Jon Oberheide (Sep 05)
- Re: DR Linux 2.6 rootkit released Curt Wilson (Sep 05)
- Re: DR Linux 2.6 rootkit released Mohammad Hosein (Sep 04)