Educause Security Discussion mailing list archives
Re: Rootkit discovery tools
From: Graham Toal <gtoal () UTPA EDU>
Date: Tue, 27 Jun 2006 08:51:45 -0500
> Our requirement is to build a "toolkit" for our technicians to be able to scan and detect on each server in our environment.
The biggest problem you may have will be that *all* rootkit detectors almost by definition have to be stand-alone booting. This doesn't scale too well to an enterprise, if you have to implement it by someone going machine to machine. My suggestion then would be to come up with a bootstrap mechanism (such as a netboot) which first booted the rootkit detector, which would run on every boot, which when finished would then invoke the 'normal' bootstrap for the operating system itself, whichever one that happened to be. I'm none too clear on how one might do this, but I'd guess that maybe netbooting for the first bootstrap might be involved.

Graham

PS RootkitRevealer is the only one I know of that is even likely to work from within Windows itself, if we can't come up with a clever chained bootstrap trick.
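Editor's added example (not code from the list or from any tool the thread names): the check a netbooted detector could run over the target disk before chain-loading the installed OS. It builds a path-to-hash manifest of a mounted tree from the trusted environment, diffs it against a stored baseline, and does a RootkitRevealer-style cross-view comparison in which anything the offline view sees but the running OS's own listing omits is flagged. The function names (`build_manifest`, `compare`, `cross_view_hidden`, `demo`) and the sample files it creates in a temporary directory are constructed for illustration.

```python
"""Offline baseline and cross-view check for a chained-bootstrap rootkit detector.

Added example, not from the original post. The tree it scans is constructed
in a temporary directory; in real use `root` would be the target OS's disk
mounted read-only from the detector's own boot environment.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Walk `root` from the trusted (offline) environment and record
    relative path -> (size, sha256). Because the target OS is not running,
    its kernel cannot filter or forge what this walk sees."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[p.relative_to(root).as_posix()] = (p.stat().st_size, h.hexdigest())
    return manifest


def compare(baseline, current):
    """Diff two manifests: files added, removed, or changed since the baseline.
    Size and hash are both compared, so a same-size replacement still shows."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def cross_view_hidden(offline_paths, live_paths):
    """Cross-view check: paths present in the offline manifest but missing from
    the listing the running OS reports are candidates for kernel-level hiding."""
    return sorted(set(offline_paths) - set(live_paths))


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\n")
        baseline = build_manifest(root)

        # Simulated tampering: a same-size replacement of bin/ls and a new file.
        (root / "bin" / "ls").write_bytes(b"trojaned ls binary")
        (root / "lib").mkdir()
        (root / "lib" / "kmod.ko").write_bytes(b"\x7fELF constructed sample")
        current = build_manifest(root)
        diff = compare(baseline, current)

        # Simulated listing from inside the running OS that omits the new file,
        # which is what a hidden-file rootkit would produce.
        live_listing = [p for p in current if p != "lib/kmod.ko"]
        hidden = cross_view_hidden(current.keys(), live_listing)
        return diff, hidden


if __name__ == "__main__":
    diff, hidden = demo()
    print("changed since baseline:", diff)
    print("present offline, absent from live view:", hidden)
```

The baseline manifest has to be stored somewhere the target OS cannot rewrite (the netboot server, or read-only media carried by the technician), otherwise a compromised host can simply update it to match. The cross-view half only works when the "live" listing really comes from the suspect OS and the offline manifest really comes from a separate boot; the two views taken from the same running kernel would agree by construction.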
Current thread:
- Rootkit discovery tools John Tooley (Jun 26)
- <Possible follow-ups>
- Re: Rootkit discovery tools Wes Young (Jun 27)
- Re: Rootkit discovery tools David Taylor (Jun 27)
- Re: Rootkit discovery tools Caroline Couture (Jun 27)
- Re: Rootkit discovery tools Graham Toal (Jun 27)
- Re: Rootkit discovery tools Wyman Miles (Jun 27)
- Re: Rootkit discovery tools David Boyer (Jun 27)
- Re: Rootkit discovery tools James H Moore (Jun 27)
- Re: Rootkit discovery tools David Taylor (Jun 27)
- Re: Rootkit discovery tools Mike Wiseman (Jun 27)
- Re: Rootkit discovery tools Graham Toal (Jun 27)
- Re: Rootkit discovery tools Wyman Miles (Jun 27)
- Re: Rootkit discovery tools Valdis Kletnieks (Jun 28)
- Re: Rootkit discovery tools Graham Toal (Jun 28)
- Re: Rootkit discovery tools Valdis Kletnieks (Jun 28)
(Thread continues...)