Full Disclosure mailing list archives

Re: System monitor scheme

From: Caraciola <caraciola () gmx net>
Date: Wed, 29 Oct 2003 22:36:21 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

That will open a big can of worms.... to start the exeloader has to supply an 
image of TEXT and CODE segments (x86), feed that to a function which 
fingerprints this ( PoC with gnupg ?), a daemon has to check every 
process/thread each ? second or so, housekeeping of the results... i think it 
will be costly in performance terms. And where do you start, it would have to 
be done on the OS itself, should spread of course to the disk-images of exes 
and so on. In the end you will need hardware to secure the machine itself ( 
heard of TCPA ?). Easiest way to achieve this would be a machine with 
seperate memory for data and program, so the hardware grants there is no 
write to the code area after initial load.....

have fun thinking about the ins and outs of this ...

Caraciola


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE/oCTUANzMondHN+cRAr9+AJ4jw2OA/OUpNbIOy/whf4VVqnW73wCgsK/J
1117UGVkdEpu27nVYV4Pfsc=
=2A1L
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

System monitor scheme - anyone know anything like this? Glenn_Everhart (Oct 29)
- Re: System monitor scheme Caraciola (Oct 29)
  - Re: System monitor scheme Valdis . Kletnieks (Oct 29)
  - Re: System monitor scheme Bill Royds (Oct 29)