Full Disclosure mailing list archives
Re: System monitor scheme
From: Caraciola <caraciola () gmx net>
Date: Wed, 29 Oct 2003 22:36:21 +0200
That will open a big can of worms....

To start, the exeloader has to supply an image of TEXT and CODE segments (x86), feed that to a function which fingerprints this (PoC with gnupg?), a daemon has to check every process/thread each ? second or so, housekeeping of the results... I think it will be costly in performance terms. And where do you start, it would have to be done on the OS itself, should spread of course to the disk-images of exes and so on.

In the end you will need hardware to secure the machine itself (heard of TCPA?). Easiest way to achieve this would be a machine with separate memory for data and program, so the hardware grants there is no write to the code area after initial load.....

have fun thinking about the ins and outs of this ...

Caraciola
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
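The scheme sketched in the message above (fingerprint each process's code segments at load, then recheck them from a daemon), as an added example that is not part of the original post. It assumes a Linux-style /proc/<pid>/maps layout, uses SHA-256 from hashlib in place of the gnupg proof of concept the post suggests, and runs on constructed sample data; all function names are hypothetical.

```python
import hashlib
import re

# Constructed sample in Linux /proc/<pid>/maps format (not from the post).
SAMPLE_MAPS = """\
08048000-08049000 r-xp 00000000 03:01 1234 /usr/bin/demo
08049000-0804a000 rw-p 00001000 03:01 1234 /usr/bin/demo
40000000-40002000 r-xp 00000000 03:01 5678 /lib/libdemo.so
bffff000-c0000000 rwxp 00000000 00:00 0 [stack]
"""
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")

def code_regions(maps_text):
    """Return (start, end, path) for file-backed, executable, non-writable maps."""
    regions = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        start, end, perms, path = int(m[1], 16), int(m[2], 16), m[3], m[4]
        if "x" in perms and "w" not in perms and path.startswith("/"):
            regions.append((start, end, path))
    return regions

def fingerprint(maps_text, read_mem):
    """Hash every code region; read_mem(start, length) must return bytes.
    On a live system read_mem would seek and read /proc/<pid>/mem."""
    return {(s, p): hashlib.sha256(read_mem(s, e - s)).hexdigest()
            for s, e, p in code_regions(maps_text)}

def changed_regions(baseline, current):
    """Regions whose hash differs, or that appeared or vanished since baseline."""
    return sorted(k for k in baseline.keys() | current.keys()
                  if baseline.get(k) != current.get(k))

def demo():
    # Constructed process memory: one NOP-filled buffer per code region.
    mem = {s: bytearray(b"\x90" * (e - s)) for s, e, _ in code_regions(SAMPLE_MAPS)}
    read_mem = lambda start, length: bytes(mem[start][:length])
    baseline = fingerprint(SAMPLE_MAPS, read_mem)        # taken at load time
    clean = changed_regions(baseline, fingerprint(SAMPLE_MAPS, read_mem))
    mem[0x40000000][0x10] = 0xCC                         # one-byte in-memory patch
    tampered = changed_regions(baseline, fingerprint(SAMPLE_MAPS, read_mem))
    return clean, tampered

if __name__ == "__main__":
    print(demo())
```

Every recheck rehashes each full code region of each process, which is the performance cost the message anticipates.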
Current thread:
- System monitor scheme - anyone know anything like this? Glenn_Everhart (Oct 29)
- Re: System monitor scheme Caraciola (Oct 29)
- Re: System monitor scheme Valdis . Kletnieks (Oct 29)
- Re: System monitor scheme Bill Royds (Oct 29)
- Re: System monitor scheme Caraciola (Oct 29)