Vulnerability Development mailing list archives

Re: Positive uses for rootkits


From: Gregor Binder <gbinder () sysfive com>
Date: Thu, 29 Mar 2001 10:53:55 +0200

Ryan Permeh on Wed, Mar 28, 2001 at 09:31:28AM -0800:

Ryan,

> there are kernel debuggers that use /dev/kmem.  Using this same methodology,
> you could create an in-memory kernel patcher that could inject rootkit code
> into a running kernel.

Absolutely, and you don't even have to have much more than a debugger
macro, no need for a patching tool. (On systems that have such a
debugger.)

Think about this:

echo "$<your_leet_adb_macro" | adb -I /tmp -w -k /dev/ksyms /dev/mem

where /tmp/your_leet_adb_macro merely needs to contain positioning code,
and the instructions you want to place at whatever location you decided
to patch, all written as adb commands.

Since you have symbols available, it shouldn't be too hard to find the
call you want to mess with ... getting the assembly instructions right
will be a lot harder, as well as staying inside the function and not
freezing/panicking your box during development (well, just boot in kadb
and undo your changes if that happens and deal with it ;))

The concept above is the Solaris way to do it, while it would still work
on many SVR4-style UNIXes. On BSDs, you might get there with kdb or ddb;
on Linux you'd probably have to use something homegrown targeted at
this particular use, since no one will build the SGI kernel debugger
into their system just for you to penetrate it :)

I think it would be *a lot* easier to hide a rootkit like this, and one
of the few techniques that will get you good results even on trusted
boxes (given you can get to /dev/mem somehow).

Regards,

--
Gregor Binder       <gregor.binder () sysfive com>      http://sysfive.com/
sysfive.com GmbH               UNIX. Networking. Security. Applications.
PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55
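As an added example (not from Gregor's or Ryan's posts, and not any real tool), the positioning-and-write idea behind the adb macro above as a small C program run against an ordinary file instead of /dev/kmem, so it can be tried without root. The ksyms-like "hexaddr name" table layout, the addresses, the symbol names, the image base and the x86 "return 0" stub are all constructed for the demo. It also carries the check a defender would want: comparing the bytes at a symbol in the live image against a reference copy (the on-disk kernel in the real case), which is precisely what a patch written this way cannot hide from.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_SYMS    64
#define SYMNAME_MAX 64

struct sym    { uint64_t addr; char name[SYMNAME_MAX]; };
struct symtab { struct sym syms[MAX_SYMS]; int n; };

/* Constructed symbol table in a ksyms/nm-like "hexaddr name" layout.
 * Addresses and names are made up for this demo. */
static const char *CONSTRUCTED_KSYMS =
    "fffffe0000001000 _start\n"
    "fffffe0000001040 example_syscall\n"
    "fffffe0000001080 example_other\n";

/* Assumed kernel address that offset 0 of the image file corresponds to. */
static const uint64_t IMAGE_BASE = 0xfffffe0000001000ULL;

/* Parse "hexaddr name" lines into t; returns symbol count or -1. */
static int symtab_parse(struct symtab *t, const char *text)
{
    const char *p = text;
    t->n = 0;
    while (*p) {
        char *end;
        errno = 0;
        unsigned long long a = strtoull(p, &end, 16);
        if (end == p || errno) return -1;
        while (*end == ' ' || *end == '\t') end++;
        size_t len = strcspn(end, "\n");
        if (len == 0 || len >= SYMNAME_MAX || t->n >= MAX_SYMS) return -1;
        t->syms[t->n].addr = a;
        memcpy(t->syms[t->n].name, end, len);
        t->syms[t->n].name[len] = '\0';
        t->n++;
        p = end + len;
        if (*p == '\n') p++;
    }
    return t->n;
}

/* Resolve a name to its address; 0 on success, -1 if unknown. */
static int symtab_lookup(const struct symtab *t, const char *name, uint64_t *out)
{
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->syms[i].name, name) == 0) { *out = t->syms[i].addr; return 0; }
    return -1;
}

/* The "positioning code" plus write: translate a kernel address into an
 * image offset and overwrite len bytes there (what adb -w does on /dev/mem). */
static int image_patch(int fd, uint64_t base, uint64_t addr, const void *bytes, size_t len)
{
    if (addr < base) return -1;
    ssize_t w = pwrite(fd, bytes, len, (off_t)(addr - base));
    return (w == (ssize_t)len) ? 0 : -1;
}

/* Defensive counterpart: compare a window at a symbol in the live image with
 * the same window in a reference copy. 1 = identical, 0 = differs, -1 = error. */
static int image_compare(int live_fd, int ref_fd, uint64_t base, uint64_t addr, size_t len)
{
    unsigned char a[64], b[64];
    if (addr < base || len > sizeof a) return -1;
    off_t off = (off_t)(addr - base);
    if (pread(live_fd, a, len, off) != (ssize_t)len) return -1;
    if (pread(ref_fd, b, len, off) != (ssize_t)len) return -1;
    return memcmp(a, b, len) == 0;
}

/* Build two identical constructed images, patch the live one at
 * example_syscall, and confirm the symbol-anchored comparison catches it.
 * Returns 1 on the expected outcome, a negative code otherwise. */
static int demo(void)
{
    struct symtab t;
    uint64_t target;
    unsigned char img[256];
    char live_path[] = "/tmp/kmem-live-XXXXXX", ref_path[] = "/tmp/kmem-ref-XXXXXX";
    const unsigned char stub[] = { 0x31, 0xc0, 0xc3 }; /* hypothetical x86: xor eax,eax; ret */
    int live = -1, ref = -1, before, after, rc = -1;

    if (symtab_parse(&t, CONSTRUCTED_KSYMS) != 3) return -2;
    if (symtab_lookup(&t, "example_syscall", &target) != 0) return -3;
    for (size_t i = 0; i < sizeof img; i++) img[i] = (unsigned char)i;

    live = mkstemp(live_path);
    ref  = mkstemp(ref_path);
    if (live < 0 || ref < 0) goto out;
    if (write(live, img, sizeof img) != (ssize_t)sizeof img) goto out;
    if (write(ref,  img, sizeof img) != (ssize_t)sizeof img) goto out;

    before = image_compare(live, ref, IMAGE_BASE, target, sizeof stub); /* expect 1 */
    if (image_patch(live, IMAGE_BASE, target, stub, sizeof stub) != 0) goto out;
    after  = image_compare(live, ref, IMAGE_BASE, target, sizeof stub); /* expect 0 */
    rc = (before == 1 && after == 0) ? 1 : -4;
out:
    if (live >= 0) { close(live); unlink(live_path); }
    if (ref  >= 0) { close(ref);  unlink(ref_path);  }
    return rc;
}

int main(void)
{
    printf("demo result: %d (1 = patch applied and detected)\n", demo());
    return 0;
}
```

Against a real system the file descriptors would be /dev/kmem or /dev/mem (which is exactly why access to them matters) and the reference would be the kernel on disk; the adb macro in the post collapses the lookup and the write into a debugger one-liner, but the two steps, and the comparison that exposes them, are the same.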

