
List:       dailydave
Subject:    Re: [Dailydave] A growing darkness
From:       "Robert Holgstad" <rholgstad () gmail ! com>
Date:       2008-08-14 23:27:10
Message-ID: 1278b0690808141627q79052f0ep12518a565322d889 () mail ! gmail ! com


http://packetstormsecurity.nl/UNIX/penetration/rootkits/mood-nt_2.3.tgz

This is an rk for Linux that uses it now. halfdead's article in the last Phrack also explains the idea.

Other question: how does your rootkit enter the kernel (I am guessing this is the loader part)? I am sure you have seen by now that in 2.6.26-stable they have limited access to /dev/mem to BIOS, PCI, and non-RAM addresses for hardware, and completely killed kmem, which kills many people's rk research.

On Thu, Aug 14, 2008 at 2:47 PM, Dave Aitel <dave@immunityinc.com> wrote:

> [2] I think a Windows rootkit uses this hooking technique but I can't
> remember which one.
>
>

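The /dev/mem restriction mentioned above is what CONFIG_STRICT_DEVMEM enforces: on x86 the kernel's devmem_is_allowed() lets /dev/mem reach the first 1 MiB (BIOS/legacy area) and any page that is not System RAM, and refuses everything else with EPERM, while /dev/kmem is simply gone. The program below is an added example, not code from the post, from mood-nt or from the kernel itself: it models that rule in userland against a constructed /proc/iomem excerpt (the addresses are a typical but invented x86 layout, not captured from a real machine) so you can predict which physical addresses a 2.6.26+ kernel will still hand out, and it carries a live probe that reads one byte through /dev/mem to confirm what the running kernel actually does. The probe needs root and a kernel that exposes /dev/mem at all; in a container it will usually report DEVMEM_NO_DEVICE.

```c
/* strict_devmem_probe.c: added example, not part of the mailing-list post.
 * Models the x86 STRICT_DEVMEM rule (2.6.26+) and probes the live /dev/mem. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define PAGE_SHIFT 12

/* Outcome of a live /dev/mem read probe. */
enum devmem_status {
    DEVMEM_NO_DEVICE,     /* open() failed: no /dev/mem, not root, device cgroup */
    DEVMEM_READ_OK,       /* read succeeded: the page is reachable via /dev/mem */
    DEVMEM_READ_BLOCKED,  /* read returned EPERM: STRICT_DEVMEM refused the page */
    DEVMEM_READ_OTHER     /* some other read error (EFAULT, ENXIO, ...) */
};

/* Constructed /proc/iomem excerpt (assumption: a typical x86 layout; the
 * ranges are invented for the example, not captured from a real machine). */
static const char sample_iomem[] =
    "00000000-0000ffff : reserved\n"
    "00010000-0009fbff : System RAM\n"
    "0009fc00-0009ffff : reserved\n"
    "000f0000-000fffff : reserved\n"
    "00100000-3ffdffff : System RAM\n"
    "  01000000-01562fff : Kernel code\n"
    "3ffe0000-3fffffff : reserved\n"
    "fec00000-fec003ff : IOAPIC 0\n"
    "fee00000-fee00fff : Local APIC\n";

/* Returns 1 if physical page 'pagenr' lies inside a top-level "System RAM"
 * range of the given /proc/iomem text, else 0. Indented (nested) entries such
 * as "Kernel code" are children of a RAM range and are skipped because the
 * parent range already covers them. */
int page_is_ram(const char *iomem, unsigned long pagenr)
{
    unsigned long long addr = (unsigned long long)pagenr << PAGE_SHIFT;
    const char *line = iomem;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        unsigned long long start, end;
        char name[64] = {0};
        if (line[0] != ' ' &&
            sscanf(line, "%llx-%llx : %63[^\n]", &start, &end, name) == 3 &&
            strcmp(name, "System RAM") == 0 &&
            addr >= start && addr <= end)
            return 1;
        line += len;
        if (*line == '\n')
            line++;
    }
    return 0;
}

/* The STRICT_DEVMEM rule as the 2.6.26 x86 kernel applies it: page numbers
 * up to 256 (the first 1 MiB, where BIOS and legacy areas live) are always
 * allowed; above that, only pages that are not System RAM. */
int devmem_is_allowed(const char *iomem, unsigned long pagenr)
{
    if (pagenr <= 256)
        return 1;
    if (!page_is_ram(iomem, pagenr))
        return 1;
    return 0;
}

/* Live probe: read one byte of physical address 'phys' through /dev/mem.
 * Needs root; on a STRICT_DEVMEM kernel a RAM page yields EPERM. (off_t may
 * be 32-bit without large-file support; keep phys below 4 GiB there.) */
enum devmem_status probe_devmem(unsigned long long phys)
{
    unsigned char byte;
    int fd = open("/dev/mem", O_RDONLY);
    if (fd < 0)
        return DEVMEM_NO_DEVICE;
    ssize_t n = -1;
    if (lseek(fd, (off_t)phys, SEEK_SET) != (off_t)-1)
        n = read(fd, &byte, 1);
    int err = errno;
    close(fd);
    if (n == 1)
        return DEVMEM_READ_OK;
    return err == EPERM ? DEVMEM_READ_BLOCKED : DEVMEM_READ_OTHER;
}

int main(void)
{
    /* BIOS area, 16 MiB of conventional RAM, and the local APIC MMIO page. */
    const unsigned long long probes[] = { 0xF0000ULL, 0x1000000ULL, 0xFEE00000ULL };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        unsigned long pagenr = (unsigned long)(probes[i] >> PAGE_SHIFT);
        printf("phys 0x%llx: STRICT_DEVMEM would %s; live probe -> %d\n",
               probes[i],
               devmem_is_allowed(sample_iomem, pagenr) ? "allow" : "block",
               (int)probe_devmem(probes[i]));
    }
    return 0;
}
```

The practical reading of the model: a loader that wrote into kernel text through /dev/mem relied on the third case (RAM above 1 MiB), which is exactly the one that now returns EPERM; the BIOS window and device MMIO ranges remain readable, which is why the remaining /dev/mem users are things like BIOS dumpers and PCI tools rather than kernel patchers. To check a real machine, replace sample_iomem with the contents of /proc/iomem and run the probe as root.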



_______________________________________________
Dailydave mailing list
Dailydave@lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave

