List: dailydave
Subject: Re: [Dailydave] A growing darkness
From: "Robert Holgstad" <rholgstad () gmail ! com>
Date: 2008-08-14 23:27:10
Message-ID: 1278b0690808141627q79052f0ep12518a565322d889 () mail ! gmail ! com
http://packetstormsecurity.nl/UNIX/penetration/rootkits/mood-nt_2.3.tgz

This is a rk for Linux that uses it now.
halfdead's article in the last Phrack also explains the idea.

Other question: how does your rootkit enter the kernel (I am guessing this
is the loader part)? I am sure you have seen by now that in 2.6.26 -stable
they have limited access to /dev/mem to BIOS, PCI, and non-RAM addresses for
hardware, and completely killed kmem, which kills many people's rk research.

On Thu, Aug 14, 2008 at 2:47 PM, Dave Aitel <dave@immunityinc.com> wrote:
> [2] I think a Windows rootkit uses this hooking technique but I can't
> remember which one.
>
>
_______________________________________________
Dailydave mailing list
Dailydave@lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave