Re: Kernel Rootkits

From: Daniel Souza
Date: Fri Apr 15 2005 - 13:48:37 EST

Next message: Tomasz Chmielewski: "Re: [SATA] status reports updated"
Previous message: Lennart Sorensen: "Re: Kernel Rootkits"
In reply to: Andre Tomt: "Re: Kernel Rootkits"
Next in thread: Lee Revell: "Re: Kernel Rootkits"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

PS: suckit is not loaded as a kernel module. it uses interrupt gates
to allocate kernel memory and install itself in that memory block,
patching some syscalls and doing other stuffs.

A way to "protect" system calls is, after boot a trusted kernel image,
take a MD5 of the syscalls functions implementations (the opcodes that
are part of sys_read for example) and store it in a secure place. To
verify the integrity of system calls, we can check the current
checksum with the stored ones. Of course, there are other ways to trap
syscalls and hook the system instead of just replace the syscall table
or add JMPs to the start of functions implementation. In that way,
everytime somebody will find another way to trick the system and
bypass this 'protection'.

--
# (perl -e "while (1) { print "\x90"; }") | dd of=/dev/evil
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Tomasz Chmielewski: "Re: [SATA] status reports updated"
Previous message: Lennart Sorensen: "Re: Kernel Rootkits"
In reply to: Andre Tomt: "Re: Kernel Rootkits"
Next in thread: Lee Revell: "Re: Kernel Rootkits"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]