Re: Kernel Rootkits

From: Daniel Souza
Date: Fri Apr 15 2005 - 14:41:09 EST

Next message: Daniel Souza: "Re: Kernel Rootkits"
Previous message: Tomasz Chmielewski: "Re: [SATA] status reports updated"
In reply to: Allison: "Re: Kernel Rootkits"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 4/15/05, Allison <fireflyblue@xxxxxxxxx> wrote:
> Isn't the kernel code segment marked read-only ? How can the module
> write into the function text in the kernel ? Shouldn't this cause some
> kind of protection fault ?

The kernel code segment is totally unacessible to userspace programs,
and to kernel itself, is marked read-write. A module runs at kernel
level, so, it has +rw to kernel memory. Each process has a task
structure that defines the top of memory that the user process can
access (current->fs). In normal processes, this is 0xbfffff (the last
adressable memory in user mode). After that, 0xc00000, starts the
kernel code. If, by using any method, a user process receives a
(current->fs = KERNEL_DS), it will be able to fully access the kernel
memory. As mentioned, this is unsual.

--
# (perl -e "while (1) { print "\x90"; }") | dd of=/dev/evil
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Daniel Souza: "Re: Kernel Rootkits"
Previous message: Tomasz Chmielewski: "Re: [SATA] status reports updated"
In reply to: Allison: "Re: Kernel Rootkits"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]