public inbox for linux-kernel@vger.kernel.org
From: Daniel Souza <thehazard@gmail.com>
To: Allison <fireflyblue@gmail.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: Kernel Rootkits
Date: Fri, 15 Apr 2005 11:34:29 -0700
Message-ID: <e1e1d5f405041511342af714c1@mail.gmail.com>
In-Reply-To: <17d79880504151115744c47bd@mail.gmail.com>

In fact, LKMs are not the only way to make code run in the kernel. In
fact, we can install a kernel rootkit even when LKM support is
disabled. For example, by patching kernel memory, you can modify the
behavior of the kernel on-the-fly without restarting the machine, just
by inserting code at the right memory addresses (generally by writing
to /dev/mem or /dev/kmem, or using other methods like setting the
userspace memory limit to KERNEL_DS and writing to addressable kernel
memory. You can also insert code into existing kernel modules (for
example, your NIC driver) to be executed when the kernel shuts up).
LKMs have the advantage of relocation (i.e., the kernel's internal
function addresses are "readdressed" to fit the existing function
addresses, and a call to printk will point to the start of the printk
function in kernel memory). Injecting executable code into kernel
memory can be done without LKM support, but it is also not
automatically relocated. There are some tricks to make injected code
work fine, like using only non-global variables and allocating the
needed memory space on the stack, or doing a hard relocation of the
binary code to be injected before the injection, etc.

Google for things like "suckit". phrack is also a good start.

-- 
# (perl -e "while (1) { print "\x90"; }") | dd of=/dev/evil
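The message above names the kernel write paths a non-LKM rootkit would use (/dev/mem, /dev/kmem, module loading). The following audit script is an added example, not part of the original thread or any poster's code: it checks a host for those exposures from a hardening standpoint. Every interface it reads (/dev/kmem, /dev/mem, CONFIG_STRICT_DEVMEM, kernel.modules_disabled, the lockdown LSM file) is a real kernel feature; the ROOT and CONFIG parameters are assumptions of this example so the checks can be run against a staged directory tree rather than only the live system.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a Linux host for the
# kernel memory write paths discussed above. ROOT and CONFIG are assumed
# parameters of this example so the checks can run against a staged tree.
#
# Usage: audit_kernel_mem_exposure [ROOT] [CONFIG]
#   ROOT   - prefix for /dev, /proc and /sys (default: the live system)
#   CONFIG - kernel config file (default: /boot/config-$(uname -r))
# Prints one line per check; the return value is the number of exposures.
audit_kernel_mem_exposure() {
    root="${1:-}"
    cfg="${2:-/boot/config-$(uname -r)}"
    exposed=0

    # 1. /dev/kmem maps kernel virtual memory directly. It exists only when
    #    the kernel was built with CONFIG_DEVKMEM, and was removed in 5.13.
    if [ -e "$root/dev/kmem" ]; then
        echo "EXPOSED: $root/dev/kmem exists (direct kernel virtual memory access)"
        exposed=$((exposed + 1))
    else
        echo "ok: no /dev/kmem"
    fi

    # 2. /dev/mem maps physical memory. CONFIG_STRICT_DEVMEM limits it to
    #    device memory, so kernel text and data are not reachable through it.
    if [ -e "$root/dev/mem" ]; then
        if [ -r "$cfg" ] && grep -q '^CONFIG_STRICT_DEVMEM=y' "$cfg"; then
            echo "ok: /dev/mem present but CONFIG_STRICT_DEVMEM=y"
        else
            echo "EXPOSED: $root/dev/mem present and CONFIG_STRICT_DEVMEM not confirmed"
            exposed=$((exposed + 1))
        fi
    else
        echo "ok: no /dev/mem"
    fi

    # 3. kernel.modules_disabled=1 is a one-way sysctl that refuses any
    #    further module load, closing the LKM route the thread started from.
    f="$root/proc/sys/kernel/modules_disabled"
    if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then
        echo "ok: module loading disabled (modules_disabled=1)"
    else
        echo "EXPOSED: module loading still permitted"
        exposed=$((exposed + 1))
    fi

    # 4. Kernel lockdown (5.4+) in integrity or confidentiality mode blocks
    #    /dev/mem, /dev/kmem, unsigned modules and similar write paths at once.
    #    The file reads like "none [integrity] confidentiality".
    f="$root/sys/kernel/security/lockdown"
    if [ -r "$f" ] && grep -q -e '\[integrity\]' -e '\[confidentiality\]' "$f"; then
        echo "ok: kernel lockdown active: $(cat "$f")"
    else
        echo "EXPOSED: kernel lockdown not active"
        exposed=$((exposed + 1))
    fi

    echo "exposures: $exposed"
    return "$exposed"
}

# Run against the live system only when explicitly asked, so the file can
# also be sourced:  AUDIT_LIVE=1 sh audit_kernel_mem.sh
if [ "${AUDIT_LIVE:-0}" = "1" ]; then
    audit_kernel_mem_exposure
fi
```

The return value doubles as a count, so the script fits a configuration-check job: a nonzero exit means at least one of the write paths from the message is still open. Each check reports "not confirmed" rather than "safe" when the evidence is missing (no readable config, no lockdown file on an older kernel), which keeps an absent interface from being mistaken for a hardened one.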
