Vulnerability Development mailing list archives

Re: Positive uses for rootkits
From: Ryan Permeh <ryan () EEYE COM>
Date: Wed, 28 Mar 2001 09:31:28 -0800

There are kernel debuggers that use /dev/kmem.  Using this same methodology,
you could create an in-memory kernel patcher that could inject rootkit code
into a running kernel.
Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer

----- Original Message -----
From: "Martin 'Goran' Moravec" <goran () UCW CZ>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Tuesday, March 27, 2001 1:16 PM
Subject: Re: Positive uses for rootkits



That is a great strategy to follow.  Take it another step tho.  If this
is a server we are talking about, don't even put devel. tools on the
box.  Build your small static kernel elsewhere and copy it to the box.

There *are* ways around this, but you gotta be good.  If you play with
memory locations directly, there are ways to load a module even on a
static monolithic kernel.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
HOW ?! (with modules disabled)
seems insane to me, although I'm not a kernel hacker.

But as I said, you gotta be real good.  Read that as "no script kiddies"

-b


Goran


