Re: [Full-disclosure] Microsoft GhostBuster Opinions
- To: dk <dk@xxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Microsoft GhostBuster Opinions
- From: Ron DuFresne <dufresne@xxxxxxxxxxxxx>
- Date: Fri, 18 Mar 2005 17:19:55 -0600 (CST)
On Fri, 18 Mar 2005, dk wrote:
> Ron DuFresne wrote:
>
> > If the kernel is modified, on a windows or *nix system, you are going to
> > have a clear clue upfront; the system will have rebooted. Course, a
>
> That's a dangerous position to believe, at least with the linux kernel
> (man insmod). Aside from just loading a kernel module that wraps system
> calls, one has been able to directly modify kernel memory for years,
> even without kernel bugs. Hence the utility of PaX, grsec, etc, etc.
>
> In fact a few popular RK's do just this via /dev/kmem (bypassing module
> loading) and the like, do they not? (like suckit??)
>
> Further research might be in order. ;-)
>
> http://www.l0t3k.org/biblio/kernel/english/runtime-kernel-kmem-patching.txt
>
> http://www.phrack.org/show.php?p=58&a=7
>
> http://www.l0t3k.org/security/docs/rootkit/
>
Agreed, thanks again to you and the earlier posters for correcting me.
Thanks,
Ron DuFresne
--
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
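The reply above makes the point that kernel memory can be patched at runtime through /dev/kmem without loading a module, so a reboot is no clue. The following is an added defender-side audit script, not code from the thread or its posters: it reports whether the raw memory device nodes exist and who may write them, and whether the running kernel's build config still compiles in /dev/kmem (CONFIG_DEVKMEM) or leaves /dev/mem unrestricted (CONFIG_STRICT_DEVMEM). The device directory and config file are parameters so it can be run against a constructed tree; the /boot/config-$(uname -r) path is an assumption for Linux hosts.

```shell
#!/bin/sh
# Added example (not from the thread): audit the runtime kernel-memory
# interfaces a /dev/kmem-patching rootkit depends on.
# kmem_audit DEVDIR CONFIGFILE -> prints findings, count left in KMEM_FINDINGS

kmem_audit() {
  KMEM_FINDINGS=0
  for node in kmem mem port; do
    if [ -e "$1/$node" ]; then
      perms=$(ls -ld "$1/$node" | cut -c1-10)
      echo "device present: $1/$node ($perms)"
      KMEM_FINDINGS=$((KMEM_FINDINGS + 1))
      # group- or world-writable raw memory node is a finding in itself
      case $perms in
        ?????w*|????????w*)
          echo "  writable beyond owner: $1/$node"
          KMEM_FINDINGS=$((KMEM_FINDINGS + 1)) ;;
      esac
    fi
  done
  if [ -r "$2" ]; then
    if grep -q '^CONFIG_DEVKMEM=y' "$2"; then
      echo "CONFIG_DEVKMEM=y: kernel exposes /dev/kmem"
      KMEM_FINDINGS=$((KMEM_FINDINGS + 1))
    fi
    if ! grep -q '^CONFIG_STRICT_DEVMEM=y' "$2"; then
      echo "CONFIG_STRICT_DEVMEM unset: /dev/mem can reach kernel RAM"
      KMEM_FINDINGS=$((KMEM_FINDINGS + 1))
    fi
  else
    echo "kernel config not readable: $2 (cannot check CONFIG_DEVKMEM)"
  fi
  echo "findings: $KMEM_FINDINGS"
  return 0
}

# Run against the live host when executed directly (assumed config path).
kmem_audit /dev "/boot/config-$(uname -r)"
```

A zero count does not prove the kernel is clean; it only means the easy runtime-patching doors are shut, and the symbol-table comparison tools in the linked papers are still worth running.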
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/