From: dufresne at winternet.com (Ron DuFresne)
Subject: Microsoft GhostBuster Opinions

On Fri, 18 Mar 2005, dk wrote:

> Ron DuFresne wrote:
>
> > If the kernel is modified, on a windows or *nix system, you are going to
> > have a clear clue upfront;  the system will have rebooted.  Course, a
>
> That's a dangerous position to believe, at least with the linux kernel
> (man insmod). Aside from just loading a kernel module that wraps system
> calls, one has been able to directly modify kernel memory for years,
> even without kernel bugs. Hence the utility of PaX, grsec, etc, etc.
>
> In fact a few popular RK's do just this via /dev/kmem (bypassing module
> loading) and the like do they not? (like suckit??)
>
> Further research might be in order.  ;-)
>
> http://www.l0t3k.org/biblio/kernel/english/runtime-kernel-kmem-patching.txt
>
> http://www.phrack.org/show.php?p=58&a=7
>
> http://www.l0t3k.org/security/docs/rootkit/
>


Agreed, thanks again to you and the earlier posters for correcting me.

Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
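
The two runtime paths named in the quoted reply (module loading and /dev/kmem) can be checked from a defender's side without waiting for a reboot as a signal. The script below is an added example, not part of the original thread; the function names, the `ROOT` prefix argument and the inclusion of /dev/mem are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: which runtime kernel-modification paths are open on a host?
# ROOT (hypothetical parameter) prefixes every path so the checks can run
# against a constructed directory tree; empty ROOT means the live system.

# Print memory device nodes that exist. /dev/kmem is the one named in the
# thread; /dev/mem is included here as an assumption for "and the like".
kmem_devices() {
    root=${1:-}
    for dev in /dev/kmem /dev/mem; do
        [ -e "$root$dev" ] && printf '%s\n' "$dev"
    done
    return 0
}

# "locked" if kernel.modules_disabled=1 (no further insmod until reboot),
# "open" if 0, "unknown" if the sysctl is not readable.
module_loading_state() {
    f="${1:-}/proc/sys/kernel/modules_disabled"
    if [ ! -r "$f" ]; then echo unknown
    elif [ "$(cat "$f")" = 1 ]; then echo locked
    else echo open
    fi
}

# Decode the module-related bits of /proc/sys/kernel/tainted.
taint_flags() {
    f="${1:-}/proc/sys/kernel/tainted"
    [ -r "$f" ] || { echo unknown; return 0; }
    t=$(cat "$f")
    case $t in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    out=""
    [ $(( t & 1 )) -ne 0 ]    && out="$out proprietary-module"
    [ $(( t & 2 )) -ne 0 ]    && out="$out forced-load"
    [ $(( t & 4096 )) -ne 0 ] && out="$out out-of-tree-module"
    [ $(( t & 8192 )) -ne 0 ] && out="$out unsigned-module"
    out=${out# }
    echo "${out:-none}"
}

report() {
    echo "module loading: $(module_loading_state "${1:-}")"
    echo "memory devices: $(kmem_devices "${1:-}" | tr '\n' ' ')"
    echo "module taint:   $(taint_flags "${1:-}")"
}

report "${1:-}"
```

A clean taint value only rules out ordinary module loads; writes made through /dev/kmem leave it untouched, which is why the device check is reported separately.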
