how to prevent this except
- Code: Select all
echo 1 > /proc/sys/kernel/grsecurity/disable_modules
DR rootkit
2 posts
• Page 1 of 1
DR rootkit
by voron » Sat Sep 06, 2008 3:21 am
http://lists.immunitysec.com/pipermail/ ... 05323.html
how to prevent this except
how to prevent this except
- voron
- Posts: 22
- Joined: Mon May 29, 2006 8:54 am
Re: DR rootkit
by spender » Thu Sep 18, 2008 10:30 am
There are many ways grsec can be used to prevent insertion of this rootkit, even if the injection method is altered (MODSTOP, RBAC system, /dev/mem restrictions).
Also, due to a bug in the rootkit, the presence of KERNEXEC will cause it to crash the system instead of being able to hook do_debug() successfully. They assume kernel code to be writable, and don't wrap their writes with cr0 modifications to clear/set WP.
-Brad
Also, due to a bug in the rootkit, the presence of KERNEXEC will cause it to crash the system instead of being able to hook do_debug() successfully. They assume kernel code to be writable, and don't wrap their writes with cr0 modifications to clear/set WP.
-Brad
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
2 posts
• Page 1 of 1