
DR rootkit

PostPosted: Sat Sep 06, 2008 3:21 am
by voron
http://lists.immunitysec.com/pipermail/ ... 05323.html
How to prevent this, other than:
Code:
echo 1 > /proc/sys/kernel/grsecurity/disable_modules
Just interesting. Maybe debug register protection via the DR7 GD bit and so on (from http://www.phrack.com/issues.html?issue=65&id=8#article)?
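As an added illustration of the DR7 GD bit voron mentions (this is not code from the thread or from grsecurity), the following C decodes an x86 DR7 value into its breakpoint-enable, R/W, LEN and General Detect fields using the layout documented in the Intel SDM. With GD set, any MOV to or from DR0-DR7 raises a #DB before the access completes, which is the mechanism a monitor would rely on to notice debug-register tampering. The sample DR7 values are constructed for illustration; the function names are this example's own.

```c
/* Added example: decode an x86 DR7 register value. Field layout follows the
 * Intel SDM (Vol. 3, "Debug Registers"); sample values are constructed. */
#include <stdint.h>
#include <stdio.h>

#define DR7_GD_BIT 13u   /* General Detect: MOV to/from any DRn raises #DB */

struct dr7_bp {
    int local;       /* Ln: breakpoint armed for the current task */
    int global;      /* Gn: breakpoint armed for all tasks */
    unsigned rw;     /* R/Wn: 0=execute, 1=data write, 2=I/O, 3=data read/write */
    unsigned len;    /* LENn: 0=1 byte, 1=2 bytes, 2=8 bytes (64-bit), 3=4 bytes */
};

struct dr7_fields {
    struct dr7_bp bp[4];
    int le, ge;      /* bits 8, 9: legacy "exact" breakpoint flags */
    int gd;          /* bit 13: General Detect enable */
};

/* Split a raw DR7 value into its architectural fields. */
struct dr7_fields dr7_decode(uint64_t dr7)
{
    struct dr7_fields f;
    for (int n = 0; n < 4; n++) {
        f.bp[n].local  = (dr7 >> (2 * n)) & 1;
        f.bp[n].global = (dr7 >> (2 * n + 1)) & 1;
        f.bp[n].rw     = (dr7 >> (16 + 4 * n)) & 3;
        f.bp[n].len    = (dr7 >> (18 + 4 * n)) & 3;
    }
    f.le = (dr7 >> 8) & 1;
    f.ge = (dr7 >> 9) & 1;
    f.gd = (dr7 >> DR7_GD_BIT) & 1;
    return f;
}

/* Returns 1 if DR7 arms at least one instruction-execution breakpoint
 * (R/Wn == 00 with Ln or Gn set); a monitor that expects no hardware
 * breakpoints in the kernel would treat this as worth investigating. */
int dr7_has_exec_breakpoint(uint64_t dr7)
{
    struct dr7_fields f = dr7_decode(dr7);
    for (int n = 0; n < 4; n++)
        if ((f.bp[n].local || f.bp[n].global) && f.bp[n].rw == 0)
            return 1;
    return 0;
}

/* Returns dr7 with GD set; bit 10 is reserved and architecturally reads as 1. */
uint64_t dr7_with_gd(uint64_t dr7)
{
    return dr7 | (1ull << DR7_GD_BIT) | (1ull << 10);
}

int main(void)
{
    /* Constructed samples: an exec breakpoint on DR0, and a 4-byte data-write
     * breakpoint on DR0 enabled globally. */
    const uint64_t samples[] = { 0x401, 0xD0402 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct dr7_fields f = dr7_decode(samples[i]);
        printf("DR7=0x%llx GD=%d exec_bp=%d\n", (unsigned long long)samples[i],
               f.gd, dr7_has_exec_breakpoint(samples[i]));
        for (int n = 0; n < 4; n++)
            if (f.bp[n].local || f.bp[n].global)
                printf("  DR%d: %s rw=%u len=%u\n", n,
                       f.bp[n].global ? "global" : "local", f.bp[n].rw, f.bp[n].len);
    }
    printf("with GD: 0x%llx\n", (unsigned long long)dr7_with_gd(0x400));
    return 0;
}
```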

Re: DR rootkit

PostPosted: Thu Sep 18, 2008 10:30 am
by spender
There are many ways grsec can be used to prevent insertion of this rootkit, even if the injection method is altered (MODSTOP, RBAC system, /dev/mem restrictions).

Also, due to a bug in the rootkit, the presence of KERNEXEC will cause it to crash the system instead of being able to hook do_debug() successfully. They assume kernel code to be writable, and don't wrap their writes with cr0 modifications to clear/set WP.

-Brad