DR rootkit

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

DR rootkit

Postby voron » Sat Sep 06, 2008 3:21 am

http://lists.immunitysec.com/pipermail/ ... 05323.html
How to prevent this except

    echo 1 > /proc/sys/kernel/grsecurity/disable_modules

Just interesting. Maybe debug register protection with the DR7 GD bit and so on (from http://www.phrack.com/issues.html?issue=65&id=8#article)?
voron
Posts: 22
Joined: Mon May 29, 2006 8:54 am
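As an added example (not code from the thread, grsecurity or the linked rootkit), a small C decoder for the DR7 layout voron refers to, so that a defender looking at DR7 in a crash dump or kernel debugger can see which hardware breakpoint slots are armed and whether the General Detect (GD) bit, which makes the CPU raise #DB on any access to DR0-DR7, is set. The sample register value is constructed; the field layout follows the Intel SDM.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded view of x86 DR7 (layout per Intel SDM vol. 3, sec. 17.2.4). */
struct dr7_view {
    bool local_enable[4];  /* Ln: bits 0, 2, 4, 6 */
    bool global_enable[4]; /* Gn: bits 1, 3, 5, 7 */
    unsigned rw[4];        /* R/Wn: 0=execute, 1=write, 2=I/O, 3=read/write */
    unsigned len[4];       /* LENn: 0=1 byte, 1=2 bytes, 3=4 bytes, 2=8 bytes */
    bool gd;               /* bit 13, General Detect: #DB on any MOV to/from DR0-DR7 */
    int armed;             /* slots enabled via either their L or G bit */
};

struct dr7_view dr7_decode(uint64_t dr7)
{
    struct dr7_view v = { .armed = 0 };
    for (int i = 0; i < 4; i++) {
        v.local_enable[i]  = (dr7 >> (2 * i)) & 1;
        v.global_enable[i] = (dr7 >> (2 * i + 1)) & 1;
        v.rw[i]  = (dr7 >> (16 + 4 * i)) & 3;
        v.len[i] = (dr7 >> (18 + 4 * i)) & 3;
        v.armed += (v.local_enable[i] || v.global_enable[i]);
    }
    v.gd = (dr7 >> 13) & 1;
    return v;
}

/* Translate a LEN field to a byte count (8 bytes is 64-bit mode only). */
unsigned dr7_len_bytes(unsigned len)
{
    static const unsigned bytes[4] = { 1, 2, 8, 4 };
    return bytes[len & 3];
}

int main(void)
{
    /* Constructed sample: GD set, DR0 global execute breakpoint, DR2 local 4-byte write watchpoint. */
    uint64_t sample = 0x0D002412ULL;
    struct dr7_view v = dr7_decode(sample);
    printf("GD=%d armed=%d\n", v.gd, v.armed);
    for (int i = 0; i < 4; i++)
        if (v.local_enable[i] || v.global_enable[i])
            printf("DR%d: %s rw=%u len=%u bytes\n", i,
                   v.global_enable[i] ? "global" : "local", v.rw[i], dr7_len_bytes(v.len[i]));
    return 0;
}
```

An armed slot that no legitimate debugger or kernel facility (e.g. perf hardware breakpoints) accounts for is worth investigating; with GD set, any attempt to rewrite the debug registers lands in the kernel's #DB handler where it can be logged or refused.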

Re: DR rootkit

Postby spender » Thu Sep 18, 2008 10:30 am

There are many ways grsec can be used to prevent insertion of this rootkit, even if the injection method is altered (MODSTOP, RBAC system, /dev/mem restrictions).

Also, due to a bug in the rootkit, the presence of KERNEXEC will cause it to crash the system instead of being able to hook do_debug() successfully. They assume kernel code to be writable, and don't wrap their writes with cr0 modifications to clear/set WP.

-Brad
spender
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
