From: Forums (forums htbindustries.org)
Date: Fri May 22 2009 - 05:53:42 CDT
Can't seem to compile this on my system.
(skimmer:~/Xploits/curuncula)% make
make -C /lib/modules/`uname -r`/build M=`pwd` modules
make[1]: Entering directory `/boot/src/linux-2.6.28-tuxonice-r8'
CC [M] /home/circut/Xploits/curuncula/curuncula_26.o
/home/circut/Xploits/curuncula/curuncula_26.c:42:1: warning: "rdmsr" redefined
In file included from /boot/src/linux-2.6.28-tuxonice-r8/arch/x86/include/asm/processor.h:20,
from include/linux/prefetch.h:14,
from include/linux/list.h:6,
from include/linux/module.h:9,
from /home/circut/Xploits/curuncula/curuncula_26.c:33:
/boot/src/linux-2.6.28-tuxonice-r8/arch/x86/include/asm/msr.h:134:1: warning: this is the location of the previous definition
/home/circut/Xploits/curuncula/curuncula_26.c: Assembler messages:
/home/circut/Xploits/curuncula/curuncula_26.c:232: Error: suffix or operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:235: Error: suffix or operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:238: Error: suffix or operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:241: Error: suffix or operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:244: Error: suffix or operands invalid for `mov'
make[2]: *** [/home/circut/Xploits/curuncula/curuncula_26.o] Error 1
make[1]: *** [_module_/home/circut/Xploits/curuncula] Error 2
make[1]: Leaving directory `/boot/src/linux-2.6.28-tuxonice-r8'
make: *** [curuncula_26] Error 2
(skimmer:~/Xploits/curuncula)% uname -a
Linux skimmer 2.6.28-tuxonice-r8 #2 SMP Mon May 4 15:54:00 CDT 2009 x86_64 Intel(R) Core(TM)2 Duo CPU T7100 1.80GHz GenuineIntel GNU/Linux
-Erik
On Fri, 24 Apr 2009 00:13:59 +0200
Giuseppe Cocomazzi <sbudella email.it> wrote:
> Hi,
> I've released a little program named Curuncula.
> Curuncula is a tool shipped as a loadable kernel module that aims to
> detect rootkits based on the Intel debugging support facilities.
> Rootkits that set the GD access flag are also detected. It makes use of
> the "last branch recording" mechanism provided by the Intel
> architecture. Supports both the 2.4 and 2.6 Linux kernels.
> Complete source code can be found here:
> http://packetstormsecurity.org/UNIX/audit/curuncula.tgz
>
> I hope you find it useful.
> Regards,
> Giuseppe Cocomazzi
>
> --
> every day above ground is a good one.
--
Forums <forums htbindustries.org>