[Dailydave] DR Linux 2.6 rootkit released

Bas Alberts bas.alberts at immunityinc.com
Thu Sep 4 12:59:21 EDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just as a sidenote, I was unaware of Pierre's research paper until today
(not much up on the Italians :)). But his paper most definitely is a
go-to reference for this general hooking approach. Even if it is in
Italian, it's pretty readable and well researched. Combined with the
Intel SDM, the work presented becomes pretty straightforward.

I've added it to the references in the DR README, and feel that it
serves as an excellent reference for the general approach as far as
Linux debug register based kernel hooking specifics go.

To answer some questions I've been getting off-list:

- Yes, SMP support will be added
- Yes, X86_64 support will be added
- Yes, proper GD support will be added

The initial implementation was written on the spot and in the span of a
week. Because the engine is used in the CANVAS rootkit, it will receive
continuous support and updates. Feel free to submit feature requests.

Regards,
Bas Alberts
Senior Security Researcher
Immunity, Inc.

Pierre Falda wrote:
> Hi people,
> if someone else is still interested in these things and wants to see some
> 'old' code, in 2006 I published an article and a 2.4.x/2.6.x (tested
> until .19) Linux rootkit
> which loads itself through kmem and fully implements these techniques. It's
> a fully working rootkit with a debug registers engine and with
> anti-detection checks via GD and CPU emulation to protect itself too. It has
> all modern rootkit hiding features, extra anti-detection features
> like kmem/mem/kcore/procfs on-the-fly patching and most add-ons like TTY and
> application sniffing. It works by watching the SCT and supports
> syscall invocations through int 80 and sysenter and so on.
> 
> You can find the source code here:
> 
> http://packetstormsecurity.org/UNIX/penetration/rootkits/mood-nt_2.3.tgz
> 
> or here
> 
> http://darkangel.antifork.org/codes.htm
> 
> The article about the hardware engine (in Italian) is here:
> 
> http://darkangel.antifork.org/publications/Abuso%20dell%27Hardware%20nell%27Attacco%20al%20Kernel%20di%20Linux.pdf
> 
> and if you want the printed version in a scientific publication you can go
> here:
> 
> http://www.atsystem.org/en/conventions/nss06/convention+proceedings
> 
> Have a nice day!
> 
> 
> Pierre Falda 'darkangel'
> http://darkangel.antifork.org
> Antifork Research Inc.
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIwBPpLpdA2Ju9tfcRAnR6AJ9UHQPhTG5U8hIqQIiZCzf5cUbIMACeK73N
FJ3eafqT3KebzG4ADuJF6aw=
=LA18
-----END PGP SIGNATURE-----
