Re: Microsoft GhostBuster Opinions

[Ron DuFresne <dufresne () winternet com>]

On Fri, 18 Mar 2005, dk wrote:

> Ron DuFresne wrote:
>
> > If the kernel is modified, on a windows or *nix system, you are going to
> > have a clear clue upfront;  the system will have rebooted.  Course, a
>
> That's a dangerous position to believe, at least with the linux kernel
> (man insmod). Aside from just loading a kernel module that wraps system
> calls, one has been able to directly modify kernel memory for years,
> even without kernel bugs. Hence the utility of PaX, grsec, etc, etc.
>
> In fact a few popular RK's do just his via /dev/kmem (bypassing module
> loading) and the like do they not? (like suckit??)
>
> Further research might be in order.  ;-)
>
> http://www.l0t3k.org/biblio/kernel/english/runtime-kernel-kmem-patching.txt
>
> http://www.phrack.org/show.php?p=58&a=7
>
> http://www.l0t3k.org/security/docs/rootkit/


agreed, thanks again to you and the earlier posters for correcting me.

Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/