Archive

Posts Tagged ‘Kernel 2.6’

Infecting loadable kernel modules: kernel versions 2.6.x/3.0.x

April 18, 2012 5 comments

Hi.
“Infecting loadable kernel modules: kernel versions 2.6.x/3.0.x” is the title of my last paper that has been published on phrack #68. You can read the paper here.

Many thanks to:
– blackb1rd (a phrack reviewer) who helped me in writing the paper.
– All the phrack staff for publishing the paper.
– emdel for … mmmh … Hi, emdel!

Any comments or suggestions would be (obviously) appreciated.
Bye.

Syscall Hijacking: Dynamically obtain syscall table address (kernel 2.6.x) #2

March 18, 2011 26 comments

Hi. In this brief post I’ll show you another way to get the syscall table address dinamically.
This post is only an expansion of this one. Read more…

Syscall Hijacking: Anti Fork-Bomb LKM (kernel 2.6.x)

February 10, 2011 Leave a comment

Hi. In this post I’ll show you how to implement a simple anti fork-bomb LKM.
There is already a kernel method to prevent the fork bomb: you can search online about this stuff.
Instead I’ll show you how prevent a fork bomb attack through a simple loadable kernel module, in order to better understand how a new process is created and how we can prevent its creation. Read more…

Syscall Hijacking: Dynamically obtain syscall table address (kernel 2.6.x)

January 20, 2011 32 comments

Hi. In this post I’ll show you how to obtain dynamically the syscall table address. In the last posts (this and this) I wrote codes in which the syscall table address was hardcoded (as suggested by sj).
Now I’ll show you how to dinamically obtain it. Read more…

Syscall Hijacking: Simple Rootkit (kernel 2.6.x)

December 28, 2010 18 comments

Hi. In this post I’ll show you how to change the process credentials through kernel modules. In a such way you can make your own rootkit(s): i.e. when you performs a pre-established action, the module will give you a root access.
First of all we need to know where these credentials are kept: in the kernel versions < 2.6.29 we find all this informations in the “task_struct” structure. This structure is defined in “linux/sched.h”: Read more…

Syscall Hijacking: Kernel 2.6.* systems

December 3, 2010 34 comments

In this guide I will explain how to hijack the syscall in kernel 2.6.*: in particular how to bypass the kernel write protection and the “protected mode” bit of the CR0 CPUs register.
I don’t explain what is a syscall or syscall table: I assume you know what it is.
Read more…

Follow

Get every new post delivered to your Inbox.