Linux on-the-fly kernel patching without LKM

Well, I didn’t know this was possible. First published in Phrack, and can be viewed at http://doc.bughunter.net/rootkit-backdoor/kernel-patching.html

I guess that pokes a hole in my careful ideas about IDS systems (another one, I guess; there are holes on top of holes). Not this particular rootkit, of course, but the fact that you can potentially manipulate the kernel by modifying kernel memory directly. Very tricky.

Of course, if you can modify the kernel, potentially tripwire could be fooled, processes can be hidden, and network connections can be shielded from the view of many of my tools. If it’s possible to modify the kernel without even a reboot to tip me off, shoot, that could be sinister.

Though it would take someone a heck of a lot better than I am to do it to that sort of degree that quickly.

I normally allow loadable module support anyway, so I guess there is that.
