Linux on-the-fly kernel patching without LKM

February 7th, 2008 by webstersprodigy

Well, I didn’t know this was possible. It was first published in Phrack and can be viewed at http://doc.bughunter.net/rootkit-backdoor/kernel-patching.html

I guess that pokes a hole in my careful ideas about IDS systems (another one, I guess; there are holes on top of holes). Not this particular rootkit of course, but the fact that you can potentially manipulate the kernel by modifying kernel memory. Very tricky.

Of course, if you can modify the kernel, potentially tripwire could be fooled, processes can be hidden, and network connections can be shielded from the view of many of my tools. If it’s possible to modify the kernel without even a reboot to tip me off, shoot, that could be sinister.

Though it would take someone a heck of a lot better than I am to do it to that sort of degree that quickly.

This really isn’t that big of a deal to me. I normally allow loadable module support anyway, but I always figured I could turn it off and be safe from crap like this. Guess not. I guess the best I can do is turn it off and make it a bit harder. :)
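The two things the post worries about are that modules can be loaded into a running kernel and that kernel memory can be written from user space without a module. The script below is an added example, not code from the post or from the Phrack article it links to; it reports whether a Linux host still exposes either path. It assumes the `kernel.modules_disabled` sysctl (present in kernels from 2.6.31 on, so newer than this post) and the `/dev/kmem` node (controlled by `CONFIG_DEVKMEM`, which later kernels drop entirely). The `ROOT` argument is a prefix so the checks can be exercised against a constructed fake `/proc` and `/dev` tree instead of the live host.

```shell
#!/bin/sh
# Added example (not from the original post). Reports whether run-time module
# loading is locked and whether a raw kernel-memory device node exists.
# Assumptions: the sysctl kernel.modules_disabled (kernels 2.6.31+) and the
# /dev/kmem node (CONFIG_DEVKMEM). ROOT is a path prefix; "" means the live host.

# kmod_loading_state ROOT -> prints "locked", "open" or "unknown"
kmod_loading_state() {
    f="$1/proc/sys/kernel/modules_disabled"
    if [ ! -r "$f" ]; then
        echo unknown            # sysctl missing: old kernel or not Linux
    elif [ "$(cat "$f")" = "1" ]; then
        echo locked             # one-way switch: no modules until reboot
    else
        echo open
    fi
}

# kmem_node_state ROOT -> prints "present" if /dev/kmem exists, else "absent"
kmem_node_state() {
    if [ -e "$1/dev/kmem" ]; then echo present; else echo absent; fi
}

# kernel_patch_surface ROOT -> prints one line per check; returns 0 only when
# both paths are closed, 1 when either is open or cannot be determined.
kernel_patch_surface() {
    root="${1:-}"
    rc=0
    case "$(kmod_loading_state "$root")" in
        locked) echo "modules: loading locked (kernel.modules_disabled=1)" ;;
        open)   echo "modules: loading allowed; set kernel.modules_disabled=1 once boot-time modules are in"
                rc=1 ;;
        *)      echo "modules: cannot read modules_disabled; treating loading as allowed"
                rc=1 ;;
    esac
    case "$(kmem_node_state "$root")" in
        absent)  echo "kmem: /dev/kmem absent" ;;
        present) echo "kmem: /dev/kmem present; kernel memory reachable through the device node"
                 rc=1 ;;
    esac
    return $rc
}

# Check the live host only when asked explicitly, e.g. ./kernel_patch_surface.sh --live
if [ "${1:-}" = "--live" ]; then
    kernel_patch_surface ""
fi
```

Locking `kernel.modules_disabled` is a one-way switch for the running kernel, so it belongs at the end of boot, after every module the host legitimately needs is already loaded; it does nothing about `/dev/kmem`, which is why the script reports the two separately.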
