SUN Bloody Daft Solaris Mechanisms

Object

Title
SUN Bloody Daft Solaris Mechanisms
Description
A new look into writing Solaris kernel rootkits using the new tools provided to the Solaris 10 admin by SUN. About this event: http://www.ccc.de/congress/2004/fahrplan/event/57.en.html
Content
A talk that will go through the new gifts given by SUN to the kernel rootkit writer. It covers how to hide processes without modifying getdents(), solving the off-by-one module ID when unlinking from the kernel modules list, removing the module from the kernel symbol table, and removing the kernel's functions from the DTrace providers list. It will look at DTrace and at using MDB in kernel mode to examine the Solaris kernel. The paper will also cover how to avoid modifying the system entry table and hijack the execve function regardless by dynamically rewriting it.

Various demos will be included, such as using DTrace to snoop on userland processes, what happens if you don't remove the module functions from the DTrace provider, and finally the current status of the kernel code (including hiding child processes and maybe sockets), as well as a demonstration of modifying execve live, after the module is loaded.
Publication date
28 December 2004
Person involved
Archim
Is Referenced By
21C3 Website
Duration
0:36:27
Type
video/mp4
Tag
21c3
Hacking
Identifier
ark:/45490/bCTnv7