What if I already have a rootkit on my system? Can I, by creating a hidden process with DR, use a shell to see those other hidden rootkit processes? Then it would be a nice security tool.
DR rootkit released under the GPL
Posted Sep 12, 2008 15:17 UTC (Fri) by cde (guest, #46554)
In this case the trick is to reload a new bare IDT with lidt (which can't be trapped with DR), and then proceed to clear all debug registers before checking for signs of the rootkit. I don't know of any ARK software that does this yet (switching the IDT is a bit dangerous, and has to be done for all processors).
Posted Dec 14, 2008 20:02 UTC (Sun) by trv (guest, #55399)
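The sequence cde describes (load a bare IDT with lidt so nothing the rootkit hooked can run, then clear the debug registers, then look for the rootkit) as an added example. This is not code from the page, from the DR rootkit, or from any anti-rootkit project. The pure-C parts (building the 64-bit IDT image, decoding DR7) build and run on any host; the ring-0 parts (sidt/lidt, mov to and from %dbN, the iretq stub) only compile with the hypothetical -DDR_ARK_RING0 inside an x86-64 kernel module, and KERNEL_CS and the sample addresses are assumptions. It goes one step beyond the comment by reading DR0-DR7 before clearing them, so the saved values can be checked for execute breakpoints planted on kernel code.

```c
/* Added example, not from the page or any ARK project. Ring-0 parts need
 * -DDR_ARK_RING0 in an x86-64 kernel module; KERNEL_CS and all addresses
 * below are assumptions. */
#include <stdint.h>
#include <stdio.h>

/* 64-bit IDT gate descriptor as the CPU reads it (Intel SDM vol. 3, 6.14.1). */
struct idt_gate {
    uint16_t offset_lo;
    uint16_t selector;
    uint8_t  ist;        /* bits 0-2: IST index, 0 = use current stack */
    uint8_t  type_attr;  /* 0x8e = present, DPL 0, 64-bit interrupt gate */
    uint16_t offset_mid;
    uint32_t offset_hi;
    uint32_t reserved;
} __attribute__((packed));

struct idt_ptr {         /* operand format of sidt/lidt */
    uint16_t limit;
    uint64_t base;
} __attribute__((packed));

#define IDT_VECTORS 256
#define KERNEL_CS   0x10          /* assumption: Linux x86-64 __KERNEL_CS */
#define DR7_GD      (1u << 13)    /* general detect: traps any mov to/from DRn */
enum { DR_RW_EXEC = 0, DR_RW_WRITE = 1, DR_RW_IO = 2, DR_RW_RW = 3 };

struct dr_state { uint64_t dr[4]; uint64_t dr6, dr7; };

/* Point all 256 vectors at `stub` so no handler the rootkit hooked can run. */
void build_bare_idt(struct idt_gate *idt, uint64_t stub, uint16_t cs)
{
    for (int v = 0; v < IDT_VECTORS; v++) {
        idt[v].offset_lo  = (uint16_t)(stub & 0xffff);
        idt[v].selector   = cs;
        idt[v].ist        = 0;
        idt[v].type_attr  = 0x8e;
        idt[v].offset_mid = (uint16_t)((stub >> 16) & 0xffff);
        idt[v].offset_hi  = (uint32_t)(stub >> 32);
        idt[v].reserved   = 0;
    }
}

/* Reassemble a gate's handler address, e.g. to see where the live IDT's #DB
 * entry (vector 1) really points once the clean IDT is in place. */
uint64_t gate_offset(const struct idt_gate *g)
{
    return (uint64_t)g->offset_lo | ((uint64_t)g->offset_mid << 16)
         | ((uint64_t)g->offset_hi << 32);
}

/* DR7: enable bits L_i/G_i at 2i and 2i+1, R/W_i at 16+4i, LEN_i at 18+4i.
 * Returns a bitmask (bit i = DR_i) of enabled execute breakpoints whose
 * address falls in [lo, hi), e.g. the system-call entry code. */
unsigned dr_exec_hooks_in_range(const struct dr_state *s, uint64_t lo, uint64_t hi)
{
    unsigned mask = 0;
    for (int i = 0; i < 4; i++) {
        unsigned enabled = (unsigned)(s->dr7 >> (2 * i)) & 3;
        unsigned rw      = (unsigned)(s->dr7 >> (16 + 4 * i)) & 3;
        if (enabled && rw == DR_RW_EXEC && s->dr[i] >= lo && s->dr[i] < hi)
            mask |= 1u << i;
    }
    return mask;
}

#if defined(DR_ARK_RING0) && defined(__x86_64__)
/* Stub for every vector: a bare iretq. Only no-error-code events (#DB from
 * DR7.GD, NMI) are expected while the bare IDT is live and IRQs are off. */
asm(".text\n.globl dr_ark_stub\ndr_ark_stub:\n\tiretq\n");
extern char dr_ark_stub[];
#define RD_DR(n, v) asm volatile("mov %%db" #n ", %0" : "=r"(v))
#define WR_DR(n, v) asm volatile("mov %0, %%db" #n :: "r"(v))

/* Run on every CPU (e.g. via on_each_cpu) with interrupts disabled. */
unsigned ark_check_this_cpu(struct idt_gate *bare, struct idt_ptr *saved,
                            struct dr_state *s, uint64_t lo, uint64_t hi)
{
    struct idt_ptr bp = { sizeof(struct idt_gate) * IDT_VECTORS - 1, (uint64_t)bare };
    asm volatile("sidt %0" : "=m"(*saved));
    build_bare_idt(bare, (uint64_t)dr_ark_stub, KERNEL_CS);
    asm volatile("lidt %0" :: "m"(bp));
    /* If DR7.GD is set, the first access faults into dr_ark_stub; the CPU
     * clears GD when raising that #DB, so the re-executed mov goes through. */
    RD_DR(7, s->dr7); RD_DR(0, s->dr[0]); RD_DR(1, s->dr[1]);
    RD_DR(2, s->dr[2]); RD_DR(3, s->dr[3]); RD_DR(6, s->dr6);
    WR_DR(7, 0UL); WR_DR(0, 0UL); WR_DR(1, 0UL);
    WR_DR(2, 0UL); WR_DR(3, 0UL); WR_DR(6, 0UL);
    /* Hooks are disarmed here: walk task lists, syscall table, etc., and
     * compare gate_offset(&live_idt[1]) against kernel text before restoring. */
    asm volatile("lidt %0" :: "m"(*saved));
    return dr_exec_hooks_in_range(s, lo, hi);
}
#endif

int main(void)
{
    /* Constructed sample: breakpoints as a DR rootkit might leave them. */
    struct dr_state s = {
        .dr  = { 0xffffffff81000100ULL, 0, 0xffffffff81000200ULL, 0xffffffff81000300ULL },
        .dr6 = 0,
        .dr7 = (1u << 0) | (1u << 5) | (1u << 7) | ((uint64_t)DR_RW_WRITE << 28),
    };
    unsigned hooks = dr_exec_hooks_in_range(&s, 0xffffffff81000000ULL, 0xffffffff81001000ULL);
    printf("execute breakpoints on the sample code range: mask 0x%x\n", hooks);
    return hooks ? 1 : 0;
}
```

The IDT switch has to happen on every CPU, as the comment notes, because each core holds its own IDTR and debug registers; running the check on one core leaves the rootkit's hooks armed on the others. The bare stub only has to survive a #DB (no error code) and an NMI, which is why it can be a single iretq; any other exception while the bare IDT is live means the checker itself is broken.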
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.