
DR rootkit released under the GPL

Posted Sep 12, 2008 6:40 UTC (Fri) by zmi (guest, #4829)
Parent article: DR rootkit released under the GPL

> But if you are a hidden process, you can see hidden resources

What if I've already got a rootkit on my system? Can I, by creating a hidden process with DR, use a shell to see those other hidden rootkit processes? Then it would be a nice security tool.


DR rootkit released under the GPL

Posted Sep 12, 2008 15:17 UTC (Fri) by cde (guest, #46554) [Link]

All rootkits can be detected when you know where to look (except perhaps hypervisor rootkits).

In this case the trick is to reload a new bare IDT with lidt (which can't be trapped with DR), and then proceed to clear all debug registers before checking for signs of the rootkit. I don't know of any ARK software that does this yet (switching the IDT is a bit dangerous, and has to be done for all processors).
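A defender-side check of the kind the comment above describes, as an added example (not code from the thread or from the DR rootkit project): once an anti-rootkit tool runs at ring 0 from its own IDT it can read DR0-DR3 and DR7; this decodes such a snapshot and flags execution breakpoints armed on kernel text, which is what a debug-register hook looks like. Reading the registers needs ring 0, so a constructed snapshot with placeholder addresses stands in here.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Decoded state of one x86 hardware breakpoint slot (DR0..DR3). */
struct hwbp {
    bool enabled;   /* Ln (local) or Gn (global) enable bit set in DR7 */
    unsigned rw;    /* R/Wn: 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    unsigned len;   /* LENn: 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes, 2 = 8 bytes */
    uint64_t addr;  /* linear address held in DRn */
};

/* DR7 layout (Intel SDM vol. 3): Ln = bit 2n, Gn = bit 2n+1,
 * R/Wn = bits 16+4n..17+4n, LENn = bits 18+4n..19+4n. */
void decode_debug_regs(uint64_t dr7, const uint64_t dr[4], struct hwbp out[4])
{
    for (unsigned n = 0; n < 4; n++) {
        out[n].enabled = ((dr7 >> (2 * n)) & 3) != 0;
        out[n].rw      = (dr7 >> (16 + 4 * n)) & 3;
        out[n].len     = (dr7 >> (18 + 4 * n)) & 3;
        out[n].addr    = dr[n];
    }
}

/* Number of slots armed as execute breakpoints inside kernel text
 * [text_start, text_end). With no kernel debugger attached this should be 0. */
int count_kernel_exec_bps(uint64_t dr7, const uint64_t dr[4],
                          uint64_t text_start, uint64_t text_end)
{
    struct hwbp bp[4];
    int hits = 0;
    decode_debug_regs(dr7, dr, bp);
    for (unsigned n = 0; n < 4; n++)
        if (bp[n].enabled && bp[n].rw == 0 &&
            bp[n].addr >= text_start && bp[n].addr < text_end)
            hits++;
    return hits;
}

/* Constructed sample snapshot (placeholder addresses, not real kernel symbols):
 * DR0 points into the text range; the caller supplies the DR7 value under test. */
int check_sample_snapshot(uint64_t dr7)
{
    const uint64_t dr[4] = { 0xffffffff81000100ULL, 0, 0, 0 };
    return count_kernel_exec_bps(dr7, dr, 0xffffffff81000000ULL, 0xffffffff82000000ULL);
}

int main(void)
{
    /* G0 = bit 1 set, R/W0 = 00: slot 0 is a global execute breakpoint. */
    printf("armed kernel exec breakpoints: %d\n", check_sample_snapshot(0x2));
    printf("after clearing DR7: %d\n", check_sample_snapshot(0x0));
    return 0;
}
```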

DR rootkit released under the GPL

Posted Dec 14, 2008 20:02 UTC (Sun) by trv (guest, #55399) [Link]

The IDT is not modified by this rootkit, so what's the use of loading a new IDT?


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds