I believe hooking functions has become difficult in the 2.6 kernel, because of the new syscall_table_description restrictions (it's hidden). I've heard of a few dirty methods to get around this and I believe adore has a 2.6 version of their Linux kernel module rootkit, but I have not messed around with it.
Nathan Sportsman

On Feb 1, 2008 3:56 PM, Brandon Louder <[EMAIL PROTECTED]> wrote:
> I can't answer your entire question but I can provide a good resource.
>
> http://www.packetstormsecurity.org/UNIX/penetration/rootkits/
>
> Packet Storm has A LOT of known rootkits listed there with descriptions
> and links to other sites.
>
> Another tool you might look into is Rootkit Hunter (rkhunter).
>
> Good Luck!
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Ahmed Zaki
> Sent: Thursday, January 31, 2008 1:41 PM
> To: [email protected]
> Subject: RootKits Under Linux
>
> Hi all
>
> I am currently doing a project on rootkits under linux os. I am
> especially interested in loadable kernel module rootkits. I wanted to
> know where research stands now in terms of detecting such rootkits. It
> would be very helpful if you would be able to point me to resources where
> I can gain information on the diverse variations of these rootkits and
> current available methods of detecting them. Also if there are mechanisms
> that can be used to totally avoid detection that would be used by rootkits.
>
> Regards
>
> Zeeq
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to
> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> to learn more.
> ------------------------------------------------------------------------
>
> -----------------------------------------
> Confidentiality Notice: This e-mail message, including any
> attachments, is for the sole use of the intended recipient(s) and
> may contain confidential and privileged information. Any
> unauthorized review, use, disclosure, or distribution is
> prohibited. If you are not the intended recipient, please contact
> the sender by reply e-mail and destroy all copies of the original
> message.
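As an added illustration of the detection side of the question above (this is editor-supplied example code, not something posted in the thread or taken from rkhunter or adore): a classic LKM rootkit hides itself from lsmod by unlinking its struct module from the kernel's module list, which is what /proc/modules walks, but the module's sysfs directory under /sys/module is created separately and is often left behind. Cross-checking the two views flags the discrepancy. Assumptions: a 2.6-era sysfs layout in which only loaded (not built-in) modules carry an `initstate` or `refcnt` attribute; the module names, sizes and addresses in the sample data are constructed.

```python
"""Cross-check /proc/modules against /sys/module to spot a hidden LKM."""
import os
import tempfile
from typing import Iterable, Set


def parse_proc_modules(text: str) -> Set[str]:
    """Module names from /proc/modules text ('name size refcnt deps state addr' per line)."""
    return {line.split()[0] for line in text.splitlines() if line.split()}


def sysfs_loadable_modules(sysfs_root: str = "/sys/module") -> Set[str]:
    """Names under sysfs_root that belong to loadable modules, not built-in code.

    Built-in objects also get a /sys/module/<name>/ directory (for their parameters),
    so only directories carrying 'initstate' or 'refcnt' are kept; the kernel creates
    those for loaded modules only (assumption: 2.6-era sysfs layout).
    """
    found = set()
    for name in os.listdir(sysfs_root):
        d = os.path.join(sysfs_root, name)
        if any(os.path.exists(os.path.join(d, f)) for f in ("initstate", "refcnt")):
            found.add(name)
    return found


def hidden_modules(proc_modules_text: str, sysfs_loadable: Iterable[str]) -> Set[str]:
    """Loadable modules visible in sysfs but missing from /proc/modules (what lsmod reads)."""
    return set(sysfs_loadable) - parse_proc_modules(proc_modules_text)


# Constructed sample /proc/modules: two honest modules. 'hidemod' (below) has
# unlinked itself from the module list, so it is absent here.
SAMPLE_PROC_MODULES = "ext3 123456 1 - Live 0xf8a00000\njbd 56789 1 ext3, Live 0xf89f0000\n"


def demo() -> Set[str]:
    """Build a fake /sys/module tree in a temp dir and run the check on the sample."""
    with tempfile.TemporaryDirectory() as root:
        # 'printk' stands in for a built-in object: directory present, no refcnt file.
        for name, loadable in (("ext3", True), ("jbd", True), ("printk", False), ("hidemod", True)):
            os.makedirs(os.path.join(root, name))
            if loadable:
                open(os.path.join(root, name, "refcnt"), "w").close()
        return hidden_modules(SAMPLE_PROC_MODULES, sysfs_loadable_modules(root))


if __name__ == "__main__":
    print("demo (constructed data):", demo())  # {'hidemod'}
    try:  # live check against the running kernel, if the paths exist
        live = hidden_modules(open("/proc/modules").read(), sysfs_loadable_modules())
        print("live system:", live or "no discrepancy")
    except OSError as err:
        print("live check skipped:", err)
```

A module that also removes its sysfs directory leaves nothing for this comparison to find, so an empty result is absence of evidence, not a clean bill of health; it should be one of several independent views (kernel symbol tables, memory images) that a detector compares.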
