A new look into writing Solaris kernel rootkits using the new tools provided to the Solaris 10 Admin by SUN. A talk that will go through the new gifts given by SUN to the Kernel rootkit writer. Covers How to hide processes without modifying Getdents(), solving the off by one module ID when unlinking from the kernel modules list, removing the module from the kernel symbol table and removing the kernels functions from the DTrace providers list. Will look at DTrace and using MDB in kernel mode to examine the Solaris kernel. The paper will also cover how to avoid modifying the system entry table and hi-jacking the execve function regardless by dynamically re-writing it. Various Demos will be included such as using DTrace to snoop on userland processes, what happens if you don't remove the module functions from the DTrace provider and finally the current status of the kernel code (including hiding child processes and maybe sockets.) and also a demonstration of modifying execve whilst live, after the module is loade
Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.
Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.