Learn, hack!

Hacking and security documentation: slides, papers, video and audio recordings. All in high-quality, daily updated, avoiding security crap documents. Spreading hacking knowledge, for free, enjoy. Follow on .

SUN Bloody Daft Solaris Mechanisms

Chaos Communication Congress 21th (21C3) 2004
Indexed on
Mar 27, 2013
File name
File size
115.9 KB

A new look into writing Solaris kernel rootkits using the new tools provided to the Solaris 10 Admin by SUN. A talk that will go through the new gifts given by SUN to the Kernel rootkit writer. Covers How to hide processes without modifying Getdents(), solving the off by one module ID when unlinking from the kernel modules list, removing the module from the kernel symbol table and removing the kernels functions from the DTrace providers list. Will look at DTrace and using MDB in kernel mode to examine the Solaris kernel. The paper will also cover how to avoid modifying the system entry table and hi-jacking the execve function regardless by dynamically re-writing it. Various Demos will be included such as using DTrace to snoop on userland processes, what happens if you don't remove the module functions from the DTrace provider and finally the current status of the kernel code (including hiding child processes and maybe sockets.) and also a demonstration of modifying execve whilst live, after the module is loade

About us

Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.


Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.


To support this site and keep it alive, you can click on the buttons below. Any help is really appreciated! This service is provided for free, but real money is needed to pay bills.

Flattr this Click here to lend your support to: Keep live SecDocs for an year and make a donation at www.pledgie.com !