Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Learning Linux Binary Analysis

You're reading from   Learning Linux Binary Analysis Learning Linux Binary Analysis

Arrow left icon
Product type Paperback
Published in Feb 2016
Publisher Packt
ISBN-13 9781782167105
Length 282 pages
Edition 1st Edition
Languages
Tools
Arrow right icon
Author (1):
Arrow left icon
Ryan "elfmaster" O'Neill Ryan "elfmaster" O'Neill
Author Profile Icon Ryan "elfmaster" O'Neill
Ryan "elfmaster" O'Neill
Arrow right icon
View More author details
Toc

Table of Contents (11) Chapters Close

Preface 1. The Linux Environment and Its Tools FREE CHAPTER 2. The ELF Binary Format 3. Linux Process Tracing 4. ELF Virus Technology – Linux/Unix Viruses 5. Linux Binary Protection 6. ELF Binary Forensics in Linux 7. Process Memory Forensics 8. ECFS – Extended Core File Snapshot Technology 9. Linux /proc/kcore Analysis Index

Debug register rootkits – DRR


This type of kernel rootkit uses the Intel Debug registers as a means to hijack the control flow. A great Phrack paper was written by halfdead on this technique. It is available here:

http://phrack.org/issues/65/8.html.

This technique is often hailed as ultra-stealth because it requires no modification of sys_call_table. Once again, however, there are ways of detecting this type of infection as well.

Detecting DRR

In many rootkit implementations, sys_call_table and other common infection points do go unmodified, but the int1 handler does not. The call instruction to the do_debug function gets patched to call an alternative do_debug function, as shown in the phrack paper linked earlier. Therefore, detecting this type of rootkit is often as simple as disassembling the int1 handler and looking at the offset of the call do_debug instruction, as follows:

target_address = address_of_call + offset + 5

If target_address has the same value as the do_debug address found in...

lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at €18.99/month. Cancel anytime