by tptacek 5517 days ago
This does not look like a new development in rootkits. If I understand the article's summary: there's a rootkit that sets a hardware breakpoint on the memory it overwrote in the kernel, and checks to see if accesses are normal or abnormal; for abnormal accesses, it subs in a fake value for the contents of that range of memory.

If you want to see where the state of the art in rootkits was in 2007(!), read:

http://i.i.com.com/cnwk.1d/i/z/200701/bh-dc-07-Rutkowska-ppt...

...noting that this is Joanna Rutkowska explaining how to reprogram MMUs (here with MMIO remapping) to defeat hardware DMA memory forensics.


Due to the lovely fact, if I recall correctly, that there are two TLBs[1], one for instructions and one for data. So you can subvert one or the other in order to execute a hidden payload.

If you read the data you think you'll execute, you will be fooled. [2] This is a pretty nice trick.

[1]: http://en.wikipedia.org/wiki/Translation_lookaside_buffer#Ov...

[2]: http://uninformed.org/index.cgi?v=6&a=1&p=21
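The split-TLB effect the comment above describes, as an added toy model (not code from the linked uninformed.org paper or from either commenter): a separate instruction and data translation cache for one virtual page, an integrity scanner that reads the code region as data, and what each side sees once the two caches disagree. Page numbers, byte patterns, the `desync` step and the scanner are all constructed for illustration; real hardware does not let software inspect the ITLB directly, so the "translations disagree" comparison is model-only.

```python
"""Toy model of a split TLB (separate ITLB and DTLB), showing why an
integrity check that *reads* code as data can be fooled when the two
caches hold different translations for the same virtual page.

Added illustration only: not code from the linked paper or from any
commenter. Page numbers, byte patterns and the 'checker' are constructed.
"""

import hashlib

CODE_VPAGE = 0x7         # constructed: virtual page holding a kernel routine

# Constructed physical memory: physical page number -> page contents.
CLEAN_CODE = b"\x90" * 16 + b"\xc3"       # NOPs then RET (benign)
TAMPERED_CODE = b"\xcc" * 16 + b"\xc3"    # INT3s then RET (stand-in for a patch)
PHYS_MEM = {
    0x10: CLEAN_CODE,      # the page the page table points at
    0x20: TAMPERED_CODE,   # a second page the ITLB will be aimed at
}
PAGE_TABLE = {CODE_VPAGE: 0x10}  # virtual page -> physical page (the truth)


class SplitTLB:
    """One translation cache for instruction fetch (ITLB) and one for data
    access (DTLB). Both are filled lazily from the page table and are
    supposed to agree; nothing in the hardware forces them to."""

    def __init__(self, page_table):
        self.page_table = dict(page_table)
        self.itlb, self.dtlb = {}, {}

    def translate(self, vpage, for_exec):
        cache = self.itlb if for_exec else self.dtlb
        if vpage not in cache:
            cache[vpage] = self.page_table[vpage]   # simulated page walk
        return cache[vpage]

    def flush(self):
        self.itlb.clear()
        self.dtlb.clear()


def fetch(tlb, vpage):
    """Bytes the CPU would execute at vpage (goes through the ITLB)."""
    return PHYS_MEM[tlb.translate(vpage, for_exec=True)]


def load(tlb, vpage):
    """Bytes a kernel-mode reader sees at vpage (goes through the DTLB)."""
    return PHYS_MEM[tlb.translate(vpage, for_exec=False)]


def naive_check(tlb, vpage, known_good_digest):
    """Integrity scanner that reads the code region as data and hashes it."""
    return hashlib.sha256(load(tlb, vpage)).hexdigest() == known_good_digest


def desync(tlb, vpage, hidden_phys):
    """Model of the attacker's *effect* only: afterwards the ITLB maps the
    page to hidden_phys while the DTLB keeps the clean mapping. The actual
    mechanism is described in the linked paper and is not modelled here."""
    tlb.translate(vpage, for_exec=False)      # prime the DTLB with the clean page
    tlb.itlb[vpage] = hidden_phys             # the ITLB now disagrees


def run_scenario():
    good = hashlib.sha256(CLEAN_CODE).hexdigest()
    tlb = SplitTLB(PAGE_TABLE)
    desync(tlb, CODE_VPAGE, 0x20)
    # The scanner reads clean bytes through the DTLB and reports success ...
    check_passes = naive_check(tlb, CODE_VPAGE, good)
    # ... while an instruction fetch through the ITLB returns something else.
    executed = fetch(tlb, CODE_VPAGE)
    # Model-only check: compare the two translations directly.
    disagree = tlb.translate(CODE_VPAGE, True) != tlb.translate(CODE_VPAGE, False)
    # Flushing forces fresh page walks, so in this toy model both sides
    # fall back to the page table and agree again.
    tlb.flush()
    agree_after_flush = fetch(tlb, CODE_VPAGE) == load(tlb, CODE_VPAGE)
    return {
        "naive_check_passes": check_passes,
        "executed_is_tampered": executed == TAMPERED_CODE,
        "translations_disagree": disagree,
        "agree_after_flush": agree_after_flush,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the model is the first two results: a scanner that hashes code by reading it as data passes, while the bytes an instruction fetch returns are not the ones it hashed. The flush-and-recompare step is where the toy model is optimistic: on real hardware a TLB flush only helps if the page table itself is trustworthy, and the technique in the linked paper also intercepts the refill path, which is why detection work in this area leans on the fact that the two caches were populated differently rather than on a single read of memory.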