Focus on Linux
curuncula dbr rootkit detection tool Apr 23 2009 10:13PM
Giuseppe Cocomazzi (sbudella email it) (1 replies)
Re: curuncula dbr rootkit detection tool May 22 2009 10:53AM
Forums (forums htbindustries org) (1 replies)

Can't seem to compile this on my system.

(skimmer:~/Xploits/curuncula)% make
make -C /lib/modules/`uname -r`/build M=`pwd` modules
make[1]: Entering directory `/boot/src/linux-2.6.28-tuxonice-r8'
CC [M] /home/circut/Xploits/curuncula/curuncula_26.o
/home/circut/Xploits/curuncula/curuncula_26.c:42:1: warning: "rdmsr" redefined
In file included from /boot/src/linux-2.6.28-tuxonice-r8/arch/x86/include/asm/processor.h:20,
from include/linux/prefetch.h:14,
from include/linux/list.h:6,
from include/linux/module.h:9,
from /home/circut/Xploits/curuncula/curuncula_26.c:33:
/boot/src/linux-2.6.28-tuxonice-r8/arch/x86/include/asm/msr.h:134:1: warning: this is the location of the previous definition
/home/circut/Xploits/curuncula/curuncula_26.c: Assembler messages:
/home/circut/Xploits/curuncula/curuncula_26.c:232: Error: suffix or operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:235: Error: suffix or operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:238: Error: suffix or operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:241: Error: suffix or operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:244: Error: suffix or operands invalid for `mov'
make[2]: *** [/home/circut/Xploits/curuncula/curuncula_26.o] Error 1
make[1]: *** [_module_/home/circut/Xploits/curuncula] Error 2
make[1]: Leaving directory `/boot/src/linux-2.6.28-tuxonice-r8'
make: *** [curuncula_26] Error 2
(skimmer:~/Xploits/curuncula)% uname -a
Linux skimmer 2.6.28-tuxonice-r8 #2 SMP Mon May 4 15:54:00 CDT 2009 x86_64 Intel(R) Core(TM)2 Duo CPU T7100 @ 1.80GHz GenuineIntel GNU/Linux

-Erik

On Fri, 24 Apr 2009 00:13:59 +0200
Giuseppe Cocomazzi <sbudella (at) email (dot) it [email concealed]> wrote:

> Hi,
> I've released a little program named Curuncula.
> Curuncula is a tool shipped as a loadable kernel module that aims to
> detect rootkits based on the Intel debugging support facilities.
> Rootkits that set the GD access flag are also detected. It makes use of
> the "last branch recording" mechanism provided by the Intel
> architecture. Supports both the 2.4 and 2.6 Linux kernels.
> Complete source code can be found here:
> http://packetstormsecurity.org/UNIX/audit/curuncula.tgz
>
> I hope you find it useful.
> Regards,
> Giuseppe Cocomazzi
>
> --
> every day above ground is a good one.

--
Forums <forums (at) htbindustries (dot) org [email concealed]>

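The assembler errors above are the usual symptom of 32-bit debug-register code built on an x86-64 kernel: MOV to or from DR0..DR7 requires a register of the native word size, so `mov %%db7, %%eax` is rejected, while `mov %%db7, %%rax` (an `unsigned long` operand under gcc) assembles on both 32- and 64-bit builds. The following is an added example, not code from curuncula or its author; it assumes the five failing lines are such debug-register reads (the source is not shown on this page) and shows a word-size-safe read plus a decoder for the DR7 layout that the original post's GD check relies on. The DR7 bit positions are those documented in the Intel SDM; the function names and the sample register values are constructed for illustration.

```c
/* Added example (not part of curuncula): decode DR7 and read it with a
 * word-size-safe operand. Sample DR7 values in main() are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DR7_GD (1UL << 13) /* General Detect: any MOV to/from DR0-7 raises #DB */
#define DR7_LE (1UL << 8)  /* local exact breakpoint enable (legacy hint) */
#define DR7_GE (1UL << 9)  /* global exact breakpoint enable (legacy hint) */

struct dr7_info {
    int enabled[4];    /* L<n> or G<n> set for breakpoint n */
    int rw[4];         /* 0 = exec, 1 = write, 2 = I/O (if CR4.DE), 3 = read/write */
    int len[4];        /* 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes, 2 = 8 bytes (x86-64) */
    int gd;            /* GD flag set */
    int armed_count;   /* number of enabled breakpoints */
};

/* Split DR7 into its per-breakpoint fields and the GD flag. */
static void dr7_decode(unsigned long dr7, struct dr7_info *out)
{
    memset(out, 0, sizeof *out);
    for (int n = 0; n < 4; n++) {
        int local  = (dr7 >> (2 * n)) & 1;       /* L0..L3: bits 0,2,4,6 */
        int global = (dr7 >> (2 * n + 1)) & 1;   /* G0..G3: bits 1,3,5,7 */
        out->enabled[n] = local | global;
        out->rw[n]  = (dr7 >> (16 + 4 * n)) & 3; /* RWn: bits 16-17, 20-21, ... */
        out->len[n] = (dr7 >> (18 + 4 * n)) & 3; /* LENn: bits 18-19, 22-23, ... */
        if (out->enabled[n])
            out->armed_count++;
    }
    out->gd = (dr7 & DR7_GD) ? 1 : 0;
}

/* Practitioner's check: a DR7 with GD set, or with hardware breakpoints
 * armed that no debugger or perf session on the box accounts for, is
 * worth investigating. Returns 1 if either condition holds. */
static int dr7_suspicious(unsigned long dr7)
{
    struct dr7_info i;
    dr7_decode(dr7, &i);
    return (i.gd || i.armed_count > 0) ? 1 : 0;
}

/* Human-readable one-line summary of a DR7 value. */
static void dr7_describe(unsigned long dr7, char *buf, size_t n)
{
    static const char *rwname[4]  = { "exec", "write", "io", "rw" };
    static const char *lenname[4] = { "1", "2", "8", "4" };
    struct dr7_info i;
    size_t used = 0;
    dr7_decode(dr7, &i);
    used += snprintf(buf + used, n - used, "DR7=%#lx GD=%d", dr7, i.gd);
    for (int k = 0; k < 4 && used < n; k++)
        if (i.enabled[k])
            used += snprintf(buf + used, n - used, " bp%d:%s/%sB",
                             k, rwname[i.rw[k]], lenname[i.len[k]]);
}

#if defined(__x86_64__) || defined(__i386__)
/* Ring 0 only: executing MOV from DR7 at CPL 3 raises #GP, so this is what a
 * kernel module would call, not main() below. The destination is unsigned
 * long so gcc picks %rax on x86-64 and %eax on i386; a 32-bit int on x86-64
 * produces "suffix or operands invalid for `mov'". Note that if a rootkit has
 * set GD, this very instruction traps into its #DB handler, which is the
 * behaviour a GD-aware detector must expect. */
static inline unsigned long read_dr7(void)
{
    unsigned long v;
    __asm__ __volatile__("mov %%db7, %0" : "=r"(v));
    return v;
}
#endif

int main(void)
{
    /* Constructed sample values, not captured from a real machine. */
    unsigned long samples[] = {
        0x400UL,      /* clean: only the always-set reserved bit 10 */
        0x401UL,      /* L0 enabled, exec breakpoint, 1 byte */
        0x2000UL,     /* GD set, nothing armed */
        0xD000020UL,  /* G2 enabled, write, 4-byte length */
    };
    char line[128];
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        dr7_describe(samples[k], line, sizeof line);
        printf("%s suspicious=%d\n", line, dr7_suspicious(samples[k]));
    }
    return 0;
}
```

The decoder alone does not make a rootkit detector: ptrace and perf legitimately arm hardware breakpoints, so a real check compares what DR7 reports against what the kernel's own breakpoint bookkeeping says should be there, and treats a GD bit that nothing on the system set as the strong signal.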
RE: curuncula dbr rootkit detection tool May 25 2009 04:44PM
Jeremi Gosney (Jeremi Gosney motricity com)
Copyright 2010, SecurityFocus