Focus on Linux
curuncula dbr rootkit detection tool Apr 23 2009 10:13PM
Giuseppe Cocomazzi (sbudella email it)
Re: curuncula dbr rootkit detection tool May 22 2009 10:53AM
Forums (forums htbindustries org)
RE: curuncula dbr rootkit detection tool May 25 2009 04:44PM
Jeremi Gosney (Jeremi Gosney motricity com)
You appear to be running a release candidate kernel instead of a stable
kernel. As you can see, this source relies on the kernel headers. Try
compiling it with a stable kernel. If you are using an unstable version
of gcc, this could contribute to this as well. It's really hard to debug
things if you aren't running stable software.

Cheers.

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com]
On Behalf Of Forums
Sent: Friday, May 22, 2009 3:54 AM
To: focus-linux (at) securityfocus (dot) com
Subject: Re: curuncula dbr rootkit detection tool

Can't seem to compile this on my system.

(skimmer:~/Xploits/curuncula)% make
make -C /lib/modules/`uname -r`/build M=`pwd` modules
make[1]: Entering directory `/boot/src/linux-2.6.28-tuxonice-r8'
CC [M] /home/circut/Xploits/curuncula/curuncula_26.o
/home/circut/Xploits/curuncula/curuncula_26.c:42:1: warning: "rdmsr" redefined
In file included from /boot/src/linux-2.6.28-tuxonice-r8/arch/x86/include/asm/processor.h:20,
from include/linux/prefetch.h:14,
from include/linux/list.h:6,
from include/linux/module.h:9,
from /home/circut/Xploits/curuncula/curuncula_26.c:33:
/boot/src/linux-2.6.28-tuxonice-r8/arch/x86/include/asm/msr.h:134:1: warning: this is the location of the previous definition
/home/circut/Xploits/curuncula/curuncula_26.c: Assembler messages:
/home/circut/Xploits/curuncula/curuncula_26.c:232: Error: suffix or operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:235: Error: suffix or operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:238: Error: suffix or operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:241: Error: suffix or operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:244: Error: suffix or operands invalid for `mov'
make[2]: *** [/home/circut/Xploits/curuncula/curuncula_26.o] Error 1
make[1]: *** [_module_/home/circut/Xploits/curuncula] Error 2
make[1]: Leaving directory `/boot/src/linux-2.6.28-tuxonice-r8'
make: *** [curuncula_26] Error 2
(skimmer:~/Xploits/curuncula)% uname -a
Linux skimmer 2.6.28-tuxonice-r8 #2 SMP Mon May 4 15:54:00 CDT 2009 x86_64 Intel(R) Core(TM)2 Duo CPU T7100 @ 1.80GHz GenuineIntel GNU/Linux

-Erik

On Fri, 24 Apr 2009 00:13:59 +0200
Giuseppe Cocomazzi <sbudella (at) email (dot) it> wrote:

> Hi,
> I've released a little program named Curuncula.
> Curuncula is a tool shipped as a loadable kernel module that aims to
> detect rootkits based on the Intel debugging support facilities.
> Rootkits that set the GD access flag are also detected. It makes use
> of the "last branch recording" mechanism provided by the Intel
> architecture. Supports both the 2.4 and 2.6 Linux kernels.
> Complete source code can be found here:
> http://packetstormsecurity.org/UNIX/audit/curuncula.tgz
>
> I hope you find it useful.
> Regards,
> Giuseppe Cocomazzi
>
> --
> every day above ground is a good one.

--
Forums <forums (at) htbindustries (dot) org>

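The debug-register checks the Curuncula announcement describes, as an added example that is not the tool's code: it decodes DR7 (the per-breakpoint enable, R/W and LEN fields plus the GD flag the announcement mentions) in plain C so it runs on constructed values, and it includes a ring-0 read whose operand width addresses one common cause of the "suffix or operands invalid for `mov'" error in Erik's build log. That cause is an assumption, since the thread does not show the failing source line.

```c
/* Added example, not Curuncula's code: decode an x86 DR7 value as a
 * debug-register rootkit detector would. Reading DR7 needs ring 0, so
 * read_dr7() is only usable inside a kernel module; the decoder is pure C
 * and runs on constructed values. Bit layout follows Intel SDM vol. 3. */
#include <stdint.h>

struct dr7_info {
    int enabled[4]; /* breakpoint n armed: L_n (bit 2n) or G_n (bit 2n+1) */
    int rw[4];      /* R/W_n (bits 16+4n): 0=exec 1=write 2=I/O 3=read/write */
    int len[4];     /* LEN_n (bits 18+4n): 0=1 byte 1=2 bytes 3=4 bytes 2=8 */
    int gd;         /* GD (bit 13): trap every MOV to/from a debug register */
    int armed_count;
};

struct dr7_info decode_dr7(uint64_t dr7)
{
    struct dr7_info i = {0};
    for (int n = 0; n < 4; n++) {
        i.enabled[n] = ((dr7 >> (2 * n)) & 3) != 0;
        i.rw[n]  = (int)((dr7 >> (16 + 4 * n)) & 3);
        i.len[n] = (int)((dr7 >> (18 + 4 * n)) & 3);
        i.armed_count += i.enabled[n];
    }
    i.gd = (int)((dr7 >> 13) & 1);
    return i;
}

int dr7_armed_count(uint64_t dr7) { return decode_dr7(dr7).armed_count; }
int dr7_gd_set(uint64_t dr7) { return decode_dr7(dr7).gd; }
int dr7_bp_rw(uint64_t dr7, int n) { struct dr7_info i = decode_dr7(dr7); return i.rw[n]; }
int dr7_bp_len(uint64_t dr7, int n) { struct dr7_info i = decode_dr7(dr7); return i.len[n]; }

/* Detector heuristic: where no debugger should be attached, any armed breakpoint or GD deserves an alert. */
int dr7_suspicious(uint64_t dr7)
{
    struct dr7_info i = decode_dr7(dr7);
    return i.gd || i.armed_count > 0;
}

/* Ring-0 read of DR7. In 64-bit mode a debug-register MOV takes a 64-bit GPR, so the
 * C operand must be unsigned long, not unsigned int: a 32-bit operand (or an explicit
 * "movl") is one common cause of "suffix or operands invalid for `mov'" (assumption;
 * the thread does not show line 232 of curuncula_26.c). From user space this raises #GP. */
#if defined(__x86_64__) || defined(__i386__)
static inline unsigned long read_dr7(void)
{
    unsigned long v;
    __asm__ volatile("mov %%db7, %0" : "=r"(v));
    return v;
}
#endif
```

The constructed value 0xD0401 (L0 set, R/W0 = write, LEN0 = 4 bytes, reserved bit 10 set) decodes as one armed breakpoint with GD clear; 0xD2401 adds GD.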
Copyright 2010, SecurityFocus