Focus on Linux
curuncula dbr rootkit detection tool Apr 23 2009 10:13PM
Giuseppe Cocomazzi (sbudella email it) (1 replies)
Re: curuncula dbr rootkit detection tool May 22 2009 10:53AM
Forums (forums htbindustries org) (1 replies)
RE: curuncula dbr rootkit detection tool May 25 2009 04:44PM
Jeremi Gosney (Jeremi Gosney motricity com)
you appear to be running a release candidate kernel instead of a stable
kernel. as you can see, this source relies on the kernel headers. try
compiling it with a stable kernel. if you are using an unstable version
of gcc, this could contribute to this as well. it's really hard to debug
things if you aren't running stable software.


-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com]
On Behalf Of Forums
Sent: Friday, May 22, 2009 3:54 AM
To: focus-linux (at) securityfocus (dot) com
Subject: Re: curuncula dbr rootkit detection tool

Can't seem to compile this on my system.

(skimmer:~/Xploits/curuncula)% make
make -C /lib/modules/`uname -r`/build M=`pwd` modules
make[1]: Entering directory `/boot/src/linux-2.6.28-tuxonice-r8'
CC [M] /home/circut/Xploits/curuncula/curuncula_26.o
/home/circut/Xploits/curuncula/curuncula_26.c:42:1: warning: "rdmsr" redefined
In file included from
from include/linux/prefetch.h:14,
from include/linux/list.h:6,
from include/linux/module.h:9,
from /home/circut/Xploits/curuncula/curuncula_26.c:33:
warning: this is the location of the previous definition
/home/circut/Xploits/curuncula/curuncula_26.c: Assembler messages:
/home/circut/Xploits/curuncula/curuncula_26.c:232: Error: suffix or
operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:235: Error: suffix or
operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:238: Error: suffix or
operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:241: Error: suffix or
operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:244: Error: suffix or
operands invalid for `mov'
make[2]: *** [/home/circut/Xploits/curuncula/curuncula_26.o] Error 1
make[1]: *** [_module_/home/circut/Xploits/curuncula] Error 2
make[1]: Leaving directory `/boot/src/linux-2.6.28-tuxonice-r8'
make: *** [curuncula_26] Error 2
(skimmer:~/Xploits/curuncula)% uname -a
Linux skimmer 2.6.28-tuxonice-r8 #2 SMP Mon May 4 15:54:00 CDT 2009
x86_64 Intel(R) Core(TM)2 Duo CPU T7100 @ 1.80GHz GenuineIntel GNU/Linux

-Erik

On Fri, 24 Apr 2009 00:13:59 +0200
Giuseppe Cocomazzi <sbudella (at) email (dot) it> wrote:

> Hi,
> I've released a little program named Curuncula.
> Curuncula is a tool shipped as a loadable kernel module that aims to
> detect rootkits based on the Intel debugging support facilities.
> Rootkits that set the GD access flag are also detected. It makes use
> of the "last branch recording" mechanism provided by the Intel
> architecture. Supports both the 2.4 and 2.6 Linux kernels.
> Complete source code can be found here:
> I hope you find it useful.
> Regards,
> Giuseppe Cocomazzi
> --
> every day above ground is a good one.

--
Forums <forums (at) htbindustries (dot) org>
Copyright 2010, SecurityFocus