I've been experimenting with the suckit rootkit, and I've determined that either A) it can't really hide processes, or B) I've set it up wrong. But the file-hiding works perfectly, so...I'm leaning towards just finding another way to hide processes. Any ideas?
Also, I KNOW I setup adore-ng wrong, as it just..dies. THis is my output:
# ./ava I
Checking for adore 0.12 or higher ...
Tried to authorized myself. No luck, no adore?
Found adore 1.-1 installed. Please update adore.
ELITE_UID: <removed>, ELITE_GID=<removed>, ADORE_KEY=<removed> CURRENT_ADORE=<removed>
adore 1.-1? What? Is there a way to remove it and start over? Obviously, rmmod won't work...Thanks in advance
I've been experimenting with the suckit rootkit, and I've determined that either A) it can't really hide processes, or B) I've set it up wrong. But the file-hiding works perfectly, so...I'm leaning towards just finding another way to hide processes. Any ideas?
Also, I KNOW I setup adore-ng wrong, as it just..dies. THis is my output:
# ./ava I
Checking for adore 0.12 or higher ...
Tried to authorized myself. No luck, no adore?
Found adore 1.-1 installed. Please update adore.
ELITE_UID: <removed>, ELITE_GID=<removed>, ADORE_KEY=<removed> CURRENT_ADORE=<removed>
adore 1.-1? What? Is there a way to remove it and start over? Obviously, rmmod won't work...Thanks in advance
I cannot possibly see the point in learning to use a rootkit that is not intended for wrong doing.
now if you were trying to learn how to write a rootkit, or write an exploit that would be a different story, but flat out learning how to use or install a rootkit is just umm must I say script-kiddie behavior
you might as well be asking someone how to install subseven
www.SwiftLayer.com
SwiftLayer serves a multitude of customer needs, from the small businesses to the corporate giants, we have researched and delivered solutions that are perfect for today yet adaptable for tomorrow. SwiftLayer's shared hosting, virtual hosting, and managed hosting is the ideal choice for business success.
I cannot possibly see the point in learning to use a rootkit that is not intended for wrong doing.
now if you were trying to learn how to write a rootkit, or write an exploit that would be a different story, but flat out learning how to use or install a rootkit is just umm must I say script-kiddie behavior
So, you simply ASSUMED that I am not in the process of writing said rootkit. I am, thank you very much. I was looking at adore for ideas. Don't just assume someone is a script kiddie without checking the intent first.
I think that you could write your own 'ps' command, and switch it with the one on the machine.
It would work as the usual 'ps' command but would not display the processes you want to hide.
That's a little messy, don't you think? You have to deal with linking the right libraries and all that. Plus, from the "dark side", so to speak, you then have to deal with applications such as tripwire. I was leaning towards an LKM solution, and I already found out how to do it. It's fairly simple; just pull the entry out of the linked list of processes in the kernel.
If you need the easiest method go for a modified ps but as mentionned tripwire is able to detect it. Best method is still the kernel module but it's still detectable...
Interestingly enough, my LKM loads, hides a process by PID passed on the command line (Example: insmod rootkit.o 809) and then can be removed, leaving it NEARLY undetectable. It's not quite a perfect system, but it works.
Sign In
Register
Help
MultiQuote
