This talk is the final result of personal research into the FreeBSD kernel with the goal of building a clever kernel rootkit framework. The main goal was building tools that would be helpful in the development of FreeBSD rootkits.
A hypothetical rootkit, written with these tools, might be:
- Simple to trigger
- Simple to apply (without going through /dev/kmem or kernel .text)
- Opaque (very difficult to discover)
All these conditions are met by passing through the ABI (kernel binary emulation layer) subsystem.
The talk will show theoretical issues and a practical approach to crafting stealth rootkits with this new technique (in particular the remote usage of rootkits).
speaker: Attilio Rao
location: SITE A0150