simple rootkits for vmi detection demonstration (kernel version 2.6.32-5)
Hi,
I should give a small talk in a VM course about virtual machine introspection.
I would like to give a simple demonstration as well, by finding a simple rootkit with VMI which hides from ps/top/netstat within the infected machine.
So, here comes my problem: I seem to be unable to infect my debian test machine due to all available rootkits being for lower kernel versions and downgrading the kernel is somewhat of a dependency nightmare.
Are there any simple rootkits that hide from ps/top/netstat without being too focused on a certain kernel version? The rootkit does not have to be undetectable by normal security measures. It should just not show up on ps/top/netstat. (And obviously I have root access on the infected machine.)
I tried KBeast which seems to be suitable for 2.6.32, but it fails to build probably due to 2.6.32-5 kernel headers.
Note that it is no problem if the rootkit only works for a specific distribution, since reinstalling the infected machine is quicker than sorting through source code.