linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)
git clone git://git.deurzen.net/linux-rootkit

commit 7204638200b96cf7267993fec98aaa6ec3576e8e
parent fadca86b45ca23024ea19b5e524c77fad69c1512
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date:   Sat,  6 Feb 2021 21:10:00 +0100

Change agenda; finalize livedm section (for now!)

Diffstat:
M project/slides/presentation.tex | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 56 insertions(+), 12 deletions(-)

diff --git a/project/slides/presentation.tex b/project/slides/presentation.tex @@ -12,17 +12,13 @@ \begin{frame}{\insertsection} \begin{enumerate} \item Background - \begin{itemize} - \item Dynamic Kernel Memory - \item LiveDM - \end{itemize} - \item Possible Approaches - \begin{itemize} - \item Xen, KVM, QEMU - \end{itemize} - \item Our Approach - \item Results - \item Discussion / Questions + \begin{itemize} + \item Dynamic Kernel Memory + \item LiveDM + \end{itemize} + \item Our Approach + \item Results + \item Discussion / Questions \end{enumerate} \end{frame} @@ -65,7 +61,7 @@ \framesubtitle{LiveDM - Overview} \begin{itemize} - \item Three phases exist to create the mapping: + \item Three phases \footnote{The word 'phase' is not the best pick here} exist to create the mapping: \begin{enumerate} \pause \item Gathering of necessary values 
@@ -93,6 +89,54 @@ \end{itemize} \end{frame} +\begin{frame}{\insertsection} + \framesubtitle{LiveDM - Phase 2} + + \begin{itemize} + \item In phase 2, the scope of memory monitoring is chosen + \begin{itemize} +\pause + \item Offer snapshots of the memory map (containing type and size for allocated memory) + \begin{itemize} + \item We offer this in our PoC + \end{itemize} +\pause + \item Trace every memory access on known memory blocks + \begin{itemize} + \item We are able to showcase that on a small example + \end{itemize} + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame}{\insertsection} + \framesubtitle{LiveDM - Phase 3} + + \begin{itemize} + \item In phase 3, the caller's address is translated into a type +\pause + \begin{itemize} + \item Relies on instrumenting GCC to retrieve abstract syntax tree (AST) + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame}{\insertsection} + \framesubtitle{LiveDM - Motivation} + + \begin{itemize} + \item Why do we need this information? Possible answers include.. + \begin{enumerate} +\pause + \item To make dynamic memory less transparent +\pause + \item To utilize this information for debugging +\pause + \item \textcolor{yellow}{To utilize this information for rootkit detection} + \end{enumerate} + \end{itemize} +\end{frame} + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
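Review bot: in the first hunk (@@ -12,17 +12,13 @@), the `\begin{itemize}` ... `\end{itemize}` block under `\item Background` and the `Our Approach` / `Results` / `Discussion / Questions` items are deleted and re-added with identical content, so the only substantive change to the agenda is dropping `\item Possible Approaches` and its `Xen, KVM, QEMU` sub-item; the whitespace-only churn hides that. Suggest re-indenting in a separate commit, or leaving the indentation alone, so the diff shows just the removed agenda items. The commit message says only "Change agenda"; a line on why the Possible Approaches item was dropped (and whether the corresponding frames were removed too) would keep the agenda and the deck in sync for the next reader.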
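Review bot: in the second hunk (@@ -65,7 +61,7 @@), `\footnote{The word 'phase' is not the best pick here}` is an author's note-to-self that will be typeset on the slide. Either settle the wording now (for example "steps" or "stages", which matches the `\begin{enumerate}` that follows) or park the remark in a `%` comment so it never reaches the rendered deck. If the word is renamed, the new frames in this same commit are subtitled `LiveDM - Phase 2` and `LiveDM - Phase 3`, so those subtitles need the same rename.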
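Review bot: in the third hunk (@@ -93,6 +89,54 @@), the `\pause` lines are flush-left while everything around them is indented, and "Possible answers include.." uses a two-dot ellipsis; indent the `\pause` lines to match their list level and write `include\dots` or end the sentence with a colon. In the `LiveDM - Phase 3` frame, "retrieve abstract syntax tree (AST)" reads better as "retrieve the abstract syntax tree (AST)". The `\textcolor{yellow}{...}` highlight in the Motivation frame depends on the beamer theme's background colour; check the contrast on the rendered slide, or use `\alert{...}`, which takes its colour from the theme.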