jm33_ng
  • Course notes
  • Misc
  • Pentest
  • Programming
  • Tools
  • Vulnerabilities

jm33_ng


cyber security / noob developer / poor English

Hook System Calls in Linux 5.x

Date Thu 12 December 2019 Tags pentest / rootkit / linux / lkm

success

how to disable WP when cr0 is "pinned"?

you can read my previous article

according to this stackoverflow question, we cannot:

  • disable CR0's Write-Protection bits
  • set RO page to RW

i think ive found a solution:

since lkm runs in ring0, why not just write to cr0 directly, why bother …

View comments.

more ...

We Can No Longer Easily Disable CR0 WP (Write-Protection)

Date Thu 12 December 2019 Tags pentest / rootkit / linux / lkm

commit

this commit makes write_cr0(read_cr0() | 0x10000) useless, next time you see a 5.x linux kernel, good luck

according to this stackoverflow question, we cannot:

  • disable CR0's Write-Protection bits
  • set RO page to RW

i think ive found a solution:

since lkm runs in ring0, why not just write to …

View comments.

more ...
  • «
  • 1
  • 2
  • 3
  • 4
  • »

About jm33

Who

  • Cyber Security Researcher

Contact

  • 0x3A5DBF07

  • Mastodon

  • Leave a message

  • Social

    • Twitter
    • GitHub
    • LinkedIn
    • StackOverflow

  • Recent Posts

    • Hook System Calls in Linux 5.x
    • We Can No Longer Easily Disable CR0 WP (Write-Protection)
    • Linux Rootkit for Fun and Profit - 0x03 - LKM - Hide from ss/netstat
    • Linux Rootkit for Fun and Profit - 0x02 - LKM - Hide files/procs
    • Linux Rootkit for Fun and Profit - 0x01 - LKM

  • Tags
    • 404
    • 443
    • active directory
    • ad
    • announcement
    • antivirus
    • anyconnect
    • apache
    • arch
    • assembly
    • asu
    • backdoor
    • baidu
    • blackhat
    • bridge
    • buffer overflow
    • C#
    • career
    • censorship
    • cisco
    • code maintainance
    • compton
    • conhost
    • conpty
    • Coursera
    • credential harvesting
    • crypto
    • cryptography
    • CVE
    • CVE-2018-18955
    • CVE-2018-7750
    • diary
    • DNS污染
    • DPI
    • email
    • emp3r0r
    • exploit
    • file transfer
    • gdb
    • gfw
    • ghidra
    • github
    • Glowing Bear
    • golang
    • gpu
    • great wall
    • greatwall
    • hacking
    • hacking tool
    • HiWiFi
    • HTTP2
    • https
    • injection
    • IRC
    • 极路由
    • KCP
    • kcptun
    • kernel
    • killer
    • lede
    • libvirt
    • life
    • linux
    • linux kernel
    • lkm
    • log cleaner
    • LPE
    • macos
    • mass exploit
    • mec
    • memory layout
    • mentohust
    • Misc
    • mouse
    • multi-threaded crawler
    • namespace
    • natural scroll
    • netcat
    • network
    • nic
    • obfs4
    • obfsproxy
    • ocserv
    • openwrt
    • paramiko
    • pentest
    • pep8
    • PGP
    • pi
    • port-forwarding
    • post-exploitation
    • privilege escalation
    • programming
    • project
    • proxy
    • ptrace
    • PTRACE_TRACEME
    • python
    • pythonic
    • qemu
    • QQ
    • quote
    • RCE
    • reverse shell
    • reversing
    • rootkit
    • s2-045
    • scanner
    • scramblesuit
    • secure boot
    • SEED lab
    • sfu
    • shadowsocks
    • shadowsocks-plus
    • shell
    • shellcode
    • socket
    • SS
    • ssh
    • ssh-harvester
    • sshd
    • SSL
    • Stanford
    • sudo
    • switch
    • systemd
    • terminal
    • Thomas Jefferson
    • TMUX
    • tools
    • trasparent proxy
    • vim
    • virtualbox
    • virtualization
    • vpn
    • wayland
    • web
    • weechat
    • windows
    • windows domain
    • windows server
    • xfce4
    • xfwm
    • xhost
    • xml
    • zoomeye
© 2019 jm33-ng - About this site

Creative Commons License Content licensed under a Creative Commons Attribution-NonCommercial 4.0 International License, except where indicated otherwise.

Images hosted on this site are either my own or from the Internet