Re: curuncula dbr rootkit detection tool
Can't seem to compile this on my system.

(skimmer:~/Xploits/curuncula)% make
make -C /lib/modules/`uname -r`/build M=`pwd` modules
make[1]: Entering directory `/boot/src/linux-2.6.28-tuxonice-r8'
CC [M] /home/circut/Xploits/curuncula/curuncula_26.o
/home/circut/Xploits/curuncula/curuncula_26.c:42:1: warning: "rdmsr" redefined
In file included from /boot/src/linux-2.6.28-tuxonice-r8/arch/x86/include/asm/processor.h:20,
from include/linux/prefetch.h:14,
from include/linux/list.h:6,
from include/linux/module.h:9,
from /home/circut/Xploits/curuncula/curuncula_26.c:33:
/boot/src/linux-2.6.28-tuxonice-r8/arch/x86/include/asm/msr.h:134:1: warning: this is the location of the previous definition
/home/circut/Xploits/curuncula/curuncula_26.c: Assembler messages:
/home/circut/Xploits/curuncula/curuncula_26.c:232: Error: suffix or operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:235: Error: suffix or operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:238: Error: suffix or operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:241: Error: suffix or operands invalid for `mov'
/home/circut/Xploits/curuncula/curuncula_26.c:244: Error: suffix or operands invalid for `mov'
make[2]: *** [/home/circut/Xploits/curuncula/curuncula_26.o] Error 1
make[1]: *** [_module_/home/circut/Xploits/curuncula] Error 2
make[1]: Leaving directory `/boot/src/linux-2.6.28-tuxonice-r8'
make: *** [curuncula_26] Error 2
(skimmer:~/Xploits/curuncula)% uname -a
Linux skimmer 2.6.28-tuxonice-r8 #2 SMP Mon May 4 15:54:00 CDT 2009 x86_64 Intel(R) Core(TM)2 Duo CPU T7100 @ 1.80GHz GenuineIntel GNU/Linux

-Erik

On Fri, 24 Apr 2009 00:13:59 +0200
Giuseppe Cocomazzi <sbudella@xxxxxxxx> wrote:

Hi,
I've released a little program named Curuncula.
Curuncula is a tool shipped as a loadable kernel module that aims to
detect rootkits based on the Intel debugging support facilities.
Rootkits that set the GD access flag are also detected. It makes use of
the "last branch recording" mechanism provided by the Intel
architecture. Supports both the 2.4 and 2.6 Linux kernels.
Complete source code can be found here:
http://packetstormsecurity.org/UNIX/audit/curuncula.tgz

I hope you find it useful.
Regards,
Giuseppe Cocomazzi

--
every day above ground is a good one.
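The debug-register checks the announcement describes, together with the 32- versus 64-bit operand issue that most plausibly produces the `mov` errors in the build log above, as an added example that is not Curuncula's code: a decoder for the x86 DR7 control register reporting the GD flag and armed hardware breakpoints. The DR7 bit layout follows the Intel SDM; the `read_dr7` helper and the stated cause of the assembler error are assumptions, and the sample values are constructed.

```c
/* Added example, not part of Curuncula or this thread: decode the x86 DR7
 * debug-control register as a debug-register rootkit detector would, reporting
 * whether GD (general detect, bit 13) is set and which hardware breakpoints
 * DR0..DR3 are armed.  Bit layout per the Intel SDM; sample values constructed. */
#include <stdbool.h>
#define DR7_GD (1UL << 13)   /* GD: trap any mov to or from a debug register */
struct dr7_bp {
    bool     enabled;   /* L (local) or G (global) enable bit set */
    unsigned rw;        /* 0 exec, 1 write, 3 read/write (2 is I/O on some CPUs) */
    unsigned len;       /* 0 1 byte, 1 2 bytes, 3 4 bytes, 2 8 bytes on x86_64 */
};
struct dr7_state {
    bool          gd;
    struct dr7_bp bp[4];
};
/* Pure decoder: testable without touching real debug registers. */
struct dr7_state decode_dr7(unsigned long dr7)
{
    struct dr7_state s = { .gd = (dr7 & DR7_GD) != 0 };
    for (int i = 0; i < 4; i++) {
        unsigned long l = (dr7 >> (2 * i)) & 1, g = (dr7 >> (2 * i + 1)) & 1;
        s.bp[i].enabled = l || g;
        s.bp[i].rw  = (unsigned)((dr7 >> (16 + 4 * i)) & 3);
        s.bp[i].len = (unsigned)((dr7 >> (18 + 4 * i)) & 3);
    }
    return s;
}
/* Number of armed breakpoints; a detector flags any it did not arm itself. */
int armed_breakpoints(unsigned long dr7)
{
    struct dr7_state s = decode_dr7(dr7);
    int n = 0;
    for (int i = 0; i < 4; i++) n += s.bp[i].enabled;
    return n;
}
#ifdef __KERNEL__
/* Assumption about the build failure above: with an unsigned long operand the
 * mov assembles on both i386 and x86_64, whereas a 32-bit operand on x86_64
 * gives "suffix or operands invalid for `mov'".  Ring 0 only. */
static inline unsigned long read_dr7(void)
{
    unsigned long v;
    __asm__ __volatile__("mov %%db7, %0" : "=r"(v));
    return v;
}
#endif
```

In a module build, `decode_dr7(read_dr7())` yields the same structure the user-space test exercises on constructed values.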


--
Forums <forums@xxxxxxxxxxxxxxxxx>