what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 29 RSS Feed

Files from Tim Lawless

First Active1999-11-24
Last Active2002-10-28
StJude_LKM-0.22.tar.gz
Posted Oct 28, 2002
Authored by Tim Lawless | Site wwjh.net

Saint Jude LKM is a Linux Kernel Module for the 2.2.0 and 2.4.0 series of kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local and remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits.

Changes: Redhat 8.0's attempt to stop module rootkits stopped StJude as well - added code to discover the sys_call_table during initialization on systems with a non-exported sys_call_table. Fixed some bugs and include problems.
tags | remote, kernel, local, root
systems | linux
SHA-256 | 1d72affc7e06f7cbad96d2f3c0eab42e93abbff260cf5fbb62b13dfcbdf5468e
StJude_LKM-0.21.tar.gz
Posted Aug 7, 2002
Authored by Tim Lawless | Site sourceforge.net

Saint Jude LKM is a Linux Kernel Module for the 2.2.0 and 2.4.0 series of kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local and remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits.

Changes: Addition of Self Integrity Checks to Detect Attacks against StJude itself, Addition of configuration options to hard-code memory offsets into the source instead of discovery during load time permitting the loading of Stmichael from an initrd, before init spawns and the filesystems are mounted. Added in Kernel Licensing Code to Identify the Kernel License for Newer kernels - No more Tainted Kernels. Really Immutable filesystem support for ext3 fs added. Includes modifications to work with more recent ac kernels.
tags | remote, kernel, local, root
systems | linux
SHA-256 | 18ba017359747bd64ce087008e2e9a292252a6d9659754a1fc1928b307b99330
StMichael_LKM-0.11.tar.gz
Posted Aug 7, 2002
Authored by Tim Lawless | Site sourceforge.net

StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. Detects most modern LKM's, including KIS.

Changes: Addition of Self Integrity Checks to Detect Attacks Against StMichael itself. Added of configuration options to hard-code memory offsets into the source instead of discovery during load time, permitting loading of Stmichael from an initrd, before init spawns and the filesystems are mounted.
tags | kernel
systems | linux
SHA-256 | 05453e68b128c4bc3d111e203127ddebcf8a353f6d35be8a1568db78e5a6bcf9
OIR.pdf
Posted May 14, 2002
Authored by Tim Lawless | Site sourceforge.net

This paper puts forth the concept of intrusion resiliency as an emergent behavior that occurs within coupled intrusion detection and intrusion response mechanisms when the mechanisms, as a whole, exhibit a key set of identified attributes. An Illustrative example of how these attributes interact with each other to produce this behavior is given in the form of the Saint Jude Linux Kernel Module.

tags | paper, kernel
systems | linux
SHA-256 | 10cdd85dfc4ab9986f41339000087747a99bb2b8f9df26f4f9dd7d02256374a8
StJude_SKM-0.10.tar.gz
Posted May 14, 2002
Authored by Tim Lawless | Site sourceforge.net

The Saint Jude Solaris Kernel module is a port of the StJude_LKM kernel module into the Solaris 8 kernel for both 32 and 64 bit architectures. This Module implements the Saint Jude Model for the detection of improper privilege transitions. This will permit the discovery of local and remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits. This is the First public release of the StJude Solaris Kernel Module (SKM). The Version number, though, parallels the capability and maturity of its sister program StJude_LKM. Tested on single and dual Sparc and ultrasparc I/II on Solaris 8.

tags | remote, kernel, local, root
systems | unix, solaris
SHA-256 | cd6b25d7d4a1edb3285c886a6099b8ea8394efc2f6767f20103414573115a6ba
StMichael_LKM-0.10.tar.gz
Posted Mar 30, 2002
Authored by Tim Lawless | Site sourceforge.net

StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. Detects most modern LKM's, including KIS.

Changes: Really Immutable filesystem support for ext3 fs added, Added in Kernel Licensing Code to Identify the Kernel License for newer kernels, Backup kernel is now obscured from string searches using the weak crypt function, Added needed modifications to support the newer Alan Cox Kernels, with the different VM system, fixed lots of compilation issues, and better docs.
tags | kernel
systems | linux
SHA-256 | 3cadd9c000f7abda3f802cd86a8bb3e997005480eea923b062032b96f0c4b9e4
StMichael_LKM-0.08.tar.gz
Posted Jan 22, 2002
Authored by Tim Lawless | Site sourceforge.net

StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. Detects most modern LKM's, including KIS.

Changes: Addition of ability to restore a system attacked using kernel modification techniques such as a Silvio Stealth syscall by reloading the kernel without a reboot. Addition of Checks to detect the possible subversion of the kernel at loadtime. Now does Full Kernel Text Validation.
tags | kernel
systems | linux
SHA-256 | cfdc95d46449ec34094b6f6d84b7777f5aa317ca625e1df739166a92bce9f556
StMichael_LKM-0.07.tar.gz
Posted Oct 30, 2001
Authored by Tim Lawless | Site sourceforge.net

StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. Detects most modern LKM's, including KIS.

Changes: Fixed a serious bug that could cause a kernel Oops if StMichael was not the first module loaded into the system.
tags | kernel
systems | linux
SHA-256 | a7774eef3632893c5a98ee5c960e6b6f9dbac1d3f386cf18305d212787aaa0c8
StMichael_LKM-0.06.tar.gz
Posted Oct 25, 2001
Authored by Tim Lawless | Site sourceforge.net

StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. Detects most modern LKM's, including KIS.

Changes: Began code and signature obfuscation work to conceal commonly found strings, Introduced permanent immutability to files on ext2 fs, and other misc code beautification.
tags | kernel
systems | linux
SHA-256 | aea8dd329d274f75e8784ed565f3fbfe92bc1d968087cc372f4a6edd4e673f6a
StJude_LKM-0.20.tar.gz
Posted Jul 30, 2001
Authored by Tim Lawless | Site sourceforge.net

Saint Jude LKM is a Linux Kernel Module for the 2.2.0 and 2.4.0 series of kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local and remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits.

Changes: Introduced kernel integrity checking, and module support on systems that require module support. Added Read-Only /dev/kmem support. Eliminated the double-execve problem. New configuration script simplifies platform identification, and selection of compile-time options. Updated checks, verified compatibility with 2.4.7, and updated documentation. Changed license to GNU.
tags | remote, kernel, local, root
systems | linux
SHA-256 | 10ed91c76ecba958bba10ae5f2976871efdc47add4787b162dbce8be5ca574c9
StMichael_LKM-0.05.tar.gz
Posted Jul 12, 2001
Authored by Tim Lawless | Site sourceforge.net

StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. Detects most modern LKM's, including KIS.

Changes: Added Checks to Detect modules hiding their presence, Added Read-Only /dev/kmem, and Added VFS checking.
tags | kernel
systems | linux
SHA-256 | 33b2a82b72ad4b69da6a97ec42e2075330adf82b34899f654194adb5c628dd98
StMichael_LKM-0.04.tar.gz
Posted Jul 11, 2001
Authored by Tim Lawless | Site sourceforge.net

StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. This is a experimental version, and a spin off from the Saint Jude Project.

Changes: Added the SHA1 checksum to complement the md5's, added timers to periodically revalidate the kernel, added a configuration script, and added some demos which will trigger StMichael.
tags | kernel
systems | linux
SHA-256 | a0d290b17442053787c6652f23397b32b04e3066b225c9bafc040f367dd857d5
StMichael_LKM-0.03.tar.gz
Posted Jun 5, 2001
Authored by Tim Lawless | Site sourceforge.net

StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. This is a experimental version, and a spin off from the Saint Jude Project.

Changes: Added md5 checksums to the contents of system calls, added cloaking to hide the presence of StMichael, and its symbols. Since StMichael cause the rootkits to not work as expected, we do not want to give away any useful debugging information.
tags | kernel
systems | linux
SHA-256 | 3a46b99429e5f1bbbff87fa24b0ed3404e912a0cc93c119499d0f899367e02a6
StMichael_LKM-0.02.tar.gz
Posted May 10, 2001
Authored by Tim Lawless | Site sourceforge.net

StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. This is a experimental version, and a spin off from the Saint Jude Project.

Changes: Fixed an inverted match which could cause kernel to hang on attempt to unload StMichael.
tags | kernel
systems | linux
SHA-256 | 909fea48bf854a5ec92e4a60a669b1c0609f13118aa49647f57b775f69d65db4
StMichael_LKM-0.01.tar.gz
Posted May 8, 2001
Authored by Tim Lawless | Site sourceforge.net

StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. This is a experimental version, and a spin off from the Saint Jude Project.

tags | kernel
systems | linux
SHA-256 | dc244889f82b38409d2d4895342ec004e2fe8ee52ab5326ddf12acc3346c0b4d
StJude_LKM-0.12.tar.gz
Posted Apr 6, 2001
Authored by Tim Lawless | Site sourceforge.net

Saint Jude LKM is a Linux Kernel Module for the 2.2.0 and 2.4.0 series of kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local and remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits.

Changes: Updated checks and verified compatibility with 2.4.3, and fixed some theoretical bugs.
tags | remote, kernel, local, root
systems | linux
SHA-256 | 9e042e8ecd4bbafd3dca641ff8fa9f48f4ea1fb717af57f9a4757911c51662a0
StJude_LKM-0.11.tar.gz
Posted Mar 20, 2001
Authored by Tim Lawless | Site sourceforge.net

Saint Jude LKM is a Linux Kernel Module for the 2.2.0 and 2.4.0 series of kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local, and ultimately, remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits.

Changes: Several compilation problems are fixed, in addition to a bug where if a process exec'd() without forking, and it was an override rule -- the first execution wouldn't be recorded through learning.
tags | remote, kernel, local, root
systems | linux
SHA-256 | 96e04303160a68d54a4aa8a20b4c0084a12f42e3081363121c48adc0914ea087
StJude_LKM-0.10.tar.gz
Posted Mar 19, 2001
Authored by Tim Lawless | Site sourceforge.net

Saint Jude LKM is a Linux Kernel Module for the 2.2.0 and 2.4.0 series of kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local, and ultimately, remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits.

Changes: This is the most stable version yet. Tested with kernel 2.4. Added Learning Parser to facilitate the generation of the Rulebase from the Learning Mode output. Combined with the Override directive, remote root attacks may be thwarted.
tags | remote, kernel, local, root
systems | linux
SHA-256 | f7f922f8f16946ab95f37c07600d7d52e13c7d3e3b2865374f613ca83947a95c
StJude_LKM-0.07.tar.gz
Posted Mar 19, 2001
Authored by Tim Lawless | Site sourceforge.net

Saint Jude LKM is a Linux Kernel Module for 2.2.0 and greater kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local, and ultimately, remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work equally well for both known and unknown exploits.

Changes: Fixes problems on some of the newer Linux distributions. Makefile can now find include files better.
tags | remote, kernel, local, root
systems | linux
SHA-256 | c105819d64f6618d2359f51876d4b6557c65033cc7bb9236e94192f35a1f1e23
StJude_LKM-0.06.tar.gz
Posted Dec 17, 2000
Authored by Tim Lawless | Site sourceforge.net

Saint Jude LKM is a Linux Kernel Module for 2.2.0 and greater kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local, and ultimately, remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work equally well for both known and unknown exploits.

Changes: Fixed some broken code from 0.05 due to a 2AM release.
tags | remote, kernel, local, root
systems | linux
SHA-256 | 3e8c3b45c5408af069bcf8afd580a27ef66c4ba362fb62e8019194ddb54b3518
StJude_LKM-0.05.tar.gz
Posted Dec 15, 2000
Authored by Tim Lawless | Site sourceforge.net

Saint Jude LKM is a Linux Kernel Module for 2.2.0 and greater kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local, and ultimately, remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work equally well for both known and unknown exploits.

Changes: Added new response method which will execute an external command to record and deal with the intrusion. It is likely to be noted by an astute individual that this also affords the opportunity to counter-attack the attacker, using their control channel against them.
tags | remote, kernel, local, root
systems | linux
SHA-256 | 0a1f1e745c9305728343c29b50726a9384d6f9f0123caec99ec9473b156315fb
StJudeModel.pdf
Posted Nov 2, 2000
Authored by Tim Lawless | Site sourceforge.net

This paper describes how the StJude kernel module stops local and remote exploits from being successful. The Saint Jude model for improper privilege transitions terminates program execution when it is exploited even if the exploit is unknown.

tags | paper, remote, kernel, local
systems | unix
SHA-256 | 32a264782ffbeb3b1d5ac2fe7295419e164d7bcced7404713c2fa709c85c1ee7
StJude_LKM-0.04.tar.gz
Posted Nov 2, 2000
Authored by Tim Lawless | Site sourceforge.net

Saint Jude LKM is a Linux Kernel Module for 2.2.11 and greater kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local, and ultimately, remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occuring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits.

Changes: Fixed bugs, added a Makefile, hid the old execve better, added a homepage.
tags | remote, kernel, local, root
systems | linux
SHA-256 | 37643ba93bc57afffa0b2696e08bb971606429da0f856cdd4260620c42f1b387
StJude_LKM-0.03.tar.gz
Posted Aug 11, 2000
Authored by Tim Lawless

Saint Jude LKM is a Linux Kernel Module for 2.2.11 and greater kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local, and ultimately, remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occuring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits.

Changes: Support for SMP kernels, module-sealing is enabled, and a memory leak fix.
tags | remote, kernel, local, root
systems | linux
SHA-256 | 7a4167f795924aff6fa44181378b1bca05d209648a56ee122e5379cb791f53d9
StJude_LKM-0.02.tar.gz
Posted Jul 29, 2000
Authored by Tim Lawless

Saint Jude LKM is a Linux Kernel Module for the 2.2.0 series of kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local, and ultimately, remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occuring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits.

Changes: Fixed bug which would prevent the setreuid syscal from being restored upon exit.
tags | remote, kernel, local, root
systems | linux
SHA-256 | e6bee285fc2507dd3ee0f6b64ca1459171be968066027209d9f561350491b65d
Page 1 of 2
Back12Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close