[Gllug] Memory scanning

Richard Jones rich at annexia.org
Sat Sep 4 14:49:58 UTC 2010


On Sat, Sep 04, 2010 at 03:15:08PM +0100, Dave Lambley wrote:
> The OS would normally mark the executable sections of memory as read
> only. At least, I'd hope it would.

Precisely.  If you don't trust the integrity of the OS, then there's
not much point trusting the scanning program running inside it.

It's possible, though not simple, to do this from the hypervisor.  I
have written programs which scan the kernel for its version, look at
the process table and so on, and from there it's possible to scan the
executable pages of any running process of interest to you.  I did it
via this libvirt API:

http://libvirt.org/html/libvirt-libvirt.html#virDomainMemoryPeek

Then you've got the question of what you are scanning for, which is
yet another excellent example of 'enumerating badness':

http://www.ranum.com/security/computer_security/editorials/dumb/

All in all I'd say this idea is both hard and stupid.  However, lots
of people have made tons of money from similar stupid ideas (most
recently, Intel paid $7B for McAfee) so I say go for it.  Even better,
take out a bogus software patent and wait until someone else does it,
then sue them.  It's the American Way (TM)!

Rich.

-- 
Richard Jones
Red Hat
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
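An added example (not Rich's code, and not part of the original list post) of the hypervisor-side scan he describes: read guest-physical memory through libvirt's memoryPeek, locate the kernel's "Linux version" banner, then hash executable pages and compare them against a set of known-good hashes. Everything is assumptions for illustration: the scanner takes any `peek(addr, length)` callable, so it runs here against a constructed in-memory "guest" (banner string, one fake code page); `libvirt_peek` is a thin wrapper for a real `libvirt.virDomain`, and the 64 KiB chunk size is a guess at the per-call cap libvirt's remote protocol imposes on memoryPeek, to be tuned for your build.

```python
"""Scan a guest's physical memory from outside the guest.

Added example, not from the GLLUG post.  The scanner is parameterised by a
peek(addr, length) -> bytes callable so it can be driven either by libvirt
(virDomain.memoryPeek) or by a constructed fake guest for offline testing.
"""
import hashlib
import re
from typing import Callable, Iterator, List, Optional, Set, Tuple

PAGE_SIZE = 4096
# Assumption: libvirt's remote protocol caps the bytes returned by one
# memoryPeek call (64 KiB in older releases), so the scan runs in chunks.
CHUNK = 64 * 1024
# Bytes re-read across a chunk boundary so a string straddling it is seen whole.
OVERLAP = 256

PeekFn = Callable[[int, int], bytes]

# The linux_banner string as it appears in kernel memory and /proc/version.
BANNER_RE = re.compile(rb"Linux version (\d+\.\d+[^\s]*) \(")


def libvirt_peek(dom) -> PeekFn:
    """Wrap a libvirt.virDomain (assumed libvirt-python) as a guest-physical peek."""
    import libvirt  # imported lazily: not needed for the fake guest below
    return lambda addr, n: dom.memoryPeek(addr, n, libvirt.VIR_MEMORY_PHYSICAL)


def iter_chunks(peek: PeekFn, start: int, size: int) -> Iterator[Tuple[int, bytes]]:
    """Yield (phys_addr, data) windows covering [start, start + size)."""
    addr, end = start, start + size
    while addr < end:
        n = min(CHUNK, end - addr)
        yield addr, peek(addr, n)
        addr += n


def find_kernel_version(peek: PeekFn, mem_size: int) -> Optional[Tuple[int, str]]:
    """Return (phys_addr, version) of the first Linux banner in guest RAM, or None."""
    tail = b""
    for addr, data in iter_chunks(peek, 0, mem_size):
        window = tail + data              # prepend the previous chunk's tail
        base = addr - len(tail)           # physical address of window[0]
        m = BANNER_RE.search(window)
        if m:
            return base + m.start(), m.group(1).decode()
        tail = window[-OVERLAP:]
    return None


def hash_pages(peek: PeekFn, start: int, length: int) -> Iterator[Tuple[int, str]]:
    """Yield (page_addr, sha256) for each page-sized slice of [start, start + length)."""
    for addr, data in iter_chunks(peek, start, length):
        for off in range(0, len(data), PAGE_SIZE):
            yield addr + off, hashlib.sha256(data[off:off + PAGE_SIZE]).hexdigest()


def check_pages(peek: PeekFn, start: int, length: int,
                known_good: Set[str]) -> List[Tuple[int, str]]:
    """Pages in the range whose hash is not in the known-good set (tampered or unknown)."""
    return [(a, h) for a, h in hash_pages(peek, start, length) if h not in known_good]


def make_fake_guest(mem_size: int = 256 * 1024):
    """Constructed sample guest: zeroed RAM, a kernel banner, and one 'code' page.

    The banner is placed so it straddles the first CHUNK boundary, exercising
    the overlap logic.  Returns (ram, peek) with peek closing over the mutable
    ram so a test can tamper with a page afterwards.
    """
    ram = bytearray(mem_size)
    banner = b"Linux version 2.6.35 (build@host) (gcc version 4.5.1) #1 SMP"
    banner_addr = CHUNK - 20              # "Linux version 2.6.35" ends exactly at the boundary
    ram[banner_addr:banner_addr + len(banner)] = banner
    code_addr = 128 * 1024
    ram[code_addr:code_addr + PAGE_SIZE] = bytes([0x90]) * PAGE_SIZE  # stand-in for a code page
    return ram, (lambda addr, n: bytes(ram[addr:addr + n]))


if __name__ == "__main__":
    ram, peek = make_fake_guest()
    print("kernel banner:", find_kernel_version(peek, len(ram)))
    good = {h for _, h in hash_pages(peek, 128 * 1024, PAGE_SIZE)}
    ram[128 * 1024 + 17] ^= 0xCC          # simulate an in-guest patch of the code page
    print("modified pages:", check_pages(peek, 128 * 1024, PAGE_SIZE, good))
```

Against a real domain, replace the fake peek with `libvirt_peek(dom)`; the page hashes only mean something once the scanned range has been mapped to a process or kernel text segment by walking guest structures, which is the "not simple" part of the post and is outside this snippet.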