Differences:
Modelling methods:
Differences between SQL and NoSQL:
Automated conversion of SQL to MongoDB syntax:
MySQL to MongoDB converter:
28 Apr
Just piecing together various resources from the internet:
11 Apr
Looking through the various rootkit detectors:
A-Protect https://github.com/sincoder/A-Protect.git
Blackbone https://github.com/DarthTon/Blackbone.git
chkrootkit https://github.com/Magentron/chkrootkit.git
kjackal https://github.com/dgoulet/kjackal.git
ossec-hids https://github.com/ossec/ossec-hids.git
rootkit.com https://github.com/bowlofstew/rootkit.com.git
rootkit_detector https://github.com/Freedzone/rootkit_detector.git
rootkit-detector https://github.com/CMQY/rootkit-detector.git
ScDetective https://github.com/kedebug/ScDetective.git
wazuh https://github.com/wazuh/wazuh.git
Some are Linux-based and some are Windows-based. So here I am proposing more features to add to this technology: a Linux userspace rootkit detector (for userspace rootkits, not kernel-based ones):
1. Dynamic library injection through LD_PRELOAD. Upon startup of the process, the environment variable LD_PRELOAD will already have been defined. This is not common, but it can be easily detected:
/proc/PID/environ lists all the environment variables the process was started with.
As can be seen there, the environment variables are NULL-terminated, so “grep”, which is newline-based, will not work on the file directly, but overcoming this is easy.
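The NULL-terminated layout is the only obstacle: splitting the file on `\0` instead of `\n` gives a normal key/value table (the shell equivalent is `tr '\0' '\n' < /proc/PID/environ | grep LD_PRELOAD`). The script below is an added example, not code from any of the projects listed above; the sample environ bytes are constructed, and the live scan simply walks /proc, so it only sees processes of other users when run as root.

```python
import os
from typing import Dict, Optional


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Split the NUL-separated contents of /proc/PID/environ into a dict."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\0"):
        if not entry:
            continue
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def ld_preload_of(raw: bytes) -> Optional[str]:
    """Return the LD_PRELOAD value a process was started with, or None."""
    return parse_environ(raw).get("LD_PRELOAD")


def scan_live_processes() -> Dict[int, str]:
    """Walk /proc and report every PID whose startup environment set LD_PRELOAD."""
    hits: Dict[int, str] = {}
    if not os.path.isdir("/proc"):
        return hits
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                raw = fh.read()
        except OSError:  # no permission, or the process exited while scanning
            continue
        value = ld_preload_of(raw)
        if value:
            hits[int(pid)] = value
    return hits


# Constructed sample of what /proc/PID/environ holds for a process that was
# started with a preloaded library (library path is a made-up example).
SAMPLE_ENVIRON = (
    b"PATH=/usr/bin:/bin\0HOME=/root\0LD_PRELOAD=/tmp/libhook.so\0SHELL=/bin/bash\0"
)
CLEAN_ENVIRON = b"PATH=/usr/bin:/bin\0HOME=/root\0"

if __name__ == "__main__":
    print("sample:", ld_preload_of(SAMPLE_ENVIRON))
    for pid, lib in scan_live_processes().items():
        print(f"pid {pid}: LD_PRELOAD={lib}")
```

Two caveats worth keeping in mind when reading the results: /proc/PID/environ reflects the environment block the process was started with, which a process may overwrite later, and the same preload effect can be configured system-wide through /etc/ld.so.preload without any environment variable, so that file deserves a check of its own.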
2. Network port opening: a rootkit may be listening on certain ports waiting for incoming connections, so a simple “netstat” should reveal any abnormal listening ports.
3. Network connections: for a server which mainly deals with LAN-based transactions (e.g., an Oracle database), all communication will most likely be local. The presence of a rootkit disrupts this generalization and its patterns: an internet IP address showing up in these exchanges will likely indicate an internal LAN-based agent communicating with an internet-based agent.
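Both checks (2) and (3) can be made from /proc/net/tcp, which is where netstat gets its data. The parser below is an added example rather than code from the page; the table excerpt is constructed, with the listening-port baseline and the "LAN-only server" assumption supplied by the caller. It decodes the little-endian hex addresses, lists listening ports that are not on the baseline, and reports established connections whose peer is outside private, loopback or link-local space.

```python
import ipaddress
from typing import Iterable, List, Tuple

Addr = Tuple[str, int]
TCP_ESTABLISHED, TCP_LISTEN = "01", "0A"  # state codes as printed in /proc/net/tcp


def decode_addr(field: str) -> Addr:
    """Decode an IPv4 'ADDR:PORT' field: 8 hex digits in host (little-endian)
    byte order for the address, then the port as big-endian hex."""
    ip_hex, port_hex = field.split(":")
    ip = ipaddress.IPv4Address(int(ip_hex, 16).to_bytes(4, "little"))
    return str(ip), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[Tuple[Addr, Addr, str]]:
    """Return (local, remote, state) for every socket row; line 1 is the header."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        rows.append((decode_addr(fields[1]), decode_addr(fields[2]), fields[3]))
    return rows


def listening_ports(rows) -> List[int]:
    return sorted({local[1] for local, _, state in rows if state == TCP_LISTEN})


def unexpected_listeners(rows, expected_ports: Iterable[int]) -> List[int]:
    """Listening ports absent from the host's known-service baseline."""
    expected = set(expected_ports)
    return [port for port in listening_ports(rows) if port not in expected]


def internet_peers(rows) -> List[Tuple[Addr, Addr]]:
    """Established connections whose peer is not private/loopback/link-local,
    i.e. the 'internet IP address' outliers on a LAN-only server."""
    peers = []
    for local, remote, state in rows:
        if state != TCP_ESTABLISHED:
            continue
        ip = ipaddress.IPv4Address(remote[0])
        if not (ip.is_private or ip.is_loopback or ip.is_link_local):
            peers.append((local, remote))
    return peers


def read_live_table(path: str = "/proc/net/tcp"):
    with open(path) as fh:
        return parse_proc_net_tcp(fh.read())


# Constructed excerpt: sshd on 22, an unexplained listener on 8080, a LAN client
# on the Oracle listener port 1521, and one outbound connection to a public host.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:05F1 0B00000A:C350 01 00000000:00000000 00:00000000 00000000   500        0 12347 1 0000000000000000 20 4 30 10 -1
   3: 0A00000A:B2F1 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    rows = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    print("unexpected listeners:", unexpected_listeners(rows, {22, 1521}))
    print("internet peers:", internet_peers(rows))
```

IPv6 sockets live in /proc/net/tcp6 with 32-hex-digit addresses and need a separate decoder; UDP listeners are in /proc/net/udp, where the "listening" notion is a bound socket with no peer. Pair the port baseline with the inode column and /proc/PID/fd to find which process owns an unexpected socket.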
4. With the dynamic library injection described in (1) above, you would expect to see some unusual library files injected alongside the traditional locations of library files:
Either “lsof” or “cat /proc/PID/smaps” will reveal all the dynamic libraries loaded by the process:
Therefore, detect the possible existence of outliers in the enumerated dynamic libraries; for example, library files whose paths come from non-standard directories: is this normal?
BUT do take note that the absence of such library files does not mean none is in use: shellcode can be written to call dlopen() dynamically to load the library file (a vulnerability then has to be used to execute the shellcode), and to dlclose() it after use.
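The outlier check on the library enumeration can be automated from /proc/PID/maps (the same mappings smaps reports, without the per-mapping statistics). The script below is an added example, not code from the page or from the detectors listed above; the maps excerpt is constructed and the set of "traditional" library directories is an assumption to tune per distribution. Besides paths outside those directories it also flags mappings whose backing file has been unlinked, since a library that is loaded and then deleted from disk still shows up in maps with a "(deleted)" suffix; the dlopen()/dlclose() case described above is the one this snapshot cannot catch, because the mapping is gone by the time you look.

```python
import os
from typing import Dict, List, Set, Tuple

# Assumed baseline of where libraries normally live; adjust for the host.
STANDARD_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def mapped_libraries(maps_text: str) -> Set[str]:
    """Collect every file-backed shared object mapped into a process.
    /proc/PID/maps columns: address perms offset dev inode pathname."""
    libs: Set[str] = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6 or parts[4] == "0":  # inode 0: anonymous, [stack], [vdso] ...
            continue
        path = parts[5]
        if ".so" in path.rsplit("/", 1)[-1]:  # keep libfoo.so, libc.so.6, ld-linux-x86-64.so.2
            libs.add(path)
    return libs


def library_outliers(libs: Set[str], standard_dirs=STANDARD_LIB_DIRS) -> List[Tuple[str, str]]:
    """Return (path, reason) for libraries that deserve a closer look."""
    flagged = []
    for path in sorted(libs):
        if path.endswith(" (deleted)"):
            flagged.append((path, "mapped file has been unlinked"))
        elif not path.startswith(standard_dirs):
            flagged.append((path, "outside standard library directories"))
    return flagged


def scan_live_processes() -> Dict[int, List[Tuple[str, str]]]:
    """Apply the outlier check to every readable /proc/PID/maps."""
    report: Dict[int, List[Tuple[str, str]]] = {}
    if not os.path.isdir("/proc"):
        return report
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/maps") as fh:
                outliers = library_outliers(mapped_libraries(fh.read()))
        except OSError:
            continue
        if outliers:
            report[int(pid)] = outliers
    return report


# Constructed maps excerpt: libc and the loader from the usual place, one library
# from /tmp, and one whose file was deleted after being loaded.
SAMPLE_MAPS = """\
55d3c0a00000-55d3c0a21000 r--p 00000000 fd:01 1310722  /usr/bin/sshd
7f2a4c000000-7f2a4c022000 r--p 00000000 fd:01 3932161  /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a4c022000-7f2a4c1b7000 r-xp 00022000 fd:01 3932161  /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a4c400000-7f2a4c404000 r-xp 00000000 fd:01 4204800  /tmp/libhook.so
7f2a4c500000-7f2a4c502000 r-xp 00000000 fd:01 4204801  /dev/shm/libdrop.so (deleted)
7f2a4c600000-7f2a4c622000 r--p 00000000 fd:01 3932200  /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0        [stack]
7ffd1a0f0000-7ffd1a0f2000 r-xp 00000000 00:00 0        [vdso]
"""

if __name__ == "__main__":
    for path, reason in library_outliers(mapped_libraries(SAMPLE_MAPS)):
        print(f"{path}: {reason}")
    for pid, outliers in scan_live_processes().items():
        print(pid, outliers)
```

A path-based allow-list is a heuristic: a legitimately installed application may ship libraries under /opt, so the point is to make a reviewer look, not to decide on its own. Comparing the mapped file's inode and device against the package manager's file list is the stronger follow-up.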
And there are so many other possibilities: what if a process is actively snooping on the keyboard buffer (for each terminal)? What if someone is listening on the mouse?
Doing a “dmesg|grep hda”, I can find a lot of references to /devices/pci* indicating things like /sound/cardx/inputy, or devices/*sound/card0/input0; these are called “devfs”.
Two techniques are available: the Linux notification API and a device-capturing program via devfs.
If you issue an “lsof” you can easily estimate how many mouse- and keyboard-listening processes there are: