FHRP: [ Download tarball | Read Paper ]
Published: [ BFi#12-dev-01 ]
Translations: [ English Version | French Version ]

Find Hidden Resident Process (fhrp) is a kernel module that finds a subtle family of hidden processes
(for example those hidden by extensive hijacking of the scheduler and of the task structures) running
on a Linux box, even when the core kernel is already compromised.
It runs in interrupt context, using the timer interrupt and the cr3 control register to find
inconsistencies in process-switch management: the page directory loaded in cr3 at each tick should belong
to a task that the kernel's process list accounts for. It tends to scale poorly on boxes with high network
or system load; see the todo list for the known shortcomings and planned improvements.
This tool was co-developed with Twiz (twiz< at >antifork.org)
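To make the consistency check concrete, here is an added, user-space model of it. This is example code written for this page, not fhrp's own source: the cr3 samples, the task table and the page-directory addresses are constructed values, and the task list is a plain array with a "linked" flag standing in for whether a task_struct is still reachable from init_task. In a real module the timer handler would read cr3 with read_cr3(), mask off the flag bits, and compare against task->mm->pgd while walking for_each_process(); the comparison logic is the same as shown here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* cr3 bits 0..11 carry PWT/PCD (or a PCID) flags, not address bits; the page
 * directory's physical address is the value with those bits cleared.        */
#define CR3_PGD_MASK (~(uint64_t)0xFFF)

/* Assumed physical address of the kernel's own page directory (init_mm.pgd /
 * swapper_pg_dir), used by the idle task and by kernel threads that have not
 * borrowed a user mm.  Constructed value for this example, not a real address. */
#define INIT_PGD 0x100000ULL

/* Minimal stand-in for task_struct: only what the check needs from each task. */
struct task {
    int pid;
    uint64_t pgd;   /* task->mm->pgd physical address (what cr3 holds while it runs) */
    bool linked;    /* true if reachable from init_task via for_each_process()       */
};

/* Result codes for one timer-tick sample. */
enum { TICK_KERNEL = 0, TICK_HIDDEN = -1 };

/*
 * One timer tick: given the raw cr3 value sampled in interrupt context, walk
 * the task list we are allowed to see and find who owns the running page
 * directory.  Returns the owning pid, TICK_KERNEL if cr3 points at the kernel's
 * own page directory, or TICK_HIDDEN if no linked task owns it: something is
 * being scheduled that the task list does not account for.
 */
int check_tick(uint64_t cr3, const struct task *tasks, size_t n)
{
    uint64_t pgd = cr3 & CR3_PGD_MASK;

    if (pgd == INIT_PGD)
        return TICK_KERNEL;

    for (size_t i = 0; i < n; i++) {
        if (!tasks[i].linked)           /* unlinked entries are invisible to the walk */
            continue;
        if (tasks[i].pgd == pgd)
            return tasks[i].pid;
    }
    return TICK_HIDDEN;
}

/*
 * Run the check over a series of sampled cr3 values (one per tick) and collect
 * the distinct page directories that no linked task owns.  Returns how many
 * distinct unknown pgds were seen; 'unknown' receives them (up to cap).
 */
size_t scan_ticks(const uint64_t *cr3_samples, size_t m,
                  const struct task *tasks, size_t n,
                  uint64_t *unknown, size_t cap)
{
    size_t found = 0;
    for (size_t t = 0; t < m; t++) {
        if (check_tick(cr3_samples[t], tasks, n) != TICK_HIDDEN)
            continue;
        uint64_t pgd = cr3_samples[t] & CR3_PGD_MASK;
        bool seen = false;
        for (size_t k = 0; k < found; k++)
            if (unknown[k] == pgd) { seen = true; break; }
        if (!seen && found < cap)
            unknown[found++] = pgd;
    }
    return found;
}

/* Constructed scenario: three processes, one of which a rootkit has unlinked
 * from the task list, yet the scheduler still switches cr3 to its pgd.       */
static const struct task SAMPLE_TASKS[] = {
    { .pid = 1,   .pgd = 0x1000000ULL, .linked = true  },
    { .pid = 42,  .pgd = 0x2000000ULL, .linked = true  },
    { .pid = 666, .pgd = 0x6660000ULL, .linked = false },   /* hidden */
};
#define SAMPLE_TASK_COUNT (sizeof SAMPLE_TASKS / sizeof SAMPLE_TASKS[0])

/* Constructed cr3 samples, as a timer handler would see them across ticks
 * (the low bits carry PWT/PCD flags, which the check must ignore).         */
static const uint64_t SAMPLE_CR3[] = {
    0x1000018ULL, 0x2000000ULL, INIT_PGD, 0x6660018ULL, 0x2000018ULL, 0x6660000ULL,
};
#define SAMPLE_CR3_COUNT (sizeof SAMPLE_CR3 / sizeof SAMPLE_CR3[0])

/* Run the scan over the constructed scenario; returns the number of distinct
 * page directories owned by no linked task.                                 */
size_t run_demo(uint64_t *unknown, size_t cap)
{
    return scan_ticks(SAMPLE_CR3, SAMPLE_CR3_COUNT,
                      SAMPLE_TASKS, SAMPLE_TASK_COUNT, unknown, cap);
}

int main(void)
{
    uint64_t unknown[8];
    size_t n = run_demo(unknown, 8);
    for (size_t i = 0; i < n; i++)
        printf("hidden process running with pgd 0x%llx\n",
               (unsigned long long)unknown[i]);
    return 0;
}
```

Two caveats a practitioner should keep in mind. A kernel thread has no mm of its own and runs on the active_mm it borrowed from the last user task, so its cr3 matches a linked task and does not trigger; and a process that has already left the task list but whose mm has not yet been torn down can produce a short-lived false positive, so a real detector should require the same unknown pgd to recur across ticks rather than alert on a single sample. Everything in the handler also runs with interrupts disabled, which is the scalability problem the page notes under high load.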
TIMER HIJACKING [ Read Paper (only Italian Version) ]
Published: [ BFi#12-dev-11 ]

This paper describes a technique for building robust, hard-to-check kernel-space code to hide ring-0 backdoors.
It combines relocatable code with kernel dynamic timers to take fully "real-time" control of a remote box.
The technique is completely flexible and can serve as a basis for re-implementing the old static approaches,
such as function hijacking and pointer redirection, with real-time self-modification.