Re: Found, a new rootkit

Tim wrote:

This is a "wake" as in turn on again, no matter what the system state
was (e.g. could be sleep, or soft off).  And, in this case, it's a
function of the motherboard.  You don't even need any system software,
it's done by BIOS (you could remove the hard drive), and you'd get the
turned off systemboard come to life if your modem (or any other IRQ you
picked upon in your BIOS power management settings) triggered a wake up
event.

Hmm. In that case Joanne's comment is apropos. It may or may not
have anything to do with interrupts.

NB:  This is different from the ring indicator in the RS-232 line.
That's yet another event that can be used.

You can wake up the motherboard through the BIOS, which will *then* boot
up the system (if it can).  Or, you can have a halted OS that unhalts
when a wake up event happens, so your OS handles it instead of the BIOS.

Sounds like a reasonably complicated I/F which is likely to conceal
defects. Too many fingers in the pie.

All in all, that goes back to the idea that if your serial port has an
IRQ associated with it, which they can (*) do.  Any activity on the port
generates an IRQ (regardless of whether you've got software paying
attention to the serial port).  Such IRQs are important events that the

Any enabled IRQ. Normally, the chipsets emulate the old 16550 chip,
which allows separate enables on Transmit Empty, Receive Full,
Control Line Change (CTS, etc.).

CPU pays attention to.  Now, if you haven't got software configured to
do something with the event, it doesn't go and do anything.  But the CPU
has been interrupted to check whether it should.

In any case, perhaps the BIOS can enable interrupts. I proposed that
we try an experiment. Since I'm more interested in Truth than in
Being Right, what do you say I build you a bootable floppy image with
an interrupt capture program I wrote several years ago, and we'll
try it out?

Want some IRQ fun?  Give someone a PS/2 mouse with an intermittent break
in the lead.  Nudging the cable sends a mass of IRQs thanks to the PS/2
port, which can bring Win98 to its knees for no obvious reason
(especially if the mouse still appears to work).  ;-)

* On boards like this, you *can* preset IRQs and addresses for a COM
port to use, much the same as jumpers on ye olde systems.  You set them
for plug and play, where the OS will configure them (or not).  Or you

I'm aware of this, but thanks for the info, anyway.

[snip]

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!

