Sacicon 2013 – talk

I’ve made available a ‘bogus’ version (since it is intended for educational purposes only) of our LKM Linux rootkit, the one which was the subject of my talk at Sacicon 2013.

The source code can be found here.


VMware fun install

VMCI hasn’t been the default since VMware Workstation 6, but it happens that with my version 9 it is enabled.

With my kernel 3.8.0-29 it breaks during module compilation at driver.c, an open-vm-tools file. A few syntax errors, like missing data type declarations and so on.

I could simply disable VMCI or fix the problem correctly, but this is my own computer at my home, so I decided that it wouldn’t be fun enough.

VMCI should get the file from:


But for some reason it is messing things up and using another file or re-generating some other shit.

The solution was to brute force it 🙂


PHP and mysqli_connect()

Here is a tip that may save a couple of hours: if you want to connect to a MySQL port other than the default 3306, do not use “localhost” as $host, because mysqli_connect and the deprecated mysql_connect will both ignore the port argument.

Use instead “”.

Lame but useful.

NX-Protected pages


Recently, while playing with ELF images inside the Linux kernel > 2.6.35, I was, by accident, surprised by a message from syslog after having my module killed:

kernel tried to execute NX-protected page – exploit attempt? (uid: 1000)

Now I am wondering if it is possible to toggle off the NX (NX stands for Never eXecute) bit, just like we can do with the 16th bit of cr0 for read-only pages…