Date: Sun, 9 Sep 2001 14:27:14 +0400 (MSD)
From: "Eugene L. Vorokov" <vel@bugz.infotecs.ru>
To: charon@labs.gr (Giorgos Keramidas)
Cc: freebsd-hackers@freebsd.org
Subject: Re: Kernel-loadable Root Kits
Message-ID: <200109091027.f89AREX05365@bugz.infotecs.ru>
In-Reply-To: <20010909001951.A6949@hades.hell.gr> from "Giorgos Keramidas" at Sep 09, 2001 12:19:51 AM
> > 1) scan the sysent table and check syscall pointers (generally, rootkits
> > intercept syscalls)
>
> This can get really "hairy". To scan the syscall table, even if you
> are 'root' and directly access /dev/mem you will have to use some
> system calls to open(), read() and seek() into the /dev/mem device.
> But those syscalls might be the intercepted ones: ouch!

Of course this is not to be done from a userland program. You should write your own KLD module which will compare sysent[] values against standard system calls and list the differences. I don't really see how a "root kit" can prevent such a scan.

Regards,
Eugene
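The comparison Eugene describes, as an added user-space C model that is not from this thread and not a real KLD: it checks each sysent[] entry against a baseline copied while the system was known good and also flags handlers that point outside the kernel text segment. The entry struct, the text-segment bounds and all addresses are assumptions constructed for the demonstration; on FreeBSD the real struct sysent lives in sys/sysent.h and the same loop would run inside the kernel, where it does not depend on possibly hooked open()/read() syscalls.

```c
#include <stddef.h>
#include <stdint.h>

/* Cut-down model of a FreeBSD sysent[] entry; constructed for this example,
 * not the kernel's own struct sysent (which has more fields). */
struct sysent_entry {
    int sy_narg;        /* argument count */
    uintptr_t sy_call;  /* handler address (sy_call_t * in the kernel) */
};

/* Compare the live table with a baseline copied while the system was known
 * good, and flag any handler outside the kernel text [text_start, text_end),
 * where a KLD hook would reside. Returns the count; numbers go to hooked[]. */
size_t scan_sysent(const struct sysent_entry *live,
                   const struct sysent_entry *baseline, size_t nsyscalls,
                   uintptr_t text_start, uintptr_t text_end,
                   size_t *hooked, size_t max_hooked)
{
    size_t found = 0;
    for (size_t i = 0; i < nsyscalls; i++) {
        int changed = live[i].sy_call != baseline[i].sy_call ||
                      live[i].sy_narg != baseline[i].sy_narg;
        int outside = live[i].sy_call < text_start || live[i].sy_call >= text_end;
        if (changed || outside) {
            if (found < max_hooked)
                hooked[found] = i;
            found++;
        }
    }
    return found;
}

/* Constructed sample tables: syscall 5 (open on FreeBSD) has been redirected
 * into module address space. Every address here is made up. */
#define DEMO_N 7
static const struct sysent_entry demo_baseline[DEMO_N] = {
    {0, 0xc0251000u}, {1, 0xc0251100u}, {0, 0xc0251200u}, {3, 0xc0251300u},
    {3, 0xc0251400u}, {3, 0xc0251500u}, {1, 0xc0251600u} };
static const struct sysent_entry demo_live[DEMO_N] = {
    {0, 0xc0251000u}, {1, 0xc0251100u}, {0, 0xc0251200u}, {3, 0xc0251300u},
    {3, 0xc0251400u}, {3, 0xc4c12000u}, {1, 0xc0251600u} };

/* Scan the sample tables; returns the hook count, first hit in *first if given. */
size_t demo_scan(size_t *first)
{
    size_t hooked[DEMO_N];
    size_t n = scan_sysent(demo_live, demo_baseline, DEMO_N,
                           0xc0100000u, 0xc0400000u, hooked, DEMO_N);
    if (first) *first = n ? hooked[0] : (size_t)-1;
    return n;
}
size_t demo_first_hooked(void) { size_t f; demo_scan(&f); return f; }
```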
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200109091027.f89AREX05365>