From owner-freebsd-hackers Sun Sep 9 3:27:47 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from bugz.infotecs.ru (bugz.infotecs.ru [195.210.139.22]) by hub.freebsd.org (Postfix) with ESMTP id A7D4737B406 for ; Sun, 9 Sep 2001 03:27:40 -0700 (PDT)
Received: (from root@localhost) by bugz.infotecs.ru (8.11.6/8.11.4) id f89AREX05365; Sun, 9 Sep 2001 14:27:14 +0400 (MSD) (envelope-from vel)
From: "Eugene L. Vorokov"
Message-Id: <200109091027.f89AREX05365@bugz.infotecs.ru>
Subject: Re: Kernel-loadable Root Kits
To: charon@labs.gr (Giorgos Keramidas)
Date: Sun, 9 Sep 2001 14:27:14 +0400 (MSD)
Cc: freebsd-hackers@freebsd.org
In-Reply-To: <20010909001951.A6949@hades.hell.gr> from "Giorgos Keramidas" at Sep 09, 2001 12:19:51 AM
X-Mailer: ELM [version 2.5 PL5]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> > 1) scan the sysent table and check syscalls pointers (generally, rootkits
> > intercepts syscalls)
>
> This can get really "hairy". To scan the syscall table, even if you
> are 'root' and directly access /dev/mem you will have to use some
> system calls to open(), read() and seek() into the /dev/mem device.
> But those syscalls might be the intercepted ones: ouch!

Of course this is not to be done from a userland program. You should
write your own KLD module which will compare sysent[] values against
the standard system calls and list the differences. I don't really see
how a "root kit" can prevent such a scan.

Regards,
Eugene

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
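The sysent[] comparison Eugene describes, as an added example that is not his code: the diff logic is written as plain userland C so it compiles here, with the kernel table and text range replaced by a constructed sample; in a real KLD the live table is `sysent[0..SYS_MAXSYSCALL)` from `<sys/sysent.h>` and `<sys/syscall.h>`, and the baseline is a snapshot taken when the checker module is loaded at boot. It flags a slot when the handler pointer differs from the baseline or lies outside the kernel text segment (a hook installed by a loaded module lives elsewhere); note that it checks pointers only, so a rootkit that patches the handler bodies in place is not caught by this.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel's struct sysent; only the handler pointer matters here. */
struct sysent_mirror { uintptr_t sy_call; };

struct finding {
    int num;                 /* syscall number (index into the table) */
    uintptr_t seen, expected;
    int outside_text;        /* 1 if the handler is not inside [text_lo, text_hi) */
};

/* Walk the live table and report every slot whose handler differs from the
 * baseline or lies outside the kernel text range. Returns the count written. */
size_t scan_sysent(const struct sysent_mirror *live, const uintptr_t *baseline,
                   size_t n, uintptr_t text_lo, uintptr_t text_hi,
                   struct finding *out, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < n && found < max; i++) {
        int changed = live[i].sy_call != baseline[i];
        int outside = live[i].sy_call < text_lo || live[i].sy_call >= text_hi;
        if (changed || outside)
            out[found++] = (struct finding){ (int)i, live[i].sy_call, baseline[i], outside };
    }
    return found;
}

/* Constructed sample (not real kernel addresses): text is [0xC0100000, 0xC0400000).
 * Slot 2 was redirected within kernel text, slot 4 to an address in a loaded module. */
#define NSYS 6
static const uintptr_t demo_baseline[NSYS] =
    { 0xC0101000, 0xC0101100, 0xC0101200, 0xC0101300, 0xC0101400, 0xC0101500 };
static const struct sysent_mirror demo_live[NSYS] =
    { {0xC0101000}, {0xC0101100}, {0xC0102345}, {0xC0101300}, {0xC8A01000}, {0xC0101500} };
struct finding demo_out[NSYS];

size_t demo(void)
{
    return scan_sysent(demo_live, demo_baseline, NSYS, 0xC0100000, 0xC0400000,
                       demo_out, NSYS);
}

int main(void)
{
    size_t n = demo();
    for (size_t i = 0; i < n; i++)
        printf("syscall %d: handler %#lx, expected %#lx%s\n", demo_out[i].num,
               (unsigned long)demo_out[i].seen, (unsigned long)demo_out[i].expected,
               demo_out[i].outside_text ? " (outside kernel text)" : "");
    return 0;
}
```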