Date: Sun, 9 Sep 2001 12:36:42 +0200
From: "Sansonetti Laurent" <lorenzo@linuxbe.org>
To: "Giorgos Keramidas" <charon@labs.gr>
Cc: <freebsd-hackers@freebsd.org>
Subject: Re: Kernel-loadable Root Kits
Message-ID: <003601c1391b$50f7c580$0201a8c0@teledisnet.be>
References: <GPEOJKGHAMKFIOMAGMDIGEHGFHAA.deepak@ai.net> <002f01c13871$8dc2d360$0201a8c0@teledisnet.be> <20010909001951.A6949@hades.hell.gr>
Hello,

> > 1) scan the sysent table and check syscall pointers (generally, rootkits
> > intercept syscalls)
>
> This can get really "hairy". To scan the syscall table, even if you
> are 'root' and directly access /dev/mem you will have to use some
> system calls to open(), read() and seek() into the /dev/mem device.
> But those syscalls might be the intercepted ones: ouch!

I don't think so; you can easily make a KLD which simply scans the table and checks the pointers. This is not really good but it'll work.

> Instead of worrying after the module has been loaded it's much safer
> to run the kernel in securelevel>=1 when modules cannot be loaded
> without a reboot to single-user mode.

You might see this: http://www.s0ftpj.org/tools/securelvl.tgz (I haven't tested it yet).

> -giorgos

--
Sansonetti Laurent - http://lrz.linuxbe.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
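The sysent check Laurent describes, as an added illustration that is not code from this thread or from FreeBSD: a userland C model of the comparison a KLD would perform over `sysent[]`, flagging handlers that point outside kernel text or differ from a baseline taken while the table was trusted. The `sysent_entry` struct, the kernel text range and the table contents are constructed stand-ins; as Giorgos notes, the real check has to live inside the kernel module rather than go through userland syscalls.

```c
/* Added example, not from this thread or from FreeBSD: a userland model of the
 * sysent pointer check a KLD would run. Struct, addresses and table are constructed. */
#include <stdint.h>
#include <stdio.h>

struct sysent_entry { uintptr_t sy_call; };  /* stand-in for FreeBSD's struct sysent */
#define KTEXT_START 0xc0100000UL  /* constructed kernel text range */
#define KTEXT_END   0xc0400000UL

/* Per-slot findings: handler outside kernel text, or changed since a trusted baseline. */
enum { SYSENT_OK = 0, SYSENT_OUT_OF_TEXT = 1, SYSENT_CHANGED = 2 };

int check_entry(uintptr_t now, uintptr_t base, uintptr_t lo, uintptr_t hi)
{
    int flags = SYSENT_OK;
    if (now < lo || now >= hi) flags |= SYSENT_OUT_OF_TEXT;
    if (now != base)           flags |= SYSENT_CHANGED;
    return flags;
}

/* Walk the table, report each suspicious slot, return how many there were. */
size_t scan_sysent(const struct sysent_entry *tab, const uintptr_t *base,
                   size_t n, uintptr_t lo, uintptr_t hi)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        int f = check_entry(tab[i].sy_call, base[i], lo, hi);
        if (f == SYSENT_OK) continue;
        bad++;
        printf("syscall %zu: sy_call=%#lx baseline=%#lx%s%s\n", i,
               (unsigned long)tab[i].sy_call, (unsigned long)base[i],
               (f & SYSENT_OUT_OF_TEXT) ? " [outside kernel text]" : "",
               (f & SYSENT_CHANGED) ? " [differs from baseline]" : "");
    }
    return bad;
}

/* Constructed sample: slot 3 re-pointed within kernel text, slot 5 re-pointed
 * outside it (where a loaded module would live); the rest are untouched. */
static const uintptr_t baseline[6] = { 0xc0101000UL, 0xc0101100UL, 0xc0101200UL,
                                       0xc0101300UL, 0xc0101400UL, 0xc0101500UL };
static const struct sysent_entry table[6] = { {0xc0101000UL}, {0xc0101100UL}, {0xc0101200UL},
                                              {0xc0102000UL}, {0xc0101400UL}, {0xc5000000UL} };

int main(void)
{
    size_t bad = scan_sysent(table, baseline, 6, KTEXT_START, KTEXT_END);
    printf("%zu suspicious entries\n", bad);  /* 2 for the sample above */
    return bad != 0;
}
```

A baseline-only comparison misses nothing a range check catches, but the range check alone would miss slot 3, which is why the model reports both findings separately.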