From owner-freebsd-hackers Sun Sep 9 3:32:39 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from mail.teledis.be (mail.teledis.be [217.117.32.52]) by hub.freebsd.org (Postfix) with ESMTP id 1F25237B405 for ; Sun, 9 Sep 2001 03:32:32 -0700 (PDT)
Received: from natalie ([217.117.38.8]) by mail.teledis.be (Netscape Messaging Server 4.15) with SMTP id GJE5A801.H7T; Sun, 9 Sep 2001 12:32:32 +0200
Message-ID: <003601c1391b$50f7c580$0201a8c0@teledisnet.be>
From: "Sansonetti Laurent"
To: "Giorgos Keramidas"
Cc:
References: <002f01c13871$8dc2d360$0201a8c0@teledisnet.be> <20010909001951.A6949@hades.hell.gr>
Subject: Re: Kernel-loadable Root Kits
Date: Sun, 9 Sep 2001 12:36:42 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hello,

> > 1) scan the sysent table and check syscall pointers (generally, rootkits
> > intercept syscalls)
>
> This can get really "hairy". To scan the syscall table, even if you
> are 'root' and directly access /dev/mem you will have to use some
> system calls to open(), read() and seek() into the /dev/mem device.
> But those syscalls might be the intercepted ones: ouch!

I don't think so, you can easily make a KLD which simply scans the table
and checks the pointers. This is not really good but it'll work.

> Instead of worrying after the module has been loaded it's much safer
> to run the kernel in securelevel>=1 when modules cannot be loaded
> without a reboot to single-user mode.

You might see this: http://www.s0ftpj.org/tools/securelvl.tgz (I haven't
tested it yet).

> -giorgos

--
Sansonetti Laurent - http://lrz.linuxbe.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message