Date: Sat, 8 Sep 2001 16:21:29 +0200
From: "Sansonetti Laurent" <lorenzo@linuxbe.org>
To: <deepak@ai.net>
Cc: <freebsd-hackers@freebsd.org>
Subject: Re: Kernel-loadable Root Kits
Message-ID: <002f01c13871$8dc2d360$0201a8c0@teledisnet.be>
References: <GPEOJKGHAMKFIOMAGMDIGEHGFHAA.deepak@ai.net>
Hello,

> Short question:
>
> Is there a way to prevent the kernel from allowing loadable modules?

Yes, by hacking kldload(2). You can also switch the secure level using sysctl.

> With the advent of the kernel-loadable root kit, intrusion detection has
> gotten a bit more complicated. Is there a _simple_ solution to detecting the
> presence of a kernel-based root kit once it is running?

1) scan the sysent table and check syscall pointers (generally, rootkits intercept syscalls)
2) scan the tail queue called 'modules' (note, many rootkits erase their entry in MOD_LOAD)

Hope this helps,

-- 
Sansonetti Laurent - http://lrz.linuxbe.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
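The two checks in the answer above, as an added example that is not code from this thread or from FreeBSD: a user-space C model that walks a sysent-like table, flags every handler pointer that no longer falls inside the base kernel text, and then cross-references each such pointer against a module list. A redirected handler that belongs to a listed module is at least explainable; one that belongs to no listed module is exactly what a rootkit that erased its own entry in MOD_LOAD leaves behind. `struct sysent_entry`, `struct module_entry`, the plain linked list standing in for the kernel's `modules` TAILQ, and all address ranges are constructed for the example; in a real kernel the same walk would run from a kld or over /dev/kmem with the kernel's actual text bounds.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for one sysent[] slot: only the handler address matters for this check. */
struct sysent_entry {
    uintptr_t sy_call;
};

/* Stand-in for one record on the kernel's 'modules' tail queue (a plain
 * singly linked list here instead of a TAILQ, to keep the model portable). */
struct module_entry {
    const char *name;
    uintptr_t text_start;   /* first byte of the module's code */
    uintptr_t text_end;     /* one past the last byte */
    struct module_entry *next;
};

struct scan_result {
    size_t listed;    /* slots whose handler lives in a module that is on the list */
    size_t unlisted;  /* slots whose handler lives in code no listed module owns */
};

static int in_range(uintptr_t addr, uintptr_t start, uintptr_t end)
{
    return addr >= start && addr < end;
}

/* Check 2 from the mail: walk the module list and report which entry (if any)
 * owns the address. NULL means nothing on the list claims it. */
const struct module_entry *owning_module(const struct module_entry *mods, uintptr_t addr)
{
    for (const struct module_entry *m = mods; m != NULL; m = m->next)
        if (in_range(addr, m->text_start, m->text_end))
            return m;
    return NULL;
}

/* Check 1 from the mail, cross-referenced with check 2: every handler pointer
 * should fall inside the base kernel text; if it does not, it should at least
 * belong to a module that is honestly registered on the list. */
struct scan_result scan_sysent(const struct sysent_entry *table, size_t n,
                               uintptr_t ktext_start, uintptr_t ktext_end,
                               const struct module_entry *mods)
{
    struct scan_result r = { 0, 0 };
    for (size_t i = 0; i < n; i++) {
        uintptr_t h = table[i].sy_call;
        if (in_range(h, ktext_start, ktext_end))
            continue;                     /* unmodified slot */
        const struct module_entry *m = owning_module(mods, h);
        if (m != NULL) {
            printf("syscall %zu: handler %#" PRIxPTR " redirected into listed module %s\n",
                   i, h, m->name);
            r.listed++;
        } else {
            printf("syscall %zu: handler %#" PRIxPTR " outside kernel text and every listed module\n",
                   i, h);
            r.unlisted++;
        }
    }
    return r;
}

/* Constructed sample (not real addresses): kernel text is [0x1000, 0x2000),
 * one module is listed at [0x3000, 0x3100), and two slots have been redirected. */
struct scan_result demo_scan(void)
{
    static struct module_entry listed_kld = { "example.ko", 0x3000, 0x3100, NULL };
    static const struct sysent_entry table[] = {
        { 0x1010 },   /* untouched: points into kernel text */
        { 0x1040 },   /* untouched */
        { 0x3020 },   /* redirected into the listed module: visible and explainable */
        { 0x4000 },   /* redirected into code nobody on the list owns: hidden module */
    };
    return scan_sysent(table, sizeof table / sizeof table[0], 0x1000, 0x2000, &listed_kld);
}

int main(void)
{
    struct scan_result r = demo_scan();
    printf("listed-module hooks: %zu, unexplained hooks: %zu\n", r.listed, r.unlisted);
    return r.unlisted != 0;
}
```

The pointer check only catches handlers that were swapped out of sysent; a kit that patches the body of the original handler in place leaves the pointer inside kernel text, so a checksum of the handler code (or a comparison against a snapshot taken at boot) is the complementary check a practitioner would add.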