Re: LKM rootkits in 2.6.x

From: Dave Jones
Date: Thu Mar 11 2004 - 13:52:07 EST


On Thu, Mar 11, 2004 at 11:26:23AM -0800, pg smith wrote:
> Any thoughts on the future of LKM rootkits in the 2.6 kernel branch? In
> the last few years I've become quite interested in them (from a defensive
> point of view), but with the 2.6 kernel no longer exporting the syscall
> table, intercepting system calls would appear to be a non-starter now.

Don't bet on it. They'll just start doing what binary-only driver vendors
have been doing for months. If the table isn't exported, they find a symbol
that is exported, and grovel around in memory near there until they find
something that looks like it, and patch accordingly.

Dave

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
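The scan Dave describes, as an added user-space model that is not part of the original thread and does not touch a real kernel: "kernel memory" is a constructed array of function pointers, the "exported" handlers are local stubs, and the syscall numbers are assumed i386-style values used only as probe indices. The heuristic is the one a 2.6-era module would use once it had the address of some exported symbol: walk outward one pointer at a time and accept a position only if several known handler addresses (the classic probe was sys_close, which 2.6 still exported) sit at their __NR_ indices. A partial-match decoy is planted to show why a single probe is not enough. The same comparison, run against a snapshot taken before any module loads, is the defender's check that the table has been patched.

```c
/* Added example: locate and patch a syscall-table-shaped array near a known
 * address, then detect the patch. Everything here is constructed; no real
 * kernel symbols, addresses or syscall numbers are used. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef long (*syscall_fn)(void);

/* Stand-ins for handlers whose addresses the scanner is assumed to know. */
static long stub_read(void)   { return 3; }
static long stub_write(void)  { return 4; }
static long stub_open(void)   { return 5; }
static long stub_close(void)  { return 6; }
static long stub_filler(void) { return -1; }   /* unrelated pointer */
static long evil_open(void)   { return 1000; } /* the rootkit's replacement */

/* Assumed probe indices (illustrative, not a real ABI table). */
enum { NR_READ = 3, NR_WRITE = 4, NR_OPEN = 5, NR_CLOSE = 6, NR_MAX = 8 };

struct probe { size_t nr; syscall_fn fn; };

static const struct probe known[] = {
    { NR_READ,  stub_read  }, { NR_WRITE, stub_write },
    { NR_OPEN,  stub_open  }, { NR_CLOSE, stub_close },
};
#define NKNOWN (sizeof known / sizeof known[0])

/* Scan nslots pointers starting at base; return the first position at which
 * every probe's handler sits at its syscall index, or NULL if none does. */
static syscall_fn *find_table(syscall_fn *base, size_t nslots,
                              const struct probe *probes, size_t nprobes)
{
    size_t max_nr = 0;
    for (size_t i = 0; i < nprobes; i++)
        if (probes[i].nr > max_nr) max_nr = probes[i].nr;
    for (size_t off = 0; off + max_nr < nslots; off++) {
        size_t hits = 0;
        for (size_t i = 0; i < nprobes; i++)
            if (base[off + probes[i].nr] == probes[i].fn) hits++;
        if (hits == nprobes)          /* all probes must agree */
            return base + off;
    }
    return NULL;
}

/* Constructed "kernel memory": 64 pointer slots. A decoy at slot 12 matches
 * only read/write; the real table starts at slot 40. */
#define MEM_SLOTS 64
#define TABLE_AT  40
static syscall_fn fake_mem[MEM_SLOTS];

static void build_memory(void)
{
    for (size_t i = 0; i < MEM_SLOTS; i++) fake_mem[i] = stub_filler;
    fake_mem[12 + NR_READ]  = stub_read;    /* decoy: partial match */
    fake_mem[12 + NR_WRITE] = stub_write;
    fake_mem[TABLE_AT + NR_READ]  = stub_read;
    fake_mem[TABLE_AT + NR_WRITE] = stub_write;
    fake_mem[TABLE_AT + NR_OPEN]  = stub_open;
    fake_mem[TABLE_AT + NR_CLOSE] = stub_close;
}

/* Offset (in slots) of the located table, or -1 if the scan fails. */
static long demo_find_offset(void)
{
    build_memory();
    syscall_fn *t = find_table(fake_mem, MEM_SLOTS, known, NKNOWN);
    return t ? (long)(t - fake_mem) : -1;
}

/* What the rootkit does once it has the table: swap an entry, keep the old one. */
static syscall_fn hook_syscall(syscall_fn *table, size_t nr, syscall_fn repl)
{
    syscall_fn old = table[nr];
    table[nr] = repl;
    return old;
}

/* Defender's check: entries that differ from a trusted snapshot. */
static size_t count_modified(const syscall_fn *live, const syscall_fn *snap, size_t n)
{
    size_t changed = 0;
    for (size_t i = 0; i < n; i++) if (live[i] != snap[i]) changed++;
    return changed;
}

static long demo_hook_count_modified(void)
{
    build_memory();
    syscall_fn *t = find_table(fake_mem, MEM_SLOTS, known, NKNOWN);
    if (!t) return -1;
    syscall_fn snap[NR_MAX];
    memcpy(snap, t, sizeof snap);           /* taken before the "rootkit" ran */
    hook_syscall(t, NR_OPEN, evil_open);
    return (long)count_modified(t, snap, NR_MAX);
}

static long demo_hooked_call(void)
{
    build_memory();
    syscall_fn *t = find_table(fake_mem, MEM_SLOTS, known, NKNOWN);
    if (!t) return -1;
    syscall_fn old = hook_syscall(t, NR_OPEN, evil_open);
    return t[NR_OPEN]() - old() + 5;        /* 1000 - 5 + 5: call now hits evil_open */
}

int main(void)
{
    printf("table at slot %ld\n", demo_find_offset());
    printf("entries modified after hook: %ld\n", demo_hook_count_modified());
    printf("hooked open returns %ld\n", demo_hooked_call());
    return 0;
}
```

In a real module the base would be the address of whatever symbol is still exported and the window a few pages on either side of it; the scan must also be prepared to fault on unmapped pages, which this model does not show. The multi-probe requirement is what rejects the decoy at slot 12, and it is the same comparison a detector performs against a boot-time snapshot, so the more probes the rootkit needs to be sure, the more entries the defender can verify.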