Re: LKM rootkits in 2.6.x

From: Horst von Brand
Date: Thu Mar 11 2004 - 15:34:43 EST


pg smith <pete@xxxxxxxxxxxxxx> said:
> Any thoughts on the future of LKM rootkits in the 2.6 kernel branch ? In
> the last few years I've become quite interested in them (from a defensive
> point of view), but with the 2.6 kernel no longer exporting the syscall
> table, intercepting system calls would appear to be a non-starter now. In
> a perverse sort of way, I'm actually rather disappointed: all that
> learning gone to waste.

If you get to load a module, you are in-kernel. Once there, you can either
use what you know are the offsets for $distro-$version-$arch kernel and be
in business as usual, or fool around on your own. Harder than before, yes.
Impossible, by no means.
--
Dr. Horst H. von Brand User #22616 counter.li.org
Departamento de Informatica Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria +56 32 654239
Casilla 110-V, Valparaiso, Chile Fax: +56 32 797513