Re: LKM rootkits in 2.6.x

From: Jirka Kosina
Date: Sat Mar 13 2004 - 19:48:05 EST


On Thu, 11 Mar 2004, Dave Jones wrote:

> > Any thoughts on the future of LKM rootkits in the 2.6 kernel branch ? In
> > the last few years I've become quite interested in them (from a defensive
> > point of view), but with the 2.6 kernel no longer exporting the syscall
> > table, intercepting system calls would appear to be a non-starter now.
> Don't bet on it. They'll just start doing what binary-only driver vendors
> have been doing for months.. If the table isn't exported, they find a symbol
> that is exported, and grovel around in memory near there until they find
> something that looks like it, and patch accordingly.

Why bother .. just find any symbol (function name) which is exported to
modules and also being frequently called somehow indirectly from userland
(VFS layer functions, vm functions, ...) and use this function as an
open-backdoor spell.

It is easy to patch existing rootkits this way.

--
JiKos.