why is the sys_close symbol exported?
Date: Fri Nov 18 2016 - 04:08:36 EST
Following the various rootkit and system call redirection developments, the current
way of identifying the location of the system call table seems to be brute force scanning
the memory for the location of one of the system calls. This is only possible from a module
if the symbol is exported: I see that only one system call symbol is still exported, that
is sys_close. Removing this symbol export would hinder one of the ways of finding the
system call table: I have not been able to find the reason for exporting this particular
symbol (while sys_open for example is not exported). Can anyone justify why that is?
Thank you, Jean-Michel
JM Friedt, FEMTO-ST Time & Frequency/SENSeOR, 26 rue de l'Epitaphe, 25000 Besancon, France
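The scanning technique the post refers to, as an added example that is not part of the original message or of any kernel code: a user-space model of a module that knows only the address of the exported sys_close and walks memory one pointer at a time looking for a word equal to it, taking the table base to be __NR_close slots earlier. The "kernel memory" region, the handler functions and the table are all constructed here so the program runs stand-alone; __NR_close is assumed to be 3 (its x86_64 value). The plausibility check in find_sys_call_table (every entry of the candidate table must point into the text range) is a refinement added here, not something the post describes.

```c
/* Added example, not code from the post or from the kernel: a user-space
 * model of the "scan memory for an exported syscall handler" technique.
 * The memory region, the handlers and the syscall table are constructed;
 * __NR_close is assumed to be 3 (its x86_64 value). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_CLOSE      3     /* assumed __NR_close (x86_64) */
#define TABLE_ENTRIES 8     /* size of the constructed table */
#define REGION_WORDS  1024  /* size of the constructed memory region */
#define STRAY_INDEX   100   /* a lone copy of sys_close's address */
#define TABLE_INDEX   517   /* where the constructed table really starts */

/* Stand-ins for kernel handlers. Distinct bodies keep their addresses distinct. */
static long fake_sys_read(void)  { return 1; }
static long fake_sys_write(void) { return 2; }
static long fake_sys_open(void)  { return 3; }
static long fake_sys_close(void) { return 4; }
static long fake_sys_ni(void)    { return 5; }   /* for unimplemented slots */

static uintptr_t region[REGION_WORDS];

/* Bounds of the constructed "kernel text": the handlers' address range. */
static void text_bounds(uintptr_t *lo, uintptr_t *hi)
{
    const uintptr_t addrs[] = {
        (uintptr_t)fake_sys_read, (uintptr_t)fake_sys_write,
        (uintptr_t)fake_sys_open, (uintptr_t)fake_sys_close,
        (uintptr_t)fake_sys_ni,
    };
    size_t i;
    *lo = *hi = addrs[0];
    for (i = 1; i < sizeof addrs / sizeof addrs[0]; i++) {
        if (addrs[i] < *lo) *lo = addrs[i];
        if (addrs[i] > *hi) *hi = addrs[i];
    }
    *hi += 1;                       /* make the range half-open */
}

/* Build the region: zero-filled "data", one stray pointer to sys_close
 * (as some unrelated structure might hold), and the real table later on. */
static uintptr_t *build_region(void)
{
    size_t i;
    memset(region, 0, sizeof region);
    region[STRAY_INDEX] = (uintptr_t)fake_sys_close;
    for (i = 0; i < TABLE_ENTRIES; i++)
        region[TABLE_INDEX + i] = (uintptr_t)fake_sys_ni;
    region[TABLE_INDEX + 0] = (uintptr_t)fake_sys_read;
    region[TABLE_INDEX + 1] = (uintptr_t)fake_sys_write;
    region[TABLE_INDEX + 2] = (uintptr_t)fake_sys_open;
    region[TABLE_INDEX + NR_CLOSE] = (uintptr_t)fake_sys_close;
    return region;
}

/* Naive scan: the first word equal to sys_close, minus __NR_close slots. */
static uintptr_t *find_first_match(uintptr_t *start, uintptr_t *end,
                                   uintptr_t sys_close_addr)
{
    uintptr_t *p;
    for (p = start + NR_CLOSE; p < end; p++)
        if (*p == sys_close_addr)
            return p - NR_CLOSE;
    return NULL;
}

/* Same scan with a plausibility check: every entry of the candidate table
 * must point into the text range, which rejects the stray match. */
static uintptr_t *find_sys_call_table(uintptr_t *start, uintptr_t *end,
                                      uintptr_t sys_close_addr)
{
    uintptr_t lo, hi, *p;
    text_bounds(&lo, &hi);
    for (p = start + NR_CLOSE; p + (TABLE_ENTRIES - NR_CLOSE) <= end; p++) {
        uintptr_t *tbl = p - NR_CLOSE;
        size_t i;
        if (*p != sys_close_addr)
            continue;
        for (i = 0; i < TABLE_ENTRIES; i++)
            if (tbl[i] < lo || tbl[i] >= hi)
                break;
        if (i == TABLE_ENTRIES)
            return tbl;
    }
    return NULL;
}

int main(void)
{
    uintptr_t *base = build_region(), *end = base + REGION_WORDS;
    uintptr_t close_addr = (uintptr_t)fake_sys_close;
    uintptr_t *naive = find_first_match(base, end, close_addr);
    uintptr_t *checked = find_sys_call_table(base, end, close_addr);

    printf("naive scan:   table at word %ld (expected %d)\n",
           naive ? (long)(naive - base) : -1L, TABLE_INDEX);
    printf("checked scan: table at word %ld (expected %d)\n",
           checked ? (long)(checked - base) : -1L, TABLE_INDEX);
    return checked == base + TABLE_INDEX ? 0 : 1;
}
```

In a real module the walk starts from some known kernel address and steps by sizeof(void *) over kernel memory instead of over a local array; the rest of the logic is the same. The naive scan stops at the stray copy and reports the wrong base, which is why a lone match on the one exported symbol is not enough: with no second exported handler to cross-check, the only remaining test is whether the neighbouring slots look like kernel text pointers at all.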