2004-11-28 22:57:44

by A M

Subject: Accessing a process structure in the processes link list

Would it be possible for a program running as root
that wasn't compiled with the kernel to access a
process structure in the processes link list?

I've read an article about hiding processes, and the
article made it sound so easy to access the link list and
hide a process; how easy is it?

Is it possible for a process to access its own entry in
the processes link list?


Thanks,

Ali








2004-11-28 23:13:45

by Douglas McNaught

Subject: Re: Accessing a process structure in the processes link list

A M <[email protected]> writes:

> Would it be possible for a program running as root
> that wasn't compiled with the kernel to access a
> process structure in the processes link list?

Yes, but see below.

> I've read an article about hiding processes, and the
> article made it sound so easy to access the link list and
> hide a process; how easy is it?

You need read access to /dev/kmem and a fairly intimate knowledge of
the kernel data structures in question.

> Is it possible for a process to access its own entry in
> the processes link list?

Not without read access to the kmem device...

-Doug

2004-11-28 23:38:13

by A M

Subject: Re: Accessing a process structure in the processes link list

How would you know the offset (the location of index 0 if
it were an array, or the head of the link list) of that
variable in memory? In this case it is the process
table named task, of type pointer to task_struct.

Any recommendation for references will be appreciated.


Thanks,

Ali

--- Doug McNaught <[email protected]> wrote:

> A M <[email protected]> writes:
>
> > Would it be possible for a program running as root
> > that wasn't compiled with the kernel to access a
> > process structure in the processes link list?
>
> Yes, but see below.
>
> > I've read an article about hiding processes, and the
> > article made it sound so easy to access the link list and
> > hide a process; how easy is it?
>
> You need read access to /dev/kmem and a fairly intimate
> knowledge of the kernel data structures in question.
>
> > Is it possible for a process to access its own entry in
> > the processes link list?
>
> Not without read access to the kmem device...
>
> -Doug
>






2004-11-28 23:58:23

by Jim Nelson

Subject: Re: Accessing a process structure in the processes link list

A M wrote:
> How would you know the offset (the location of index 0 if
> it were an array, or the head of the link list) of that
> variable in memory? In this case it is the process
> table named task, of type pointer to task_struct.
>
> Any recommendation for references will be appreciated.
>
>
> Thanks,
>
> Ali
>

http://www.securityfocus.com/infocus/1811

is about identifying hooked syscalls, but the principles involved in locating the
system call table could be applied to finding the process table.

P. S. You can locate the process in memory with read access to /proc/kmem or
/proc/mem (that's a lot tougher, though), but to modify it requires write access.


> --- Doug McNaught <[email protected]> wrote:
>
>
>>A M <[email protected]> writes:
>>
>>
>>>Would it be possible for a program running as root
>>>that wasn't compiled with the kernel to access a
>>>process structure in the processes link list?
>>
>>Yes, but see below.
>>
>>
>>>I've read an article about hiding processes, and the
>>>article made it sound so easy to access the link list and
>>>hide a process; how easy is it?
>>
>>You need read access to /dev/kmem and a fairly intimate
>>knowledge of the kernel data structures in question.
>>
>>>Is it possible for a process to access its own entry in
>>>the processes link list?
>>
>>Not without read access to the kmem device...
>>
>>-Doug
>>
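The procedure Doug and Jim sketch (take the address of a kernel symbol from System.map, read kernel memory through /dev/kmem, and follow the task list from init_task) as an added worked example; this is not code from any of the posters. It assumes a 2.6-era Linux where /dev/kmem exists and the kernel virtual address is the file offset, the System.map line format "address type symbol", and three placeholder field offsets inside struct task_struct (tasks_off, pid_off, comm_off) that are hypothetical and must be replaced by the values from the exact kernel build. The offline demo uses a constructed memory image in place of /dev/kmem and also shows why the list is attractive to process hiders: one unlink (prev->next = next; next->prev = prev) makes a task invisible to anyone walking it.

```c
/* Added example: walk the Linux task list through /dev/kmem.
 * Field offsets below are ASSUMED placeholders, not real kernel values. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

struct task_layout {      /* offsets into struct task_struct (build-specific) */
    size_t tasks_off;     /* struct list_head tasks = {next, prev} */
    size_t pid_off;       /* pid_t pid */
    size_t comm_off;      /* char comm[16] */
};

/* Memory reader: returns 0 on success. Real use = /dev/kmem; demo = fake image. */
typedef int (*kread_fn)(void *ctx, unsigned long addr, void *buf, size_t len);

/* Scan System.map text ("c0312e80 D init_task" per line); 0 if sym is absent. */
unsigned long find_symbol_in_text(const char *text, const char *sym) {
    char type, name[128];
    unsigned long addr;
    while (text && *text) {
        if (sscanf(text, "%lx %c %127s", &addr, &type, name) == 3 &&
            strcmp(name, sym) == 0)
            return addr;
        text = strchr(text, '\n');
        if (text) text++;
    }
    return 0;
}

unsigned long find_symbol(const char *map_path, const char *sym) {
    char line[256];
    unsigned long a = 0;
    FILE *f = fopen(map_path, "r");
    if (!f) return 0;
    while (!a && fgets(line, sizeof line, f)) a = find_symbol_in_text(line, sym);
    fclose(f);
    return a;
}

/* Reader over /dev/kmem: the kernel virtual address is the file offset. */
int kmem_read(void *ctx, unsigned long addr, void *buf, size_t len) {
    return pread(*(int *)ctx, buf, len, (off_t)addr) == (ssize_t)len ? 0 : -1;
}

/* Follow init_task.tasks.next around the circular list.  Returns the number
 * of tasks seen, -1 on a read error, -2 if max_tasks is exceeded (a corrupt
 * or deliberately looped list).  cb may be NULL. */
int walk_tasks(kread_fn rd, void *ctx, unsigned long init_task,
               const struct task_layout *lay, int max_tasks,
               void (*cb)(unsigned long task, int pid, const char *comm)) {
    unsigned long head = init_task + lay->tasks_off, node = head;
    int count = 0;
    do {
        unsigned long task = node - lay->tasks_off;      /* container_of() */
        int pid; char comm[16];
        if (rd(ctx, task + lay->pid_off, &pid, sizeof pid) ||
            rd(ctx, task + lay->comm_off, comm, sizeof comm)) return -1;
        comm[15] = '\0';
        if (cb) cb(task, pid, comm);
        if (++count > max_tasks) return -2;
        if (rd(ctx, node, &node, sizeof node)) return -1; /* .next is word 0 */
    } while (node != head);
    return count;
}

static void print_task(unsigned long task, int pid, const char *comm) {
    printf("%#lx pid=%d comm=%s\n", task, pid, comm);
}

/* ---- offline demo: constructed memory image standing in for /dev/kmem ---- */
struct fake_mem { unsigned char *base; unsigned long lo; size_t len; };
static int fake_read(void *ctx, unsigned long addr, void *buf, size_t len) {
    struct fake_mem *m = ctx;
    if (addr < m->lo || addr + len > m->lo + m->len) return -1;
    memcpy(buf, m->base + (addr - m->lo), len);
    return 0;
}

/* Three fake tasks (swapper, init, sshd) linked in a circle.  hide_pid > 0
 * first unlinks that task the way a list-based process hider does. */
int demo_walk(int hide_pid) {
    enum { TS = 64, N = 3 };
    const unsigned long BASE = 0xc0300000UL, W = sizeof(unsigned long);
    struct task_layout lay = { 8, 24, 32 };             /* placeholder offsets */
    static const char *names[N] = { "swapper", "init", "sshd" };
    unsigned char img[TS * N] = {0};
#define LH(i) (BASE + ((i) % N) * TS + lay.tasks_off)   /* address of .tasks */
    for (int i = 0; i < N; i++) {
        unsigned long next = LH(i + 1), prev = LH(i + N - 1);
        memcpy(img + (LH(i) - BASE), &next, W);
        memcpy(img + (LH(i) - BASE) + W, &prev, W);
        memcpy(img + i * TS + lay.pid_off, &i, sizeof i);
        strncpy((char *)img + i * TS + lay.comm_off, names[i], 16);
    }
    if (hide_pid > 0 && hide_pid < N) {
        unsigned long next = LH(hide_pid + 1), prev = LH(hide_pid + N - 1);
        memcpy(img + (prev - BASE), &next, W);          /* prev->next = next */
        memcpy(img + (next - BASE) + W, &prev, W);      /* next->prev = prev */
    }
#undef LH
    struct fake_mem m = { img, BASE, sizeof img };
    return walk_tasks(fake_read, &m, BASE, &lay, 1000, NULL);
}

int main(int argc, char **argv) {  /* usage: ./walk /boot/System.map-<release> */
    if (argc < 2) {
        printf("demo: %d tasks, %d after hiding pid 2\n", demo_walk(0), demo_walk(2));
        return 0;
    }
    unsigned long init_task = find_symbol(argv[1], "init_task");
    int fd = open("/dev/kmem", O_RDONLY);
    if (!init_task || fd < 0) { perror("init_task/dev-kmem"); return 1; }
    struct task_layout lay = { 8, 24, 32 };             /* placeholder offsets */
    int n = walk_tasks(kmem_read, &fd, init_task, &lay, 100000, print_task);
    printf("walked %d tasks\n", n);
    return n < 0;
}
```

Run with no arguments for the offline demo; with a System.map path it needs root and a kernel that still exposes /dev/kmem, and it will only produce sensible output once the three offsets match that kernel's struct task_struct. The max_tasks guard matters in practice: a hider that corrupts the list can otherwise send a naive walker into an endless loop.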