Content-Type: text/plain; charset=US-ASCII
From: Jesse Pollard <jesse@cats-chateau.net>
To: petter wahlman <petter@bluezone.no>, root@chaos.analogic.com
Subject: Re: The disappearing sys_call_table export.
Date: Wed, 7 May 2003 12:21:11 -0500
Cc: Linux kernel <linux-kernel@vger.kernel.org>
References: <1052321673.3727.737.camel@badeip> <Pine.LNX.4.53.0305071147510.12652@chaos> <1052323711.3739.750.camel@badeip>
In-Reply-To: <1052323711.3739.750.camel@badeip>
MIME-Version: 1.0
Message-Id: <03050712211100.06848@tabby>
Content-Transfer-Encoding: 7BIT
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1338
Lines: 32

On Wednesday 07 May 2003 11:08, petter wahlman wrote:
> On Wed, 2003-05-07 at 18:00, Richard B. Johnson wrote:
> > On Wed, 7 May 2003, petter wahlman wrote:
> > > It seems like nobody belives that there are any technically valid
> > > reasons for hooking system calls, but how should e.g anti virus
> > > on-access scanners intercept syscalls?
> > > Preloading libraries, ptracing init, patching g/libc, etc. are
> >
> >   ^^^^^^^^^^^^^^^^^^^
> >
> >                     |________  Is the way to go. That's how
> >
> > you communicate every system-call to a user-mode daemon that
> > does whatever you want it to do, including phoning the National
> > Security Administrator if that's the policy.
> >
> > > obviously not the way to go.
> >
> > Oviously wrong.
>
> And how would you force the virus to preload this library?

You don't have to... The preload is performed by the program image loader,
before the virus, or even the application, can be started.

You don't really want to do it anyway... Consider a file open (like tar)... 
you gonna try to scan the entire archive for a virus???? 
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/