Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S261664AbUCKStK (ORCPT ); Thu, 11 Mar 2004 13:49:10 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S261672AbUCKStK (ORCPT ); Thu, 11 Mar 2004 13:49:10 -0500 Received: from delerium.kernelslacker.org ([81.187.208.145]:51152 "EHLO delerium.codemonkey.org.uk") by vger.kernel.org with ESMTP id S261664AbUCKStF (ORCPT ); Thu, 11 Mar 2004 13:49:05 -0500 Date: Thu, 11 Mar 2004 18:48:35 +0000 From: Dave Jones To: pg smith Cc: linux-kernel@vger.kernel.org Subject: Re: LKM rootkits in 2.6.x Message-ID: <20040311184835.GA21330@redhat.com> Mail-Followup-To: Dave Jones , pg smith , linux-kernel@vger.kernel.org References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.1i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 892 Lines: 18 On Thu, Mar 11, 2004 at 11:26:23AM -0800, pg smith wrote: > Any thoughts on the future of LKM rootkits in the 2.6 kernel branch ? In > the last few years I've become quite interested in them (from a defensive > point of view), but with the 2.6 kernel no longer exporting the syscall > table, intercepting system calls would appear to be a non-starter now. Don't bet on it. They'll just start doing what binary-only driver vendors have been doing for months.. If the table isn't exported, they find a symbol that is exported, and grovel around in memory near there until they find something that looks like it, and patch accordingly. Dave - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/