DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=beta; d=gmail.com;
        h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition;
        b=bYxZ14g3Gkay9/q+5gUvUasshlDeNGUlQT0iNzAUvhc6UXMNOnCji3kaf9VzPmurxaYQBIG0dxP/h73Gd4V+zZ3HKVdTDlluoxjZAKPDzWamgtgXfzdTvrUF1xRe4TsYK9njtspRX1/QzsuCnP4YIHvb+Lf7NoSMiwKcUtt6Ytw=
Message-ID: <17d798805041509022ba6df49@mail.gmail.com>
Date: Fri, 15 Apr 2005 12:02:10 -0400
From: Allison <fireflyblue@gmail.com>
Reply-To: Allison <fireflyblue@gmail.com>
To: linux-kernel@vger.kernel.org
Subject: Kernel Rootkits
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Content-Disposition: inline
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 963
Lines: 27

Hi,

I was curious about how kernel rootkits become a part of the kernel ?
One way I guess is by inserting a kernel module.  And rootkits also
manage to hide themselves from rootkit detectors.

few questions:
1. Are there any other ways by which rootkits become part of the kernel ?

2. If modules can access only exported symbols, how is it that kernel
rootkits manage to get hold of other information from the kernel ? For
ex, the process table.

I am not familiar with the /dev/kmem interface. Does this interface
let any kernel module read any symbol (even non-exported) from the
kernel ?

3. If I want to hide a function which is part of the kernel from
kernel modules, is this possible ideally ?

thanks,
Allison
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/