
System calls and rootkits


Posted Jul 22, 2010 0:25 UTC (Thu) by petermag (guest, #7550)
In reply to: System calls and rootkits by nix
Parent article: System calls and rootkits

If you have implemented any rootkits, you will know that the best way to do it IS NOT to hook at the syscall level (e.g., because "sys_read" can be used for so many purposes). Instead, it is much better to do it at a lower level (e.g., the VFS layer). But if you can hook the syscall table, then you can also unpatch the patch that Arjan has put in to protect the syscall table. And likewise, many other techniques, like making the ".text" region read-and-execute only, are really a joke, because you can easily undo them if you are a rootkit. E.g., ftrace has to make the region writeable momentarily and then switch it back to read-only; exactly the same sequence of steps can be executed by the rootkit kernel module as well. In general, "rootkit" means that the system is already 0wned (or compromised). Comments?


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds