Re: How real root kits run. (was: Re: Root Kit Protection)
> If I were going to write a root-kit, I'd spend half an hour writing a
> kernel module that would give up the real file on an open() or fopen(),
> and run _my_ special program on execution.
See my other posting on how to deal with this. I wrote an ext2chksum program
that does not use the kernel's VFS. It opens the device directly. But this
will only raise the bar. A potential cracker could tamper with ext2chksum. Or
he could just check if we exec("ext2chksum") and start a nice little fake
program that behaves like ext2chksum but never rings the alarm bell.
> It would, of course, hide my files in space that I claim is free, and
> name itself to the kernel as something innocent-looking, like 'mtrr' or
You do not need to name it as something innocent. Just delete it from the kernel's
module list (this is trivial) and it will be invisible.
> - chad
GPG Fingerprint = EA71 B296 4597 4D8B 343E 821E 9624 83E1 5662 C734
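A reader for the on-disk ext2 directory structure in the spirit of the ext2chksum approach above (an added example, not the poster's tool): it parses the superblock, group descriptor table and root inode from the raw device bytes, never going through the kernel VFS, and reports names that the kernel's own listing omits. Assumptions: revision 0/1 ext2 layout, directories small enough to live in the 12 direct blocks, and the names Ext2Image and hidden_from_vfs are mine.

```python
import struct

EXT2_SUPER_MAGIC = 0xEF53


class Ext2Image:
    """Walks an ext2 filesystem from its raw bytes (a block device or image)
    without asking the kernel VFS, so a module hooking open()/readdir() has
    nothing to lie to.  Assumption: only the 12 direct blocks are followed."""

    def __init__(self, data):
        self.data = data
        sb = data[1024:2048]                              # superblock sits at 1 KiB
        if struct.unpack_from("<H", sb, 56)[0] != EXT2_SUPER_MAGIC:
            raise ValueError("not an ext2 superblock")
        self.block_size = 1024 << struct.unpack_from("<I", sb, 24)[0]
        self.inodes_per_group = struct.unpack_from("<I", sb, 40)[0]
        rev = struct.unpack_from("<I", sb, 76)[0]         # rev 1+ carries s_inode_size
        self.inode_size = struct.unpack_from("<H", sb, 88)[0] if rev else 128
        self.gdt_block = 2 if self.block_size == 1024 else 1  # block after the superblock

    def block(self, n):
        return self.data[n * self.block_size:(n + 1) * self.block_size]

    def inode(self, ino):
        # locate the inode table of the block group that owns this inode number
        group, index = divmod(ino - 1, self.inodes_per_group)
        gdt = self.block(self.gdt_block)
        table = struct.unpack_from("<I", gdt, group * 32 + 8)[0]   # bg_inode_table
        raw = self.data[table * self.block_size + index * self.inode_size:][:self.inode_size]
        mode, size = struct.unpack_from("<HxxI", raw, 0)          # i_mode, i_size
        return mode, size, struct.unpack_from("<12I", raw, 40)    # direct i_block[]

    def list_dir(self, ino=2):
        # entry names read straight from the directory's data blocks (root = inode 2)
        mode, size, blocks = self.inode(ino)
        if mode & 0xF000 != 0x4000:
            raise ValueError("inode %d is not a directory" % ino)
        names = []
        for b in blocks[:-(-size // self.block_size)]:     # ceil(size / block_size)
            blk, pos = self.block(b), 0
            while pos + 8 <= len(blk):
                child, rec_len, name_len = struct.unpack_from("<IHB", blk, pos)
                if rec_len < 8:                           # corrupt or unused tail
                    break
                if child:                                 # inode 0 marks a deleted entry
                    names.append(blk[pos + 8:pos + 8 + name_len].decode("latin-1"))
                pos += rec_len
        return names


def hidden_from_vfs(raw_names, vfs_names):
    # names present on disk but missing from the kernel's listing (e.g. os.listdir)
    return sorted(set(raw_names) - {".", ".."} - set(vfs_names))
```

On a live system hand Ext2Image an mmap of the block device and pass os.listdir() of the mount point as vfs_names; as the post notes, a rootkit that also intercepts the checker itself is beyond what this detects.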