Wang Jian wrote:
>THE ALTERNATIVE METHOD
>
>Our alternative method uses the first style: to find the differences
>between the fake view and the real view.
>
>We read the raw disk and traverse the filesystem on disk, bypass the
>live filesystem, and create a real view of files on disk; then traverse
>the live filesystem to get the fake view. Compare the two views, we can
>find the differences. We will find the stealth files.
>

Be sure that this will be fixed in the next 'generation' of LRKM's.
Patching the device methods for disk special nodes is not a big deal -
why not incorporate even your code into one of the nice LRKM's?

You probably found a weakness of 'current' LRKM's but in general it is
a bad idea to check your machine while running a compromised kernel.
/ih
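
An added example, not part of the original message or of Wang Jian's tool: the comparison step of the cross-view method quoted above, in Python. The listing format (inode and path per line), the sample data and the function names are assumptions made for illustration; the raw view is assumed to have been built outside the running kernel, in line with the caveat in the reply.

```python
"""Cross-view diff: raw-disk listing vs. live-filesystem listing (added example)."""
from pathlib import PurePosixPath

# Constructed sample data, one "<inode> <path>" entry per line.
# RAW_VIEW: listing built by parsing the on-disk filesystem structures.
# LIVE_VIEW: listing built through the running kernel's filesystem calls.
RAW_VIEW = """\
2 /
11 /etc
12 /etc/passwd
41 /usr/lib
90 /usr/lib/.cache
91 /usr/lib/.cache/mod.o
92 /usr/lib/.cache/run.sh
51 /bin/ls
"""
LIVE_VIEW = """\
2 /
11 /etc
12 /etc/passwd
41 /usr/lib
77 /bin/ls
60 /tmp/scratch
"""

def parse_view(text):
    """Return {normalized path: inode}; paths may contain spaces."""
    view = {}
    for line in text.splitlines():
        if line.strip():
            inode, path = line.split(None, 1)
            view[str(PurePosixPath(path))] = int(inode)
    return view

def cross_view_diff(raw, live):
    """Compare the two views and classify every disagreement."""
    missing = set(raw) - set(live)

    def is_top(path):
        # Report a hidden directory once, not every entry beneath it.
        parent = str(PurePosixPath(path).parent)
        return parent == path or parent not in missing

    return {
        "hidden": sorted(p for p in missing if is_top(p)),
        # Only in the live view: created after the raw scan, or a pseudo-fs.
        "live_only": sorted(set(live) - set(raw)),
        # Same name, different inode: the two views resolve it differently.
        "inode_mismatch": sorted(p for p in set(raw) & set(live) if raw[p] != live[p]),
    }

if __name__ == "__main__":
    print(cross_view_diff(parse_view(RAW_VIEW), parse_view(LIVE_VIEW)))
```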