On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote:
> i doubt that a kernel module can override the linux kernel filesystem
> abstraction layer. but i guess it could be possible.
Oh, it certainly can! knark is a perfect example of a kernel module to do just this. (knark is Swedish for "drugged".) It allows files, processes, network connections, and network interface promiscuity to be *completely* hidden. It allows the cracker to override what actual binary file gets run when a user tries to run some other (possibly hidden) executable. It works amazingly well, and it is scary. It's been around for quite a while now (couple of years, I guess), but hasn't shown up in rootkits much yet.

noah
-- 
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
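A defender's check for the process hiding described above, added here as an illustration and not part of the thread: it compares the PIDs that a listing of /proc shows (what ps and top see) against the PIDs the kernel acknowledges when probed with kill(pid, 0), and reports the difference. Function names and the constructed sample sets are mine.

```python
import os
from typing import Set


def pid_max(path: str = "/proc/sys/kernel/pid_max") -> int:
    """Upper bound for the PID scan; falls back to the classic default."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 32768


def probe_pids(start: int = 1, stop: int = 32768) -> Set[int]:
    """PIDs the kernel reports as existing via kill(pid, 0).
    ESRCH means no such process; EPERM means it exists but belongs to
    another user, so it still counts as alive."""
    alive = set()
    for pid in range(start, stop):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def visible_pids(proc_root: str = "/proc") -> Set[int]:
    """PIDs that appear in a directory listing of /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def find_hidden(visible: Set[int], probed: Set[int]) -> Set[int]:
    """Processes that answer kill(pid, 0) but are absent from /proc."""
    return probed - visible


def scan() -> Set[int]:
    """Full scan; candidates are re-probed afterwards so that a process
    which simply exited between the two snapshots is not reported."""
    probed = probe_pids(1, pid_max())
    visible = visible_pids()
    candidates = find_hidden(visible, probed)
    return {pid for pid in candidates if pid in probe_pids(pid, pid + 1)}


if __name__ == "__main__":
    for pid in sorted(scan()):
        print(f"hidden process candidate: pid {pid}")
```

A module that also hooks the kill() system call would defeat this comparison, so an empty result is weak evidence; a non-empty one is worth investigating.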