On Fri, 11 Jan 2002, Noah L. Meyerhans wrote:
> On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote:
> > i doubt that a kernel module can override the linux kernel filesystem
> > abstraction layer. but i guess it could be possible.
>
> Oh, it certainly can! knark is a perfect example of a kernel module to
> do just this. (knark is Swedish for "drugged".) It allows files,
> processes, network connections, and network interface promiscuity to be
> *completely* hidden. It allows the cracker to override what actual
> binary file gets run when a user tries to run some other (possibly
> hidden) executable.

Here kstat might be of interest, it's getting its information directly from the kernel structures (reading /dev/kmem, and using a dummy module).

[RicV]
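Added example, not part of the original thread and not kstat's code: a userland cross-view check for the process hiding described above, comparing the PIDs that a /proc directory listing returns with the PIDs that answer a direct /proc/<pid> lookup. It assumes the hiding module filters directory listings but leaves direct lookups working; the function names are hypothetical. Unlike kstat it goes through the normal system call interface, so a module that also intercepts lookups would not be caught.

```python
import os

def listed_pids(proc="/proc"):
    """View 1: PIDs returned by enumerating the directory."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}

def tgid_of(pid, proc="/proc"):
    """Thread-group id from /proc/<pid>/status, or None if the path is absent."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError):
        pass
    return None

def hidden_pids(list_fn, is_leader, max_pid):
    """PIDs that answer a direct lookup but are missing from the listing.

    is_leader(pid) must be true only for thread-group leaders: plain threads
    are reachable as /proc/<tid> yet never listed, and would be false hits.
    The second listing and re-probe drop processes that started or exited
    while the scan was running.
    """
    before = list_fn()
    suspects = [p for p in range(1, max_pid + 1)
                if p not in before and is_leader(p)]
    after = list_fn()
    return [p for p in suspects if p not in after and is_leader(p)]

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as fh:
        limit = int(fh.read())
    found = hidden_pids(listed_pids, lambda p: tgid_of(p) == p, limit)
    print("PIDs reachable but not listed:", found or "none")
```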