Hello,
> > 1) scan the sysent table and check syscall pointers (generally,
> > rootkits intercept syscalls)
>
> This can get really "hairy". To scan the syscall table, even if you
> are 'root' and directly access /dev/mem you will have to use some
> system calls to open(), read() and seek() into the /dev/mem device.
> But those syscalls might be the intercepted ones: ouch!
I don't think so; you can easily make a KLD which simply scans the table and
checks the pointers.
This is not really good but it'll work.
> Instead of worrying after the module has been loaded it's much safer
> to run the kernel in securelevel>=1 when modules cannot be loaded
> without a reboot to single-user mode.
You might see this: http://www.s0ftpj.org/tools/securelvl.tgz (I haven't
tested it yet).
> -giorgos
>
--
Sansonetti Laurent - http://lrz.linuxbe.org
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
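The KLD-based check Laurent describes, as an added userland model (not code from the thread or from FreeBSD): a snapshot of the sysent table is taken at load time, the live table is later compared against it, and each handler is also checked against an assumed kernel text range. The struct layout, the handler stubs, the hook and the text bounds are all constructed for illustration.

```c
/* Userland model of a sysent integrity check in the style a FreeBSD KLD
 * would perform: snapshot the table at MOD_LOAD, rescan later. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (sy_call_t)(void *);

/* Only the two members needed here are modelled (assumption: the real
 * struct sysent carries more fields). */
struct sysent {
    int        sy_narg;
    sy_call_t *sy_call;
};

#define NSYSCALL 4

/* Constructed stand-ins for syscall handlers and for a hook. */
static int sys_nosys(void *a) { (void)a; return 78; }
static int sys_open(void *a)  { (void)a; return 0; }
static int sys_read(void *a)  { (void)a; return 0; }
static int sys_lseek(void *a) { (void)a; return 0; }
int hooked_open(void *a)      { (void)a; return 0; }

struct sysent sysent[NSYSCALL] = {
    { 0, sys_nosys }, { 3, sys_open }, { 3, sys_read }, { 3, sys_lseek },
};

static struct sysent baseline[NSYSCALL];

/* Record a trusted copy of the table (done once, at module load). */
void sysent_snapshot(void) { memcpy(baseline, sysent, sizeof(baseline)); }

/* Rescan: flag entries whose handler differs from the snapshot or lies
 * outside [text_start, text_end), the assumed kernel text range. Returns
 * the number of suspicious entries and writes their indices to `out`. */
size_t sysent_verify(uintptr_t text_start, uintptr_t text_end, int *out)
{
    size_t n = 0;
    for (int i = 0; i < NSYSCALL; i++) {
        uintptr_t p = (uintptr_t)sysent[i].sy_call;
        int changed = sysent[i].sy_call != baseline[i].sy_call;
        int outside = p < text_start || p >= text_end;
        if (changed || outside) {
            printf("syscall %d: %s%s\n", i, changed ? "modified " : "",
                   outside ? "outside text" : "");
            out[n++] = i;
        }
    }
    return n;
}
```

In a real module the text bounds would come from the kernel's own linker symbols rather than being computed from the table.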