On Wednesday 15 December 2004 15:48, [EMAIL PROTECTED] wrote:
> Not by disabling the syscall but by replacing it in the manner that a
> rootkit replaces syscalls. Build a new kernel from the same
> source/config except for patch. Replace syscalls where there is change.
> Practical?
> Stable?
> No. Much easier to simply reboot to new kernel. If service(s) are so
> critical as to not tolerate a reboot yet have a single point of failure
> on this one component then there are greater problems at play.

I'd have to agree with Paul on this one, be it syscall or a binary patch for other code. It's in kernel mode; if the module/patch crashes the running image 'oops' I downed the box. I doubt any reasonable IT procedures would endure this type of fix on their production systems.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html