Following the various rootkit and system call redirection developments, the current way of identifying the location of the system call table seems to be brute-force scanning the memory for the location of one of the system calls. This is only possible from a module if the symbol is exported: I see that only one system call symbol is still exported, that is sys_close. Removing this symbol export would hinder one of the ways of finding the system call table. I have not been able to find the reason for exporting this particular symbol (while sys_open, for example, is not exported). Can anyone justify why that is?

Thank you, Jean-Michel

-- 
JM Friedt, FEMTO-ST Time & Frequency/SENSeOR, 26 rue de l'Epitaphe, 25000 
Besancon, France
