Bugtraq mailing list archives
Re: Mantrap By Recourse Technologies - Fate Advisory (11-01-00)
From: "Svartholm Warg, Gottfrid" <wilson () F8LABS COM>
Date: Sat, 4 Nov 2000 09:48:30 -0800
The advisory wasn't about detecting LKMs :-), but it's still an interesting matter. As I explained in the advisory, the proc()-vs-kill hack compares the kernel's process table against /proc and prints any abnormalities. This CAN be used to detect LKMs, as long as they don't hook/spoof kill(), and as long as there are any hidden processes. I don't know if ADORE does this; Knark does not (at least in the version I've checked). Try hiding some processes via the module (I do not know how this is done via ADORE) and running it again.

What rkscan does is brute-force the modules' magic words/numbers used to check for activation, get root, etc., so of course it does not detect ManTrap...

//wilson
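The kill()-versus-/proc comparison described in the message above, as an added example written for this page (it is not the advisory's own tool, and the function names, the PID_LIMIT ceiling and the re-probe step are this example's assumptions). For every pid up to pid_max it asks the kernel with kill(pid, 0), where success or EPERM means the process exists and ESRCH means it does not, then reads the numeric entries of /proc and reports pids the kernel admits to but /proc omits. The scan works exactly under the conditions the message states: a module that hooks kill() can lie to the probe, and a module that hides nothing produces no difference.

```c
/* Added example: detect processes hidden from /proc by comparing the kernel's
 * own answer (kill(pid, 0)) with the directory listing of /proc.
 * Not the advisory's code; written for this page (Linux, C99). */
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define PID_LIMIT 4194304 /* assumption: upper bound for pid_max on 64-bit Linux */

/* Highest pid the kernel will hand out, read from /proc/sys/kernel/pid_max (fallback 32768). */
int read_pid_max(void)
{
    int v = 32768;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) {
        if (fscanf(f, "%d", &v) != 1)
            v = 32768;
        fclose(f);
    }
    if (v < 1 || v > PID_LIMIT)
        v = PID_LIMIT;
    return v;
}

/* Ask the kernel directly: signal 0 delivers nothing but still resolves the pid.
 * 0 => exists (ours), EPERM => exists (someone else's), ESRCH => no such process. */
int kernel_knows_pid(pid_t pid)
{
    if (kill(pid, 0) == 0)
        return 1;
    return errno == EPERM;
}

/* Mark every numeric directory name under /proc in seen[]; returns count, or -1 if /proc is missing. */
int proc_listed_pids(unsigned char *seen, int pid_max)
{
    DIR *d = opendir("/proc");
    if (!d)
        return -1;
    struct dirent *e;
    int n = 0;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (e->d_name[0] == '\0' || *end != '\0' || pid <= 0 || pid > pid_max)
            continue; /* ".", "..", "self", "cpuinfo", ... are not pids */
        seen[pid] = 1;
        n++;
    }
    closedir(d);
    return n;
}

/* Core comparison: pids the kernel admits to but /proc does not list.
 * Returns the total count; at most out_cap of them are written to out[]. */
int diff_kill_vs_proc(const unsigned char *kill_seen, const unsigned char *proc_seen,
                      int pid_max, pid_t *out, int out_cap)
{
    int n = 0;
    for (int pid = 1; pid <= pid_max; pid++) {
        if (kill_seen[pid] && !proc_seen[pid]) {
            if (n < out_cap)
                out[n] = (pid_t)pid;
            n++;
        }
    }
    return n;
}

/* Full scan. A process that exits between the kill() pass and the /proc pass shows
 * up as a false positive, so each candidate is re-probed before being reported. */
int scan_hidden(pid_t *out, int out_cap)
{
    int pid_max = read_pid_max();
    unsigned char *ks = calloc((size_t)pid_max + 1, 1);
    unsigned char *ps = calloc((size_t)pid_max + 1, 1);
    if (!ks || !ps) { free(ks); free(ps); return -1; }
    for (int pid = 1; pid <= pid_max; pid++)
        ks[pid] = (unsigned char)kernel_knows_pid((pid_t)pid);
    if (proc_listed_pids(ps, pid_max) < 0) { free(ks); free(ps); return -1; }
    int found = diff_kill_vs_proc(ks, ps, pid_max, out, out_cap);
    int kept = 0;
    for (int i = 0; i < found && i < out_cap; i++)
        if (kernel_knows_pid(out[i])) /* still there: not just a process that exited */
            out[kept++] = out[i];
    free(ks);
    free(ps);
    return kept;
}

int main(void)
{
    pid_t hidden[256];
    int n = scan_hidden(hidden, 256);
    if (n < 0) { perror("scan"); return 1; }
    for (int i = 0; i < n; i++)
        printf("pid %d answers kill() but is missing from /proc\n", (int)hidden[i]);
    printf("%d hidden process(es)\n", n);
    return 0;
}
```

Run it as root, since as an unprivileged user a /proc mounted with hidepid=2 hides other users' processes from the listing while kill() still returns EPERM for them, which would be reported as "hidden". Only the kill()-present/proc-absent direction is a finding; a /proc entry the kernel does not answer for is just a process that exited mid-scan.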
Current thread:
- Re: Mantrap By Recourse Technologies - Fate Advisory (11-01-00) Svartholm Warg, Gottfrid (Nov 06)