Bugtraq mailing list archives

KSTAT (and maybe others) bypass


From: "Dark Angel" <dark0 () angelfire com>
Date: Thu, 05 Sep 2002 17:06:10 -0900

It is possible to hide processes from kstat by removing their structs from the kernel's task_struct list.
It is also possible to bypass kstat's checks on syscalls: if you modify a sub-function instead of the call (for example
do_execve instead of sys_execve) the effect is the same, but for kstat everything is okay:

Shoikan:~/Phantasmagoria# ./kstat -P | grep kstat
 686      403     0       0       kstat
Shoikan:~/Phantasmagoria# ./kstat -S             
Probing System Calls FingerPrints... No System Call Modified!
Shoikan:~/Phantasmagoria# insmod Phantasmagoria.o
Shoikan:~/Phantasmagoria# ./Heider 403(the current shell pid) HIDE
Hiding successfull
Shoikan:~/Phantasmagoria# ./kstat -P | grep kstat
Shoikan:~/Phantasmagoria# ./kstat -S
Probing System Calls FingerPrints... No System Call Modified!
Shoikan:~/Phantasmagoria# 

Attached is an English translation and proof-of-concept code for the original paper published on www.s0ftpj.org

Regards

-= Dark-Angel =-
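The post's hiding technique unlinks a task from the list that kstat (and a plain listing of /proc) walks. A defender's counter is a cross-view check: enumerate /proc, then ask the kernel about every PID through a different lookup path and flag live tasks that never show up in the listing. The script below is an added example, not part of the original post or of the Phantasmagoria code; it assumes a Linux host with procfs at /proc and that a hidden task is still resolvable by PID lookup (kill(2) with signal 0 and /proc/<pid>/status) even though it is missing from the directory listing.

```python
"""Cross-view check for processes hidden from the kernel's task list.

Added example (not from the original post or the Phantasmagoria code).
Assumes Linux, procfs mounted at /proc, and that a task unlinked from the
task list is still resolvable by PID lookup.
"""
import os
import time

PROC_ROOT = "/proc"   # assumed mount point
MAX_PID = 32768       # constructed scan bound; raise it to the system's pid_max

def listed_pids(proc_root=PROC_ROOT):
    """View 1: PIDs returned by enumerating the /proc directory."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}

def pid_alive(pid):
    """View 2: does PID lookup resolve to a live task? Signal 0 delivers nothing."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass   # the task exists but belongs to another user
    return True

def is_thread(pid, proc_root=PROC_ROOT):
    """Non-leader threads answer kill(tid, 0) but are never listed in /proc; skip them."""
    try:
        with open(f"{proc_root}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False

def find_hidden_pids(max_pid=MAX_PID, proc_root=PROC_ROOT, settle=0.2):
    """Return PIDs that resolve as live tasks yet never appear in the /proc listing."""
    before = listed_pids(proc_root)
    candidates = [pid for pid in range(1, max_pid + 1)
                  if pid not in before and pid_alive(pid) and not is_thread(pid, proc_root)]
    time.sleep(settle)   # give processes that started mid-scan time to appear in /proc
    after = listed_pids(proc_root)
    return sorted(pid for pid in candidates
                  if pid not in after and pid_alive(pid) and not is_thread(pid, proc_root))

if __name__ == "__main__":
    hidden = find_hidden_pids()
    print("hidden PIDs:", hidden or "none")
```

Run it as root: on a /proc mounted with hidepid, other users' processes are legitimately absent from the listing and would otherwise be reported. A non-empty result is a lead to investigate, not proof of a rootkit, since a check that relies on the kernel's own lookup can itself be subverted by a module that hooks deeper, exactly as the post shows for do_execve.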


Attachment: Phantasmagoria.tgz