Security Basics mailing list archives

Problem with rootkit


From: Robert Larsen <robert () the-playground dk>
Date: Thu, 19 Oct 2006 07:17:42 +0200

Hi

I'm not sure this is the correct list but here goes.

I'm playing around with Sebek and trying to understand rootkit technology by creating my own rootkit, but I am having problems finding the system call table. I "borrowed" the function get_sct(void) from Sebek:

u32** get_sct(void){
 unsigned long ptr;
 extern int loops_per_jiffy;
 for (ptr = (unsigned long)&loops_per_jiffy;
      ptr < (unsigned long)&boot_cpu_data; ptr += sizeof(void *)){
   unsigned long *p;
   p = (unsigned long *)ptr;
   //---- orig ver that looked for sys_exit didnt work on stock
   //---- kerns.
   if (p[__NR_close] == (u32) sys_close){
      return  (u32 **)p;
   }
 }
 return 0;
}

...and placed it in a module I wrote myself but it didn't work (the module that is).
I then changed the get_sct function to search the entire space and report all addresses that could be the SCT:

void print_sct(void) {
   unsigned long ptr;
   extern int loops_per_jiffy;
   for (ptr = (unsigned long)&loops_per_jiffy;
        ptr < (unsigned long)&boot_cpu_data; ptr += sizeof(void *)) {
       unsigned long *p;
       p = (unsigned long *)ptr;
       //---- orig ver that looked for sys_exit didnt work on stock
       //---- kerns.
       if (p[__NR_close] == (u32) sys_close) {
           printk(KERN_INFO "Possible call table: %p\n", (u32 **)p);
       }
   }
}

That gave me:
Possible call table: c03287bc
Possible call table: c03474f4

Two possibilities, so I am probably using the wrong address. I then expanded the get_sct with an extra check:

       if (p[__NR_close] == (u32) sys_close &&
           p[__NR_open] == (u32) sys_open) {
           return  (u32 **)p;
       }

But then I cannot insert the module:

robert-debian:~/code/kernel_module $ sudo insmod mymodule.ko
insmod: error inserting 'mymodule.ko': -1 Unknown symbol in module

dmesg says:
mymodule: Unknown symbol sys_open

But sys_open is in /proc/kallsyms:
robert-debian:~/code/kernel_module $ grep sys_open /proc/kallsyms
c0166470 T do_sys_open
c0166570 T sys_open

Does anybody know what I am doing wrong?

I am using Ubuntu Dapper with kernel 2.6.15-26-686.

Sincerely,
Robert
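An added example (not part of the post above, nor Sebek's code) illustrating the difference the insmod error turns on: a name in /proc/kallsyms only proves the symbol exists in the kernel image, whereas a module can bind only to symbols the kernel marks EXPORT_SYMBOL. On kernels built with CONFIG_KALLSYMS_ALL (an assumption here) each exported symbol also has a companion "__ksymtab_<name>" entry, so the two can be told apart from the listing alone. The kallsyms lines below are constructed, with the two addresses taken from the post.

```python
"""Classify the symbols a module needs as exported, unexported or missing.

Reads /proc/kallsyms-style text ("address type name") and checks each
wanted name for a matching '__ksymtab_<name>' entry. A symbol that is
present but has no ksymtab entry is exactly the case that makes insmod
fail with "Unknown symbol", even though grep finds it in kallsyms.
"""
import re

# Constructed sample; only the two sys_open lines come from the post.
SAMPLE_KALLSYMS = """\
c0166470 T do_sys_open
c0166570 T sys_open
c0166800 T sys_close
c0111000 T printk
c0300100 r __ksymtab_sys_close
c0300110 r __ksymtab_printk
"""

LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)")


def parse_kallsyms(text):
    """Return {name: (address, type)} for every parsable line."""
    syms = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, typ, name = m.groups()
            syms[name] = (int(addr, 16), typ)
    return syms


def classify_symbols(wanted, syms):
    """Map each wanted symbol to 'exported', 'unexported' or 'missing'."""
    result = {}
    for name in wanted:
        if name not in syms:
            result[name] = "missing"
        elif "__ksymtab_" + name in syms:
            result[name] = "exported"      # a module may link against it
        else:
            result[name] = "unexported"    # insmod: Unknown symbol <name>
    return result


if __name__ == "__main__":
    table = parse_kallsyms(SAMPLE_KALLSYMS)
    for name, state in classify_symbols(["sys_close", "sys_open"], table).items():
        print(f"{name:10s} {state}")
```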
