Bugtraq mailing list archives

Re: Mantrap By Recourse Technologies - Fate Advisory (11-01-00)


From: "Svartholm Warg, Gottfrid" <wilson () F8LABS COM>
Date: Sat, 4 Nov 2000 09:48:30 -0800

The advisory wasn't about detecting LKMs :-), but it's still an
interesting matter.
As I explained in the advisory, the proc()-vs-kill hack compares the
kernel's process table against /proc, and prints any abnormalities.
This CAN be used to detect LKMs, as long as they don't hook/spoof kill(),
and as long as there are any hidden processes. I don't know if ADORE does
this, Knark does not (at least in the version I've checked). Try hiding
some processes via the module (I do not know how this is done via
ADORE) and running it again.
What rkscan does is that it bruteforces the modules' magic words/numbers
used to check for activation, get root etc, so of course it does not
detect ManTrap...

//wilson
