Honeypots mailing list archives

Re: sebek as a patch?


From: Edward Balas <ebalas () iu edu>
Date: Thu, 06 Oct 2005 09:35:48 -0500


Valdis.Kletnieks () vt edu wrote:

| On Thu, 06 Oct 2005 13:18:15 +0800, "Daniel J. Axtens" said:
|
|> I am not a kernel/honeypot hacker, but, would it be possible, to,
|> at the kernel level, redirect /dev/{mem,kmem} to, for example, a
|> stored memory dump?
|
| Possible, but not very practical.  If *I* were a hacker, and
| suspected that I was in a honeypot, and had read access to
| /dev/*mem, one of the *first* things I'd do is walk the process
| chain in memory, and see if it bears any resemblance to the
| processes listed as running in /proc.  Unless I first looked at
| /proc/uptime and the corresponding kernel variables (look at
| uptime_read_proc() in fs/proc/proc_misc.c - it's all of 4 lines of
| executable code).  Hardest part is finding the right copy of
| System.map and finding where the init_task structure lives in
| memory.


Even if you could present an altered /dev/*mem, the intruder with root
access can load a kern module which would give them direct access to
kernel memory, bypassing all of your work.  Yeah you could disable the
install of kernel modules using the technique Thorsten mentioned, but
that provides a pretty large indicator itself.

Edward

