From: Martin Markovitz [stealth@DIONE.IDS.PL]
Sent: Wednesday, September 08, 1999 1:47 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: re, anti btrom

hi,

Sorry for somewhat late reply...

> Why is it not convenient to use the sys_call_table?
> Using the sys_call_table to hook a system call is the 'right way', but it is
> not for a stealth module, because programs like "btrom" can detect that, and
> having the 'System.map' (file that every paranoid administrator must have),

The problems are:

1.) If you assume you have a break-in, you can't depend on System.map or
    something else. Attackers may even install a new kernel, not only modules.

2.) New and unknown techniques may exist that you don't know of, and scanners
    like btrom die on that. Thus you may think that all is OK, but it isn't. :(

3.) => Securelevels such as BSD's make the kernel more trustworthy even if you
    think that someone broke in.

What I have seen in most hacker/backdoor modules is that they do something like

    mp->name = "";
    mp->size = 0;

but do not really remove the module from the list. So you could write something
like radar.c (once written to bypass EoE), which could maybe help you:

    /*** Used to detect stealth modules. ;-) ***/
    #define __KERNEL__
    #define MODULE
    #include <linux/module.h>   /* struct module, __this_module, GET_USE_COUNT */
    #include <linux/kernel.h>   /* printk */
    #include <linux/string.h>   /* strstr */

    int init_module()
    {
        int i = 0;
        struct module *m = &__this_module;

        /* Walk the kernel's module list starting from this module. */
        while (m) {
            printk("Found %s\n", m->name);
    #ifdef KILL_EOE
            /* Decrement EoE's use count so it can be unloaded. */
            if (strstr(m->name, "eoe")) {
                for (i = 0; i < GET_USE_COUNT(m); i++)
                    __MOD_DEC_USE_COUNT(m);
            }
    #endif
            m = m->next;
        }
        return 0;
    }

    int cleanup_module()
    {
        return 0;
    }

OK, you maybe see output like 'Found: ' which shows you 'Aha! there is
something that hides itself', because name="". Be happy as long as you can see
the not-so-stealth modules. So.

But this is only a special solution, as _all_ scanners would be special
solutions, which would all die on techniques like

 o not hooking syscalls, but stealing ...->files->fd[i]->f_op or replacing it.
 o unregistering/registering drivers on the fly ;-)
 o deleting modules from the list, either as described in stealth.c or with
   other techniques
 o etc.

Oh ... when does securelevels appear in Linux ... :-)

Stealth

: ---- main(){fork();main();} ----
: Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
: Stealth <-> http://www.kalug.lug.net/stealth
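Added example, not code from the post above: a user-space model of the list walk radar.c does, run over a constructed module list, with two defender-side checks. It flags blanked entries (name "" / size 0, as the post describes) and, going a step further than radar.c, entries that are in the kernel list but missing from what user space was told (a constructed /proc/modules-style view). The struct, the sample modules and the assumption that the kernel's own empty-named entry sits last in the list are all constructed here.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for the 2.2-era 'struct module' fields the post relies on (constructed). */
struct module {
    const char *name;
    unsigned long size;
    struct module *next;
};

/* Check 1 (from the post): a module that blanked its name or size is hiding. */
int is_blanked(const struct module *m) {
    return m->name == NULL || m->name[0] == '\0' || m->size == 0;
}

/* Check 2 (generalisation): reachable in the kernel list but absent from the
 * list user space was given (e.g. a hooked query view) also means hiding. */
int in_reported(const char *name, const char *const *reported, int n) {
    for (int i = 0; i < n; i++)
        if (strcmp(name, reported[i]) == 0) return 1;
    return 0;
}

/* Walk the list and count entries tripping either check. The last node is
 * assumed to be the kernel's own pseudo-module, whose name is "" by design,
 * so it is skipped to avoid a false positive. */
int count_hidden(const struct module *head, const char *const *reported, int n) {
    int hidden = 0;
    for (const struct module *m = head; m && m->next; m = m->next) {
        if (is_blanked(m)) {
            printf("Found '%s' (size %lu): blanked entry, likely hiding\n",
                   m->name ? m->name : "", m->size);
            hidden++;
        } else if (!in_reported(m->name, reported, n)) {
            printf("Found %s: in kernel list but not reported to user space\n", m->name);
            hidden++;
        }
    }
    return hidden;
}

/* Constructed sample list: one honest module, one blanked one, one that only
 * lies to user space, then the kernel entry terminating the list. */
static struct module m_kernel = { "", 0, NULL };
static struct module m_lie    = { "nfs", 4096, &m_kernel };
static struct module m_blank  = { "", 0, &m_lie };
static struct module m_ok     = { "ipv6", 8192, &m_blank };
struct module *sample_list = &m_ok;
static const char *const sample_reported[] = { "ipv6" };  /* constructed user-space view */
int sample_reported_n = 1;

int main(void) { return count_hidden(sample_list, sample_reported, sample_reported_n) ? 1 : 0; }
```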