Honeypots mailing list archives
Re: sebek as a patch?
From: Edward Balas <ebalas () iu edu>
Date: Thu, 06 Oct 2005 09:35:48 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Valdis.Kletnieks () vt edu wrote:
| On Thu, 06 Oct 2005 13:18:15 +0800, "Daniel J. Axtens" said:
|
|> I am not a kernel/honeypot hacker, but, would it be possible, to,
|> at the kernel level, redirect /dev/{mem,kmem} to, for example, a
|> stored memory dump?
|
| Possible, but not very practical. If *I* were a hacker, and
| suspected that I was in a honeypot, and had read access to
| /dev/*mem, one of the *first* things I'd do is walk the process
| chain in memory, and see if it bears any resemblance to the
| processes listed as running in /proc. Unless I first looked at
| /proc/uptime and the corresponding kernel variables (look at
| uptime_read_proc() in fs/proc/proc_misc.c - it's all of 4 lines of
| executable code). Hardest part is finding the right copy of
| System.map and finding where the init_task structure lives in
| memory.

Even if you could present an altered /dev/*mem, the intruder with root
access can load a kernel module which would give them direct access to
kernel memory, bypassing all of your work. Yeah, you could disable the
install of kernel modules using the technique Thorsten mentioned, but
that provides a pretty large indicator itself.

Edward
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDRTZDlKB5oSzVKwoRAlYAAJ4sjgDZNV8g+p6IMt5dKacdHeGSGgCfVMWd
GHWG1melNrvcbNAtLi7BSEQ=
=UhNB
-----END PGP SIGNATURE-----
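The quoted detection idea, comparing the kernel's own process chain and uptime against what /proc reports, as an added example that is not part of the thread and not Sebek code. Walking init_task through /dev/kmem needs root, a matching System.map and a kernel that still exposes /dev/kmem, so this script uses the same cross-view principle with two kernel interfaces that need none of that: kill(pid, 0), which the kernel answers from its task list whether or not /proc lists the PID, and CLOCK_BOOTTIME, which comes from the kernel's timekeeping rather than from the /proc/uptime text. Linux and Python 3.7+ are assumed; the 5-second uptime tolerance is an arbitrary choice for illustration. The caveat Edward raises still applies: an intruder or a honeypot module with kernel access can hook kill(2) and clock_gettime(2) just as easily as it can alter /proc, so a clean result here proves nothing, while a mismatch is a strong indicator.

```python
"""Cross-view checks against /proc (added example, not from the mailing list).

Two views of the same kernel state are compared:
  - process list: /proc/<pid> directories versus kill(pid, 0) probing
  - uptime:       /proc/uptime versus CLOCK_BOOTTIME
If the two views disagree, something between the kernel and /proc is lying
(or the system is busy enough to race; see compare_views on that).
Assumes Linux and Python 3.7+.
"""
import os
import time


def proc_pids():
    """PIDs as /proc lists them: the view ps, top and friends show."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def probe_pids(pid_max=None):
    """PIDs the kernel admits to when asked directly with kill(pid, 0).

    ESRCH means no such process; EPERM means it exists but we may not
    signal it. Neither answer involves /proc, so a process hidden only
    from /proc still shows up here. Scans 1..pid_max (default from
    /proc/sys/kernel/pid_max, which can be in the millions; pass a
    smaller bound for a quick check).
    """
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except PermissionError:   # EPERM: exists, not ours
            alive.add(pid)
        except ProcessLookupError:  # ESRCH: no such PID
            pass
    return alive


def compare_views(listed, probed):
    """Return (hidden, ghost).

    hidden: PIDs the kernel answers for but /proc does not list, the
            symptom of a process hidden from /proc.
    ghost:  PIDs /proc lists but the kernel denies, i.e. a faked /proc.
    Short-lived processes exiting or starting between the two views also
    land here, so repeat the check and keep only PIDs that persist.
    """
    return probed - listed, listed - probed


def self_visible():
    """Sanity check: the kernel must at least admit that we exist."""
    me = os.getpid()
    return me in probe_pids(pid_max=me)


def uptime_views():
    """(/proc/uptime first field, CLOCK_BOOTTIME) in seconds since boot.

    /proc/uptime is a few lines of kernel code producing text; an edited
    or replaced /proc can print anything. CLOCK_BOOTTIME is answered by
    the timekeeping code directly, so a /proc/uptime padded to hide a
    recent reboot shows up as a gap between the two.
    """
    with open("/proc/uptime") as f:
        proc_up = float(f.read().split()[0])
    clock_up = time.clock_gettime(time.CLOCK_BOOTTIME)
    return proc_up, clock_up


def uptime_consistent(proc_up, clock_up, tolerance=5.0):
    """True when the two uptime views agree within `tolerance` seconds
    (the tolerance is an arbitrary choice for this example)."""
    return abs(proc_up - clock_up) <= tolerance


if __name__ == "__main__":
    hidden, ghost = compare_views(proc_pids(), probe_pids())
    print("hidden from /proc:", sorted(hidden) or "none")
    print("listed but absent:", sorted(ghost) or "none")
    p, c = uptime_views()
    print("uptime /proc=%.1f boottime=%.1f consistent=%s"
          % (p, c, uptime_consistent(p, c)))
```

Run it twice a few seconds apart and intersect the `hidden` sets to discard races; a PID that the kernel keeps answering for while /proc keeps omitting it is the finding worth investigating.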
Current thread:
- Re: sebek as a patch?, (continued)
- Re: sebek as a patch? Laurent OUDOT (Oct 04)
- Re: sebek as a patch? NAHieu (Oct 05)
- Re: sebek as a patch? Edward Balas (Oct 05)
- Re: sebek as a patch? Thorsten Holz (Oct 05)
- Re: sebek as a patch? Edward Balas (Oct 05)
- Re: sebek as a patch? NAHieu (Oct 05)
- Re: sebek as a patch? Edward Balas (Oct 05)
- Re: sebek as a patch? Valdis . Kletnieks (Oct 05)
- Re: sebek as a patch? Daniel J. Axtens (Oct 06)
- Re: sebek as a patch? Valdis . Kletnieks (Oct 06)
- Re: sebek as a patch? Edward Balas (Oct 06)
- Re: sebek as a patch? Valdis . Kletnieks (Oct 06)
- Re: sebek as a patch? Daniel J. Axtens (Oct 07)
- Re: sebek as a patch? Edward Balas (Oct 07)
- Re: sebek as a patch? Thorsten Holz (Oct 05)