Re: LKM

From: Cedric Blancher (blancher@cartel-info.fr)
Date: 12/20/01

    From: Cedric Blancher <blancher@cartel-info.fr>
    Date: Thu, 20 Dec 2001 08:48:41 +0000 (UTC)
    
    

    In his prose, uzon (asb23@hotmail.com) wrote to us:
    > how is it possible to detect a malicious LKM?

    Yes, most of them.

    > I saw something with KSTAT but it wasn't too clear.

    You can look at exported symbols.

    See http://www.chkrootkit.org/

    And, to avoid them, build your kernel _without_ module support and
    disable /dev/kmem and the like with a patch such as LIDS, to prevent an
    LKM from being force-loaded.

    -- 
    BOFH excuse #55:
    Plumber mistook routing panel for decorative wall fixture
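One way to act on the "look at exported symbols" advice, as an added example that is not part of Cedric's message or of chkrootkit: compare the module tags that /proc/kallsyms attaches to symbols against the module list in /proc/modules. A module that owns kernel symbols but is absent from /proc/modules has unlinked itself from the module list, which is how many LKM rootkits hide. The sample kallsyms and /proc/modules lines below are constructed, and the module name `nastymod` is made up.

```python
"""Hidden-LKM check: modules that own symbols but are missing from /proc/modules."""
import re
from typing import Dict, Iterable, Set

# /proc/kallsyms line: "<addr> <type> <symbol>[\t[module]]"; the bracketed
# module tag is only present for symbols that belong to a loaded module.
KALLSYMS_RE = re.compile(r"^[0-9a-f]+\s+\S\s+(\S+)(?:\s+\[(\S+)\])?$")


def modules_in_kallsyms(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map module name -> set of symbols it owns, parsed from kallsyms text."""
    owners: Dict[str, Set[str]] = {}
    for line in lines:
        m = KALLSYMS_RE.match(line.strip())
        if m and m.group(2):
            owners.setdefault(m.group(2), set()).add(m.group(1))
    return owners


def listed_modules(lines: Iterable[str]) -> Set[str]:
    """Module names from /proc/modules (first field of each non-empty line)."""
    return {line.split()[0] for line in lines if line.strip()}


def hidden_modules(kallsyms: Iterable[str], procmodules: Iterable[str]) -> Dict[str, Set[str]]:
    """Modules present in kallsyms but not admitted by /proc/modules."""
    owners = modules_in_kallsyms(kallsyms)
    listed = listed_modules(procmodules)
    return {name: syms for name, syms in owners.items() if name not in listed}


# Constructed sample data (not real system output). On a live box read
# open("/proc/kallsyms") and open("/proc/modules") instead.
SAMPLE_KALLSYMS = """\
ffffffff81000000 T _text
ffffffffc0100000 t e1000_probe\t[e1000]
ffffffffc0100200 T e1000_driver_version\t[e1000]
ffffffffc0200000 t hide_module\t[nastymod]
ffffffffc0200100 t hooked_getdents\t[nastymod]
""".splitlines()

SAMPLE_PROC_MODULES = """\
e1000 188416 0 - Live 0xffffffffc0100000
""".splitlines()

if __name__ == "__main__":
    for name, syms in hidden_modules(SAMPLE_KALLSYMS, SAMPLE_PROC_MODULES).items():
        print(f"module '{name}' owns symbols but is not in /proc/modules: {sorted(syms)}")
```

A rootkit that also scrubs its symbols from kallsyms defeats this check, which is why the message's other advice (no module support, no /dev/kmem) matters more than any single detector.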