Hi!

When I started thinking about this problem (ps or process handling; it was a sidetrack from one of my previous projects), I was thinking about a technical problem, not about a rootkit or anything else. Now that we see this problem, we can think about how we can correct process checking, for example by comparing ps output lines with the /proc pid directories (it is a simple script), or we can build some similar checks into ps.

This is a technical forum for dtrace, I always think about the technical problems, and I think if the admins don't want to see my letter on the mailing list/forum, or it conflicts with any mailing list policy, they will remove it. It is like a proof of concept script.

Cni

(At my workplace I am currently working on some dtrace script(s) for Oracle and for Solaris 10 performance tuning.)

(Sorry for the non-technical letter. If somebody has a non-technical comment on this post, please write it directly to me, not to the list.)

2009/12/8 Allan <allan.mcale...@gmail.com>:
> Sorry to be a pain here but
>
> My problem was how can I modify ps output, after I check ps's syscalls
> (I don't check kernel space calls, just syscalls), I find
> syscall::open:entry ask info about the process, and
> syscall::write:return write the data to the terminal/console etc.....
>
> Does this not seem to be a way of asking how to hide the output when looking
> for a particular string, i.e. in a ps, more of a rootkit type idea. I may be
> way wrong here....
> --
> This message posted from opensolaris.org
> _______________________________________________
> dtrace-discuss mailing list
> dtrace-discuss@opensolaris.org
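
The cross-check mentioned in the message above (ps output lines against the /proc pid directories), as an added example that is not the poster's script or part of the original thread. `PROC_DIR` and the function names are assumptions of this sketch, and it goes slightly beyond the text by re-checking each candidate so that short-lived processes are not reported.

```shell
#!/bin/sh
# Added example: cross-check ps output against the /proc PID directories.
# PROC_DIR and all function names are assumptions of this sketch.
PROC_DIR="${PROC_DIR:-/proc}"

# PIDs as reported by ps, one per line.
list_ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# PIDs that have a purely numeric directory under $PROC_DIR, one per line.
list_proc_pids() {
    for d in "$PROC_DIR"/[0-9]*; do
        [ -d "$d" ] || continue
        case "${d##*/}" in
            *[!0-9]*) ;;              # not purely numeric: skip
            *) echo "${d##*/}" ;;
        esac
    done
}

# Print every PID listed in file $2 that is missing from file $1.
missing_from() {
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen)' "$1" "$2"
}

# Report PIDs present under /proc but absent from ps in two snapshots.
hidden_pids() {
    tmp=$(mktemp -d) || return 1
    list_proc_pids > "$tmp/proc1"
    list_ps_pids   > "$tmp/ps1"
    missing_from "$tmp/ps1" "$tmp/proc1" > "$tmp/cand"
    # A process that started or exited between the two listings is a race,
    # not a discrepancy, so re-check every candidate against a fresh ps.
    list_ps_pids > "$tmp/ps2"
    missing_from "$tmp/ps2" "$tmp/cand" | while read -r pid; do
        if [ -d "$PROC_DIR/$pid" ]; then echo "$pid"; fi
    done
    rm -rf "$tmp"
    return 0
}

# Run a scan only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--scan" ]; then hidden_pids; fi
```

Because ps itself reads /proc, this check catches filtering applied to what ps prints, not tampering beneath /proc.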