> > 1) scan the sysent table and check syscall pointers (generally, rootkits
> > intercept syscalls)
>
> This can get really "hairy". To scan the syscall table, even if you
> are 'root' and directly access /dev/mem you will have to use some
> system calls to open(), read() and seek() into the /dev/mem device.
> But those syscalls might be the intercepted ones: ouch!
Of course this is not to be done from userland program. You should write
your own KLD module which will compare sysent[] values against standard
system calls and list the differences. I don't really see how a "root kit"
can prevent such a scan.
Regards,
Eugene
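The sysent[] comparison Eugene describes, as an added example that is not from the thread: a host-runnable C model of the in-kernel check, where `live` stands in for the kernel's sysent[] and `expected` for the addresses of the stock handlers; the entry type, handler names and table contents are constructed stand-ins, not FreeBSD's own definitions.

```c
/* Added example (not from the thread): the sysent[] comparison done
 * in-kernel, modelled so the core check compiles on an ordinary host.
 * Names and table contents below are constructed for illustration. */
#include <stddef.h>

typedef int (*sy_call_fn)(void *, void *);   /* stand-in for FreeBSD's sy_call_t */

struct entry { sy_call_fn sy_call; };        /* minimal stand-in for struct sysent */

/* Walk the live table and compare each handler pointer with the handler
 * expected for that syscall number. Syscall numbers whose handler differs
 * are written to `hooked` (up to max_hooked); the total count is returned.
 * Nothing here goes through a syscall, which is the point of doing it in
 * a KLD rather than from userland. */
size_t find_hooked_syscalls(const struct entry *live, const sy_call_fn *expected,
                            size_t n, int *hooked, size_t max_hooked)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (live[i].sy_call != expected[i]) {
            if (found < max_hooked)
                hooked[found] = (int)i;
            found++;
        }
    }
    return found;
}

/* Constructed sample handlers: three "stock" ones and one replacement. */
static int std_open(void *a, void *b)  { (void)a; (void)b; return 0; }
static int std_read(void *a, void *b)  { (void)a; (void)b; return 0; }
static int std_lseek(void *a, void *b) { (void)a; (void)b; return 0; }
static int evil_read(void *a, void *b) { (void)a; (void)b; return 0; }

/* Runs the check over a constructed table in which syscall number 1 (the
 * "read" slot here) has been redirected. Returns 1 if exactly that slot is
 * reported, 0 otherwise. */
int demo_detects_hooked_read(void)
{
    const sy_call_fn expected[3] = { std_open, std_read, std_lseek };
    struct entry live[3] = { { std_open }, { evil_read }, { std_lseek } };
    int hooked[3];
    size_t n = find_hooked_syscalls(live, expected, 3, hooked, 3);
    return (n == 1 && hooked[0] == 1) ? 1 : 0;
}
```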