Sh wrote:
Well,ok.....
There is a rootkit for Solaris that can hide itself from modinfo, so:
166 feb9f2f6   194c  52   1  shmsys (System V shared memory)
168 f9e062a4   13cc 207   1  pset (processor sets)
-bash-3.00#

So, we have only the approximate address of this module in memory (according to 
the addresses of the previous and next modules). And we need somehow to determine the 
address of _fini() and unload this module; however, we don't have its id and if 
we do unload -i 167 we get an error. Of course we can remove this module from 
autoloading on boot and then reboot the system, but imagine we can't do 
this. So, that's it!


Ah, but even if you were able to find _fini()'s address and call it, it still wouldn't help you to unload the module. _fini() is called by the kernel to ask the module if it is willing/able to be unloaded and your rootkit would then say 'No, I'm not' by returning EBUSY...

Menno
--
Menno Lageman          | [EMAIL PROTECTED]
Project Engineer       | tel. +31 (0)33 4515036 (x15036)
Sun Microsystems       | http://blogs.sun.com/menno
_______________________________________________
opensolaris-discuss mailing list
[email protected]
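The thread's starting point is that the hidden module leaves a hole in the modinfo id sequence (166, then 168) and the only addresses available are those of its visible neighbours. The following is an added example, not code from the thread or from OpenSolaris: it parses modinfo output and reports id gaps together with the address ranges of the neighbouring modules. The sample listing is constructed (only the two shmsys/pset rows are quoted from the thread; the third row is made up). Note the caveat, which the quoted output itself shows: load addresses are not monotonic in id, so neighbour ranges bound nothing on their own, and a legitimately unloaded module leaves the same id gap, so a hole is a lead to investigate, not proof of a rootkit.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `modinfo` output. The shmsys and pset rows are the ones
# quoted in the thread; the third row is invented for the example. Id 167 is absent.
SAMPLE_MODINFO = """\
 Id Loadaddr   Size Info Rev Module Name
166 feb9f2f6   194c  52   1  shmsys (System V shared memory)
168 f9e062a4   13cc 207   1  pset (processor sets)
170 f9e07ab0   2a1c   -   1  example_mod (constructed entry)
"""

# One modinfo row: id, load address (hex), size (hex), info ('-' or a number),
# rev, module name, optional parenthesised description.
MODINFO_ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<loadaddr>[0-9a-fA-F]+)\s+(?P<size>[0-9a-fA-F]+)\s+"
    r"(?P<info>-|\d+)\s+(?P<rev>\d+)\s+(?P<name>\S+)(?:\s+\((?P<desc>.*)\))?\s*$"
)


def parse_modinfo(text: str) -> List[Dict]:
    """Parse modinfo output into module records sorted by id.

    The header line and anything not matching the row layout is skipped.
    """
    mods = []
    for line in text.splitlines():
        m = MODINFO_ROW.match(line)
        if not m:
            continue
        mods.append({
            "id": int(m.group("id")),
            "loadaddr": int(m.group("loadaddr"), 16),
            "size": int(m.group("size"), 16),
            "name": m.group("name"),
            "desc": m.group("desc") or "",
        })
    return sorted(mods, key=lambda r: r["id"])


def find_id_gaps(mods: List[Dict]) -> List[Tuple[int, str, str]]:
    """Return (missing_id, previous_module, next_module) for each hole in the id sequence.

    A hole is only a hint: a module that was unloaded normally leaves the same gap,
    so every hit needs to be checked against what was expected to be loaded.
    """
    gaps = []
    for prev, nxt in zip(mods, mods[1:]):
        for missing in range(prev["id"] + 1, nxt["id"]):
            gaps.append((missing, prev["name"], nxt["name"]))
    return gaps


def neighbour_ranges(mods: List[Dict], missing_id: int) -> Dict[str, Tuple[int, int]]:
    """Address ranges [start, end) of the visible modules on either side of a gap.

    These are the only addresses the listing offers for the hidden id. Load addresses
    are not ordered by id (pset sits below shmsys in the sample), so the ranges do
    not bracket the missing module; they only tell you where not to look.
    """
    lower = [r for r in mods if r["id"] < missing_id]
    upper = [r for r in mods if r["id"] > missing_id]
    out = {}
    if lower:
        r = lower[-1]
        out[r["name"]] = (r["loadaddr"], r["loadaddr"] + r["size"])
    if upper:
        r = upper[0]
        out[r["name"]] = (r["loadaddr"], r["loadaddr"] + r["size"])
    return out


if __name__ == "__main__":
    modules = parse_modinfo(SAMPLE_MODINFO)
    for missing, before, after in find_id_gaps(modules):
        print(f"id {missing} missing between {before} and {after}")
        for name, (start, end) in neighbour_ranges(modules, missing).items():
            print(f"  {name}: {start:#x}-{end:#x}")
```

On a live system the input would be the output of `modinfo` itself; comparing the gap list against a baseline taken from a known-good boot is what turns a hint into a finding.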