> i'm not sure, but i believe that if an lkm is clever enough (ie. very well
> programmed), it can really 'wipe' a file/process/??? from the system, so
> it's hard sometimes to diagnose your server
It really can. I never did it (too lazy :), but the concept of doing it is rather simple. You create a kernel module that "interrupts" the relevant syscalls - open(), read(), etc. Interrupting here means it changes the syscall table to call my_open() in place of open(). What my_open() does is check the parameters to see whether they match a "wiped" file. If yes, it returns a value that would indicate the file does not exist. If not, it just calls the original open() and returns its return value.

The following code shows how to interrupt ptrace() calls. My less lazy friend wrote it after we came up with the idea to use it to work around the recent ptrace() bug in the Linux kernel.

<CODE>
#define MODULE
#define __KERNEL__
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/modversions.h>
#include <linux/smp_lock.h>
#include <linux/types.h>
#include <linux/dirent.h>
#include <linux/string.h>
#include <linux/mm.h>
#include <linux/sched.h>
#include <linux/errno.h>   /* EPERM */
#include <asm/unistd.h>    /* __NR_ptrace: the list of system calls */

MODULE_LICENSE("GPL");

extern void *sys_call_table[]; /* sys_call_table is exported (2.4), so we can access it */

/* the original ptrace() handler, saved so cleanup_module() can put it back */
asmlinkage int (*orig_sys_ptrace)(long request, long pid, long addr, long data);

#define is_dumpable(tsk) ((tsk)->task_dumpable && (tsk)->mm->dumpable) /* not used below */

/* replacement handler: every ptrace() request is refused */
asmlinkage int hacked_sys_ptrace(long request, long pid, long addr, long data)
{
    return -EPERM;
}

int init_module(void) /* module setup */
{
    orig_sys_ptrace = sys_call_table[__NR_ptrace];
    sys_call_table[__NR_ptrace] = hacked_sys_ptrace;
    return 0;
}

void cleanup_module(void) /* module shutdown */
{
    sys_call_table[__NR_ptrace] = orig_sys_ptrace; /* set the ptrace syscall back to the original one */
}
</CODE>

Focus on init_module() and hacked_sys_ptrace().

[e]

-- 
_______________________________________________________________________________
>[EMAIL PROTECTED]<  /(bb|[^b]{2})/  >>http://hq.sk/~euro<
"always know what you say, but do not always say what you know"
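The detection side of the same idea, as an added example that is not part of the original post or its module: once a slot in sys_call_table has been redirected the way init_module() above does it, the live pointer no longer matches the sys_* symbol that the kernel's own System.map lists for that slot, and a pointer that lands outside _text.._etext points at a loaded module rather than at the kernel image. The System.map excerpt, the i386 syscall numbers used, and the "live" table dump below are constructed for the example (the dump is assumed to have been read already, e.g. from /dev/kmem, a crash dump or a debugger); the addresses are made up.

```python
"""Spot a patched sys_call_table entry by checking it against System.map.

Hypothetical defender-side check (not from the original post).  The live
table pointers are assumed to have been dumped already; constructed inline here.
"""
import re

# Constructed System.map excerpt (made-up addresses, 2.4-style layout).
SYSTEM_MAP = """\
c0100000 T _text
c0105ab0 T sys_ptrace
c01067e0 T sys_open
c0108120 T sys_read
c0108400 T sys_getdents
c02a0000 T _etext
"""

# Syscall number -> handler symbol for the slots we care about (i386 numbers).
SYSCALLS = {3: "sys_read", 5: "sys_open", 26: "sys_ptrace", 141: "sys_getdents"}

# Constructed dump of the live table after a hooking module ran: the ptrace
# slot now points into the module/vmalloc area instead of at sys_ptrace.
LIVE_TABLE = {3: 0xc0108120, 5: 0xc01067e0, 26: 0xd08a1000, 141: 0xc0108400}


def parse_system_map(text):
    """Return {symbol: address} for the text-segment (T/t) symbols in a System.map."""
    symbols = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-f]+)\s+[Tt]\s+(\S+)$", line.strip())
        if m:
            symbols[m.group(2)] = int(m.group(1), 16)
    return symbols


def nearest_symbol(symbols, addr):
    """Map an address to 'symbol+offset' using the closest preceding symbol."""
    below = [(a, s) for s, a in symbols.items() if a <= addr]
    if not below:
        return None
    base, name = max(below)
    return "%s+0x%x" % (name, addr - base)


def find_hooked_entries(symbols, live_table, syscalls=SYSCALLS):
    """Return one finding per table slot whose pointer is not the handler that
    System.map says it should be.  Each finding records the syscall number, the
    expected and observed pointers, and a verdict on where the pointer lands."""
    text_start, text_end = symbols["_text"], symbols["_etext"]
    findings = []
    for nr, handler in sorted(syscalls.items()):
        expected = symbols.get(handler)
        observed = live_table.get(nr)
        if expected is None or observed is None or observed == expected:
            continue
        if text_start <= observed < text_end:
            verdict = "inside kernel text but wrong handler (%s)" % nearest_symbol(symbols, observed)
        else:
            verdict = "outside kernel text, likely a loaded module"
        findings.append({"nr": nr, "handler": handler, "expected": expected,
                         "observed": observed, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in find_hooked_entries(parse_system_map(SYSTEM_MAP), LIVE_TABLE):
        print("syscall %3d %-13s expected %08x got %08x: %s"
              % (f["nr"], f["handler"], f["expected"], f["observed"], f["verdict"]))
```

On the constructed data this reports only slot 26 (sys_ptrace) as pointing outside kernel text. A module that restores the table in cleanup_module(), as the one above does, leaves no trace once unloaded, so a check like this only catches it while the module is resident; the System.map used must of course come from a trusted copy, not from the possibly compromised host.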