Wang Jian wrote :

>
> Our alternative method uses the first style: to find the differences
> between the fake view and the real view.
> [...]
>
> We read the raw disk and traverse the filesystem on disk, bypass the
> live filesystem, and create a real view of files on disk; then traverse
> the live filesystem to get the fake view. Comparing the two views, we can
> find the differences. We will find the stealth files.
>

For your information, I wrote the same kind of tool some time ago. It works fine for my needs, and found all the LKMs I tested, as far as files are hidden (I mean, if the LKM doesn't hide any file, "ancheck" doesn't find it). I definitely think that the "find the differences between the two views" approach is a very good approach to detect LKMs.

I called my tool "ancheck" (alternate ncheck) because it works more or less like the UNIX "ncheck" command (ncheck exists on most UNIX systems, but not on Linux) :

http://www.cert-ist.com/francais/outils/ancheck03.tar.Z
http://www.cert-ist.com/francais/outils/ancheck03.tar.Z.sig

Ancheck is a set of 2 UNIX commands ("ls_hidden" and "ancheck") designed to locate hidden or deleted files. It works on UFS (Solaris) and EXT2 (Linux) file systems. You need TCT (the Coroner's Toolkit) to compile the package. TCT can be downloaded from :

http://www.porcupine.org/tct
http://www.fish.com/tct/

Philippe Bourgeois
Cert-IST
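The two-view comparison discussed in this thread, as an added example that is not the ancheck code from the post. Both views are constructed inline here; a real tool builds the raw view by walking the ext2/UFS structures on the block device and the live view by walking the mounted filesystem, and the inode numbers and paths below are assumptions.

```python
from collections import defaultdict

# Constructed raw view: (inode, path) pairs, as an ncheck-style walk of the
# directory blocks straight off the device would list them.
RAW_VIEW = [
    (2, "/"), (11, "/lost+found"), (12, "/etc"), (13, "/etc/passwd"),
    (14, "/usr"), (15, "/usr/bin"), (16, "/usr/bin/ps"),
    (16, "/usr/bin/.ps.real"),          # hard link: same inode, second name
    (30, "/dev"), (17, "/dev/.hidden"), (18, "/dev/.hidden/module.o"),
    (19, "/dev/.hidden/ps"), (31, "/tmp"), (20, "/tmp/scan.tmp"),
]

# Constructed live view (path -> inode) as the running kernel reports it.
# A module that filters directory entries simply never returns some names.
LIVE_VIEW = {
    "/": 2, "/lost+found": 11, "/etc": 12, "/etc/passwd": 13,
    "/usr": 14, "/usr/bin": 15, "/usr/bin/ps": 16, "/dev": 30,
    "/tmp": 31, "/tmp/scan.tmp": 22, "/tmp/new.log": 21,
}


def compare_views(raw, live):
    """Return the differences between the raw (on-disk) and live views."""
    raw_by_path = {}
    names_by_inode = defaultdict(set)
    for inode, path in raw:
        raw_by_path[path] = inode
        names_by_inode[inode].add(path)
    # On disk but not visible live: the stealth files the post describes.
    hidden = sorted(p for p in raw_by_path if p not in live)
    # A hidden directory hides its whole subtree; report the topmost hidden
    # path of each subtree so one hidden directory is one finding.
    roots = [p for p in hidden
             if not any(p != q and p.startswith(q.rstrip("/") + "/")
                        for q in hidden)]
    # Hidden name whose inode is still reachable under another live name:
    # an alias (hard link), so the data itself is not hidden.
    aliased = sorted(p for p in hidden
                     if any(q in live for q in names_by_inode[raw_by_path[p]]))
    # Same name, different inode: replaced between the two walks, or the
    # live lookup is being redirected; re-scan before calling it hidden.
    mismatched = sorted(p for p, ino in raw_by_path.items()
                        if p in live and live[p] != ino)
    # Live but not on disk: created after the raw walk, or on a pseudo
    # filesystem (proc, devfs) that has no on-disk structure to read.
    only_live = sorted(p for p in live if p not in raw_by_path)
    return {"hidden": hidden, "hidden_roots": roots, "aliased": aliased,
            "mismatched": mismatched, "only_live": only_live}
```

Entries in `mismatched` and `only_live` are the race conditions of any two-pass comparison and are the usual source of false positives; a second pass over just those paths separates churn from hiding.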
This archive was generated by hypermail 2b30 : Wed Apr 17 2002 - 18:37:40 PDT