Re: Should /proc/kallsyms contain the sys_call_table symbol?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mulyadi Santosa wrote:
> Hi...
> 
> On Mon, Nov 17, 2008 at 7:39 PM, Giannis Kozyrakis <trv@xxxxxxxxxxx> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> I'm doing some research, and I've noticed something that is odd in my opinion:
>>
>> 1. According to all references, the /proc/kallsyms file contains all the
>> global kernel symbols, and those of the modules too. [ NOT just the
>> exported symbols like /proc/ksyms used to do in 2.4 kernels ]
>>
>> 2. Due to the above fact, the sys_call_table symbol should be inside it.
>>
>>
>> In Ubuntu, it actually is there; it can be found with a grep.
>>
>> BUT I've tested also in Debian, Redhat el4, centos4, and fedora 9, and
>> the symbol is NOT inside the kallsyms file.
>>
>> Can someone explain this behaviour? And, should this symbol be in there
>> or not?
> 
> Very likely you saw it in the Ubuntu kernel because it is not made
> hidden. But in Fedora, for example, some developers decided to make it
> hidden, thus making it hard to create "malicious" software such as
> rootkits. As you are probably aware, hooking sys_call_table is one of
> the ways to intercept and/or manipulate the kernel.
> 
> Well, it won't stop crackers from doing that, but at least it makes
> more trouble for them..
> 
> regards,
> 
> Mulyadi.
> 

Hello Mulyadi,

I'm aware of all that about rootkits and hooking; in fact, that's what
I'm researching.

The question is this:

/proc/kallsyms contains all the global symbols, regardless of whether they
are exported or not. In Ubuntu, the sys_call_table symbol is NOT exported,
exactly like in all the other distributions and 2.6 kernels.

I understand the reasoning for this and all; what I don't understand is
how and why this symbol is not in the /proc/kallsyms file in
Debian, Redhat and others.

Do these distributions apply a patch somewhere, so that this symbol does
not appear in the file?

Furthermore, could someone who is running a vanilla kernel check whether
this symbol is in the kallsyms file? It should be..

Thank you for your answer.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkkhjlEACgkQusj5FmsVhIeG0ACfY0Pnb6zt9VgBhXh00Zo5LL+x
rk8An36wUZoMWn4Xs4WmkI5hKRPCSwMg
=S47G
-----END PGP SIGNATURE-----
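The check the thread asks readers to run, written out as an added example (not code from any poster in this thread). It parses the /proc/kallsyms line format ("address type name [module]", the same layout as System.map), reports whether sys_call_table is listed and with which nm-style type letter, and, as a caveat for anyone repeating the experiment on a kernel newer than the ones discussed here, distinguishes "symbol absent" from "symbol present but every address printed as zero", which is what kptr_restrict (added in 2.6.38) does for unprivileged readers. The sample kallsyms excerpts are constructed for the example; run the file directly to check the live /proc/kallsyms instead.

```python
"""Check a kallsyms/System.map listing for sys_call_table.

Added example, not from the original thread. Line format:
    <hex address> <type letter> <symbol name> [<module name>]
The type letter follows nm(1): T/t text, D/d data, R/r read-only data, ...
"""
import re
import sys
from typing import Dict, List, Optional

# Matches one kallsyms line; the trailing "[module]" is optional.
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z?])\s+(\S+)(?:\s+\[(\S+)\])?$")

# Constructed sample listings (not captured from a real machine).
SAMPLE_WITH = """\
ffffffff81000000 T _text
ffffffff81a001a0 R sys_call_table
ffffffff81a00a00 R ia32_sys_call_table
ffffffffa0000000 t dummy_fn\t[dummy_mod]
"""
SAMPLE_WITHOUT = """\
ffffffff81000000 T _text
ffffffffa0000000 t dummy_fn\t[dummy_mod]
"""
# What an unprivileged reader sees with kptr_restrict=1: names kept, addresses zeroed.
SAMPLE_RESTRICTED = """\
0000000000000000 T _text
0000000000000000 R sys_call_table
0000000000000000 t dummy_fn\t[dummy_mod]
"""


def parse_kallsyms(text: str) -> List[Dict[str, object]]:
    """Parse kallsyms text into dicts; lines that do not match are skipped."""
    syms = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        addr, typ, name, module = m.groups()
        syms.append({"addr": int(addr, 16), "type": typ, "name": name, "module": module})
    return syms


def find_symbol(syms: List[Dict[str, object]], name: str) -> List[Dict[str, object]]:
    return [s for s in syms if s["name"] == name]


def addresses_hidden(syms: List[Dict[str, object]]) -> bool:
    """True when the listing is non-empty and every address reads as zero."""
    return bool(syms) and all(s["addr"] == 0 for s in syms)


def check_sys_call_table(text: str) -> Dict[str, object]:
    """Summarise whether sys_call_table is listed and whether addresses are usable."""
    syms = parse_kallsyms(text)
    hits = find_symbol(syms, "sys_call_table")
    first: Optional[Dict[str, object]] = hits[0] if hits else None
    return {
        "present": bool(hits),
        "type": first["type"] if first else None,
        "addr": first["addr"] if first else None,
        "module": first["module"] if first else None,
        "hidden_addresses": addresses_hidden(syms),
        "total_symbols": len(syms),
    }


def describe(result: Dict[str, object]) -> str:
    if not result["present"]:
        return "sys_call_table is NOT listed"
    if result["hidden_addresses"]:
        return "sys_call_table is listed but addresses are zeroed (kptr_restrict); read as root"
    return "sys_call_table is listed: type %s at 0x%x" % (result["type"], result["addr"])


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/kallsyms"
    try:
        with open(path) as fh:
            print(describe(check_sys_call_table(fh.read())))
    except OSError as exc:
        print("cannot read %s: %s" % (path, exc))
```

The parser deliberately ignores lines it cannot match rather than aborting, since /proc/kallsyms on some kernels carries extra entries (for example symbols with odd names from assembly files) that a strict format check would reject.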

--
To unsubscribe from this list: send an email with
"unsubscribe kernelnewbies" to ecartis@xxxxxxxxxxxx
Please read the FAQ at http://kernelnewbies.org/FAQ

