The API kallsyms_lookup() is used by the kernel to look up the APIs listed in /proc/kallsyms. So if anyone can check out sys_call_table, then of course rootkiting is no problem.

On the other hand, if you want to know who printed /proc/kallsyms (kernel/kallsyms.c:s_show()):

    /* Some debugging symbols have no name. Ignore them. */
    if (!iter->name[0])
        return 0;

If you compile the kernel, the file vmlinux does have the sys_call_table, but that file is never present on a production server; only the vmlinuz is available, which has been stripped of this symbol.

On Mon, Nov 17, 2008 at 11:31 PM, Giannis Kozyrakis <trv@xxxxxxxxxxx> wrote:
> Mulyadi Santosa wrote:
>> Hi...
>>
>> On Mon, Nov 17, 2008 at 7:39 PM, Giannis Kozyrakis <trv@xxxxxxxxxxx> wrote:
>>> I'm doing some research, and I've noticed an odd thing in my opinion:
>>>
>>> 1. According to all references, the /proc/kallsyms file contains all the
>>> global kernel symbols, and those of the modules too. [ NOT just the
>>> exported symbols like /proc/ksyms used to do in 2.4 kernels ]
>>>
>>> 2. Due to the above fact, the sys_call_table symbol should be inside it.
>>>
>>> In Ubuntu, it actually is there; it can be found with a grep.
>>>
>>> BUT, I've tested also in Debian, Red Hat EL4, CentOS 4, and Fedora 9, and
>>> the symbol is NOT inside the kallsyms file.
>>>
>>> Can someone explain this behaviour? And, should this symbol be in there
>>> or not?
>>
>> Very likely, you saw it in the Ubuntu kernel because it is not made
>> hidden. But in Fedora, for example, some developers decided to make it
>> hidden... thus making it hard to create "malicious" software such as
>> rootkits. As you are probably aware of, hooking sys_call_table is one of
>> the ways to intercept and/or manipulate the kernel.
>>
>> Well, it won't stop crackers from doing that, but at least it puts more
>> trouble in their way..
>>
>> regards,
>>
>> Mulyadi.
>>
>
> Hello Mulyadi,
>
> I'm aware of all that about rootkits and hooking; in fact that's what
> I'm researching on.
>
> The question is this:
>
> /proc/kallsyms contains all the global symbols, regardless of whether they are
> exported or not. In Ubuntu, the sys_call_table symbol is NOT exported,
> exactly like in all the other distributions and 2.6 kernels.
>
> I understand the reasoning for this and all; what I don't understand is
> how and why this symbol is not in the /proc/kallsyms file in
> Debian, Red Hat and others.
>
> Do these distributions apply a patch somewhere, so that this symbol does
> not appear in the file?
>
> Furthermore, could someone that is running a vanilla kernel check if this
> symbol is in the kallsyms file? It should be..
>
> Thank you for your answer.
>
> --
> To unsubscribe from this list: send an email with
> "unsubscribe kernelnewbies" to ecartis@xxxxxxxxxxxx
> Please read the FAQ at http://kernelnewbies.org/FAQ
>

--
Regards,
Peter Teoh
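The thread turns on whether a given host's /proc/kallsyms exposes sys_call_table at all, and on the kernel's s_show() skipping entries that have no name. The following is an added audit helper written for this page, not code from the thread or from the kernel: it parses text in the /proc/kallsyms layout (hex address, nm-style type letter, name, optional [module] column) and reports whether a requested symbol is visible, so an administrator can record what a build exposes instead of relying on a one-off grep. The symbol lines embedded below are constructed sample data; the function names (parse_kallsyms, lookup, audit) are this example's own.

```python
"""Parse /proc/kallsyms-format text and report which symbols a host exposes.

Added audit example, not code from the kernelnewbies thread.  The sample
symbol tables below are constructed, not captured from a real machine.
"""
import os
from typing import Dict, List, NamedTuple, Optional


class KSym(NamedTuple):
    address: int
    kind: str               # nm-style type letter: upper case = global, lower = local
    name: str
    module: Optional[str]   # module name from the trailing "[mod]" column, else None


def parse_kallsyms(text: str) -> List[KSym]:
    """Parse lines of the form '<hex addr> <type> <name> [module]'.

    Like the kernel's s_show(), an entry without a usable name is skipped
    rather than treated as an error, so a partially readable file still
    yields the symbols that do have names.
    """
    syms: List[KSym] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[2]:
            continue                        # no name: ignore it, as the kernel does
        try:
            addr = int(parts[0], 16)
        except ValueError:
            continue                        # not a kallsyms line at all
        module = parts[3].strip("[]") if len(parts) > 3 else None
        syms.append(KSym(addr, parts[1], parts[2], module))
    return syms


def lookup(syms: List[KSym], name: str) -> Optional[KSym]:
    """Return the entry for `name`, or None if the build does not expose it."""
    for sym in syms:
        if sym.name == name:
            return sym
    return None


def audit(text: str, wanted=("sys_call_table",)) -> Dict[str, Optional[KSym]]:
    """Map each wanted symbol to its entry (None when hidden, as on the
    Debian/Red Hat builds described in the thread)."""
    syms = parse_kallsyms(text)
    return {name: lookup(syms, name) for name in wanted}


# Constructed sample: a build that exposes the symbol.  The fourth line has a
# type letter but no name and must be skipped by the parser.
SAMPLE_EXPOSED = """\
ffffffff81000000 T _text
ffffffff81801300 R sys_call_table
ffffffff81e00000 D init_task
ffffffff81fff000 t
ffffffffa0001000 t my_helper\t[mymod]
"""

# Constructed sample: a build that has hidden the symbol.
SAMPLE_HIDDEN = """\
ffffffff81000000 T _text
ffffffff81e00000 D init_task
ffffffffa0001000 t my_helper\t[mymod]
"""


def describe(result: Dict[str, Optional[KSym]]) -> List[str]:
    """Render an audit result as one human-readable line per symbol."""
    lines = []
    for name, sym in result.items():
        if sym is None:
            lines.append(f"{name}: not present in this symbol table")
        else:
            scope = "global" if sym.kind.isupper() else "local"
            where = f"module {sym.module}" if sym.module else "core kernel"
            lines.append(f"{name}: {sym.address:#x} type {sym.kind} ({scope}, {where})")
    return lines


if __name__ == "__main__":
    for label, sample in (("exposed build", SAMPLE_EXPOSED), ("hidden build", SAMPLE_HIDDEN)):
        print(f"== {label} (constructed sample)")
        print("\n".join(describe(audit(sample))))
    # On a Linux host, also report what the running kernel actually exposes.
    if os.path.exists("/proc/kallsyms"):
        print("== this host")
        with open("/proc/kallsyms") as fh:
            print("\n".join(describe(audit(fh.read()))))
```

Running it on the two constructed samples shows the difference the thread reports: the first table yields an address and a global, core-kernel entry for sys_call_table, the second yields "not present". The nameless fourth line of the first sample is dropped, which is the same choice the s_show() comment quoted above describes.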