-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Giannis Kozyrakis wrote:
> Mulyadi Santosa wrote:
>> Hi...
>
>> On Mon, Nov 17, 2008 at 7:39 PM, Giannis Kozyrakis <trv@xxxxxxxxxxx> wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> I'm doing some research, and I've noticed an odd thing in my opinion:
>>>
>>> 1. According to all references, the /proc/kallsyms file contains all the global kernel symbols, and those of the modules too. [ NOT just the exported symbols like /proc/ksyms used to do in 2.4 kernels ]
>>>
>>> 2. Due to the above fact, the sys_call_table symbol should be inside it.
>>>
>>> In Ubuntu, it actually is there; it can be found with a grep.
>>>
>>> BUT, I've tested also in Debian, Redhat el4, centos4, and fedora 9, and the symbol is NOT inside the kallsyms file.
>>>
>>> Can someone explain this behaviour? And, should this symbol be in there or not?
>
>> Very likely, you saw it in the Ubuntu kernel because it is not made hidden. But in Fedora, for example, some developers decided to make it hidden... thus making it hard to create "malicious" software such as rootkits. As you are probably aware of, hooking sys_call_table is one of the ways to intercept and/or manipulate the kernel.
>
>> Well, it won't stop crackers from doing that, but at least it puts more trouble for them..
>
>> regards,
>
>> Mulyadi.
>
> Hello Mulyadi,
>
> I'm aware of all that about rootkits and hooking; in fact that's what I'm researching on.
>
> The question is this:
>
> /proc/kallsyms contains all the global symbols, regardless of whether they are exported or not. In Ubuntu, the sys_call_table symbol is NOT exported, exactly like all the other distributions and 2.6 kernels.
>
> I understand the reasoning for this and all; what I don't understand is how and why this symbol is not in the /proc/kallsyms file in Debian, Redhat and others.
>
> Do these distributions apply a patch somewhere, so that this symbol does not appear in the file?
>
> Furthermore, could someone that is running a vanilla kernel check if this symbol is in the kallsyms file? It should be..
>
> Thank you for your answer.

Just for informing anyone interested, and for completeness' sake, I must say that I finally found out what was causing this weird behavior in Ubuntu.

Ubuntu is (as far as I tested) the only major distribution that ships its kernels with the option KALLSYMS_ALL enabled in the kernel's config file. This is what is causing the sys_call_table symbol (and many more too) to appear in the /proc/kallsyms file.

I've contacted the Ubuntu folks asking for a reasoning for this.

Regards,
Giannis Kozyrakis

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkkj9g0ACgkQusj5FmsVhIfqeACbBnmlKGrfDq36/U+/5ayRS4Jo
rkcAoINXGh7gHyBJKpWv5rTxecve0Of8
=v/ts
-----END PGP SIGNATURE-----

--
To unsubscribe from this list: send an email with "unsubscribe kernelnewbies" to ecartis@xxxxxxxxxxxx
Please read the FAQ at http://kernelnewbies.org/FAQ
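The conclusion of the thread (sys_call_table shows up in /proc/kallsyms only when the kernel was built with KALLSYMS_ALL) can be checked on a running system. Without CONFIG_KALLSYMS_ALL, kallsyms lists only function (text) symbols, so a data symbol such as sys_call_table is omitted even though it is a global, non-exported symbol everywhere. The POSIX shell script below is an added example, not code from the thread or from any distribution's kernel packaging: it reads the kernel config, reports the KALLSYMS_ALL setting, and tests whether an exact symbol name appears in a kallsyms-format listing. The helper names and the sample listing and config fragments are constructed here (the addresses are made up), and the live check reports "unavailable" rather than failing where /proc/config.gz, /boot/config-$(uname -r) or /proc/kallsyms cannot be read. Note that kptr_restrict only zeroes the addresses for unprivileged readers; the symbol names are still listed, which is why the check matches on the name field rather than on the address.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the running kernel was
# built with CONFIG_KALLSYMS_ALL and whether a given symbol is listed in
# /proc/kallsyms. Helper names and sample data below are constructed here.

# kallsyms_has_symbol SYMBOL
# Reads a kallsyms-format listing ("addr type name [module]") on stdin and
# prints "yes" if SYMBOL is present as an exact name, else "no". Matching on
# the third field avoids the substring hits a plain grep would give
# (e.g. any other symbol whose name merely contains "sys_call_table").
kallsyms_has_symbol() {
    awk -v sym="$1" '$3 == sym { found = 1 } END { print (found ? "yes" : "no") }'
}

# config_kallsyms_all
# Reads kernel .config text on stdin and prints "y", "n" (explicitly not set)
# or "unset" (option absent, e.g. because CONFIG_KALLSYMS itself is off).
config_kallsyms_all() {
    awk '
        /^CONFIG_KALLSYMS_ALL=y$/           { print "y"; seen = 1; exit }
        /^# CONFIG_KALLSYMS_ALL is not set/ { print "n"; seen = 1; exit }
        END                                 { if (!seen) print "unset" }'
}

# live_check SYMBOL
# Locates the running kernel's config (/proc/config.gz, then /boot/config-*),
# prints the KALLSYMS_ALL setting next to whether SYMBOL appears in
# /proc/kallsyms, and prints "unavailable" for anything it cannot read.
live_check() {
    sym="$1"
    cfg_file="/boot/config-$(uname -r)"
    if [ -r /proc/config.gz ] && command -v gzip >/dev/null 2>&1; then
        cfg=$(gzip -dc /proc/config.gz | config_kallsyms_all)
    elif [ -r "$cfg_file" ]; then
        cfg=$(config_kallsyms_all < "$cfg_file")
    else
        cfg="unavailable"
    fi
    if [ -r /proc/kallsyms ]; then
        present=$(kallsyms_has_symbol "$sym" < /proc/kallsyms)
    else
        present="unavailable"
    fi
    printf 'CONFIG_KALLSYMS_ALL=%s  %s in /proc/kallsyms: %s\n' "$cfg" "$sym" "$present"
}

# Constructed sample inputs (addresses are made up) so the script runs offline.
SAMPLE_KALLSYMS='ffffffff81000000 T _text
ffffffff81041a30 t do_one_initcall
ffffffff81800000 R sys_call_table
ffffffff81c02000 D init_task'
SAMPLE_CONFIG_ALL='CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_ALL=y'
SAMPLE_CONFIG_TEXT_ONLY='CONFIG_KALLSYMS=y
# CONFIG_KALLSYMS_ALL is not set'

# Demonstration on the constructed data, then on the running kernel.
printf 'sample listing, sys_call_table: %s\n' \
    "$(printf '%s\n' "$SAMPLE_KALLSYMS" | kallsyms_has_symbol sys_call_table)"
printf 'sample config (all symbols): %s\n' \
    "$(printf '%s\n' "$SAMPLE_CONFIG_ALL" | config_kallsyms_all)"
printf 'sample config (text only): %s\n' \
    "$(printf '%s\n' "$SAMPLE_CONFIG_TEXT_ONLY" | config_kallsyms_all)"
live_check sys_call_table
```

Run it as root and as an unprivileged user to see the difference kptr_restrict makes to the addresses but not to the presence of the name; a kernel whose config says "n" for KALLSYMS_ALL should report "no" for sys_call_table regardless of privilege, which is the Debian/Red Hat behaviour the thread describes.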