From: Shachar Shemesh (linux-il_at_nonexisting.hamakor.org.il)
Date: Tue 31 Aug 2004 - 22:04:55 IDT
Muli Ben-Yehuda wrote:
>Agreed, in this specific case. I was thinking ps/top might be doing
>something funky with the /proc/$PID/* files they read, but it looks
>like a very simple open/read/close, e.g.:
>
>open("/proc/6/cmdline", O_RDONLY) = 8
>read(8, "", 2047) = 0
>close(8)
>
>So yeah, hooking only open in LD_PRELOAD could work.
>
>Cheers,
>Muli
>
>
Just to mention that you don't have to set an environment var. You can
also place it in the preload config in /etc.
You can hijack just "open", open an alternative file in /tmp, and unlink
it. This will delete it once the user closes it, leaving you with very
little you need to trace.
I'll just mention that, as far as I know, chkrootkit will find you,
however. Nothing simple you can do about that.
Shachar
--
Shachar Shemesh
Lingnu Open Source Consulting ltd.
http://www.lingnu.com/

=================================================================
To unsubscribe, send mail to linux-il-request_at_linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request_at_linux.org.il
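As an added example from the defender's side (not code from this thread, and not chkrootkit's), a small Python checker for the preload variant Shachar describes: it lists /etc/ld.so.preload entries and flags shared objects mapped from outside the usual library directories or from a file that has already been unlinked. The sample preload file and /proc maps excerpt are constructed, and paths such as /tmp/.hide.so are placeholders.

```python
import os
from pathlib import Path

# Normal homes for shared objects; a preloaded library from anywhere else stands out.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Constructed samples, not real system output: a preload file pointing at /tmp
# and a /proc/PID/maps excerpt from a ps that loaded that library.
SAMPLE_PRELOAD = "# constructed /etc/ld.so.preload\n/tmp/.hide.so\n"
SAMPLE_MAPS = """\
5581c2a00000-5581c2a30000 r-xp 00000000 08:01 1234 /usr/bin/ps
7f3a10000000-7f3a10020000 r-xp 00000000 08:01 5678 /tmp/.hide.so
7f3a10200000-7f3a10400000 r-xp 00000000 08:01 9012 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a10600000-7f3a10620000 r-xp 00000000 08:01 3456 /tmp/.x.so (deleted)
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]
"""

def preload_entries(preload_text: str) -> list[str]:
    """Libraries named in /etc/ld.so.preload ('#' comments ignored). The file is
    normally empty or absent, and each entry is injected into every program, so review all."""
    entries = []
    for line in preload_text.splitlines():
        lib = line.split("#", 1)[0].strip()
        if lib:
            entries.append(lib)
    return entries

def untrusted_mapped_libs(maps_text: str) -> list[str]:
    """Shared objects in /proc/PID/maps text loaded from outside the trusted dirs or
    whose backing file was unlinked. Columns: address perms offset dev inode pathname."""
    suspicious = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6 or not parts[5].startswith("/"):
            continue  # anonymous mapping or pseudo-path such as [stack]
        path = parts[5]
        deleted = path.endswith(" (deleted)")
        if deleted or (".so" in path and not path.startswith(TRUSTED_LIB_DIRS)):
            suspicious.add(path)
    return sorted(suspicious)

def scan_live() -> dict:
    """Same checks on this host; ld.so.preload affects every process, ours included."""
    preload = Path("/etc/ld.so.preload")
    return {
        "preload": preload_entries(preload.read_text()) if preload.exists() else [],
        "ld_preload_env": os.environ.get("LD_PRELOAD", ""),
        "untrusted_libs": untrusted_mapped_libs(Path("/proc/self/maps").read_text()),
    }
```

scan_live() reads the live files on a Linux host; the two parsing functions work on any captured text, so the same checks can be run against maps and preload files collected from another machine.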
This archive was generated by hypermail 2.1.7 : Tue 31 Aug 2004 - 22:18:50 IDT