Re: The disappearing sys_call_table export.

Jesse Pollard (jesse@cats-chateau.net)
Wed, 7 May 2003 12:21:11 -0500


On Wednesday 07 May 2003 11:08, petter wahlman wrote:
> On Wed, 2003-05-07 at 18:00, Richard B. Johnson wrote:
> > On Wed, 7 May 2003, petter wahlman wrote:
> > > It seems like nobody belives that there are any technically valid
> > > reasons for hooking system calls, but how should e.g anti virus
> > > on-access scanners intercept syscalls?
> > > Preloading libraries, ptracing init, patching g/libc, etc. are
> >
> > ^^^^^^^^^^^^^^^^^^^
> >
> > |________ Is the way to go. That's how
> >
> > you communicate every system-call to a user-mode daemon that
> > does whatever you want it to do, including phoning the National
> > Security Administrator if that's the policy.
> >
> > > obviously not the way to go.
> >
> > Oviously wrong.
>
> And how would you force the virus to preload this library?

You don't have to... The preload is performed by the program image loader,
before the virus, or even the application, can be started.

You don't really want to do it anyway... Consider a file open (like tar)...
you gonna try to scan the entire archive for a virus????
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/