Dries Kimpe <[EMAIL PROTECTED]> writes:

> Hmm, am I right in assuming that all (current) non-LKM rootkits use
> write access on /dev/kmem (/dev/mem)? In any case, patching the kernel so that
> there's no write access would be a good idea.

Yes, but it's a tremendous task. Quite a few device drivers have bugs which enable root to write kernel memory.

OTOH, if somebody obtains root privileges, he can probably plant a kernel in the swapfile and instruct the boot loader to load it on the next reboot. AFAIK, most if not all checksumming tools don't deal properly with such scenarios.

--
Florian Weimer <[EMAIL PROTECTED]>
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898