Re: sebek as a patch?

On Thu, 06 Oct 2005 13:18:15 +0800, "Daniel J. Axtens" said:

> I am not a kernel/honepot hacker, but, would it be possible, to, at
> the kernel level, redirect /dev/{mem,kmem} to, for example, a stored
> memory dump?

Possible, but not very practical. If *I* were a hacker, and suspected that
I was in a honeypot, and had read access to /dev/*mem, one of the *first*
things I'd do is walk the process chain in memory, and see if it bears any
resemblance to the processes listed as running in /proc. Unless I first looked at
/proc/uptime and the corresponding kernel variables (look at uptime_read_proc()
in fs/proc/proc_misc.c - it's all of 4 lines of executable code). Hardest part
is finding the right copy of System.map and finding where the init_task structure
lives in memory.