Re: help a novelist sound credible?
From: Unruh (unruh-spam_at_physics.ubc.ca)
Date: 05/03/05
- Next message: Sylvain POURRE: "Re: Webcams & videoconf"
- Previous message: David Heddle: "help a novelist sound credible?"
- In reply to: David Heddle: "help a novelist sound credible?"
- Next in thread: Peter T. Breuer: "Re: help a novelist sound credible?"
- Reply: Peter T. Breuer: "Re: help a novelist sound credible?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 3 May 2005 17:22:37 GMT
"David Heddle" <heddle@fbyg.org> writes:
>Hello,
>I am writing a novel, a sort of techno thriller. So I am a writer, not a
>hacker, although I am fairly computer savvy.
>If you want to verify that I am a writer, not a hacker, see the page for my
>latest book at http://heddle.typepad.com/here_eyeball_this/ and match the
>name and email to what is in this message.
>What I am looking for is a credible way that someone could have hidden
>something in Linux (or any OS) so that a process with a "magic" name could
>run undetected.
The easiest way is to alter the program ps, which reports on the processes
running. The next would be to alter the kernel so that the process is not
reported in /proc/.
Thirdly would be to make it part of the kernel itself. The kernel does not
report on itself.
It depends on how well hidden you want it to be-- i.e. from 90% of Linux
users or from Linus T.
>As I understand it, processes are given an ID and are stored in a hashtable.
>But processes also have names, which I guess is the name of the executable?
>So could a magic name have been (hypothetically) placed in the Linux code
>that allowed a process to run but perhaps avoid being placed in the process
>table?
Sure, many Linux viruses do just that-- alter ps so that their process is
not reported. Of course one can discover that ps is altered (tripwire,
rpm -Va, ...) but most people do not use those, especially not in a way which
is protected from a root hacker.
>Maybe that's dumb, probably it is, but I think it is enough to make my
>point. I am looking for credible suggestions, even if they only "sound"
>believable--i.e. you experts would know it wasn't possible, but even
>seasoned application (though non-OS) programmers would say, hmm, that might
>be possible, both of these points:
>1) A way that a process could run completely hidden, even from root,
>preferably based on a hidden magic name
>2) How someone might have hidden that "feature" in the linux source
>code, and it remained undetected. I thought about a hash of the magic name
>represented in octal and hidden in a C macro somehow?
It does not even have to be in the source code. If they had access to the
source code of course it is trivial, except for the fact that lots of
people are constantly pawing their way through the source code.
(With enough eyes all bugs are shallow.)
>Also, can a process spawn a clone of itself but with a different name? If
>so, what system function would it call to do so?
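The cross-check Unruh's reply points at (what ps and the /proc listing show versus what the kernel itself admits to), written as an added example that is not part of the original thread. It assumes a Linux /proc and probes PIDs with kill(pid, 0); the PID range and the race handling are the author's own choices.

```python
"""Cross-check /proc enumeration (what ps relies on) against direct PID
probing: the classic way to spot a process hidden from a trojaned ps or a
hooked /proc directory listing."""
import os

def visible_pids():
    """PIDs a tool like ps sees: the numeric directory names in /proc."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def pid_exists(pid):
    """Ask the kernel directly. Signal 0 delivers nothing but still runs the
    existence and permission checks, so EPERM also means 'exists'."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True

def probed_pids(max_pid):
    """Every PID in 1..max_pid that the kernel says is alive."""
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}

def compare(visible, probed):
    """Pure set difference, kept separate so it can be tested on constructed
    inputs: PIDs the kernel knows about but the listing does not show."""
    return sorted(probed - visible)

def hidden_pids(max_pid=32768):
    """Return {pid: reason} for PIDs that are alive but absent from the /proc
    listing, after discarding the benign explanations: thread IDs (kill()
    accepts them, readdir never lists them) and processes that exited or
    were created between the two scans."""
    candidates = compare(visible_pids(), probed_pids(max_pid))
    findings = {}
    for pid in candidates:
        if not pid_exists(pid) or pid in visible_pids():
            continue  # race: gone now, or born after the first listing
        try:
            with open(f"/proc/{pid}/status") as f:
                tgid = next(int(l.split()[1]) for l in f if l.startswith("Tgid:"))
        except FileNotFoundError:
            findings[pid] = "alive per kill(), but no /proc entry at all"
            continue
        if tgid != pid and tgid in visible_pids():
            continue  # a thread of a listed process, not a finding
        findings[pid] = "alive, /proc entry readable, missing from listing"
    return findings

def own_pid_visible():
    """Sanity check on a clean system: our own process is probeable and listed."""
    me = os.getpid()
    return pid_exists(me) and me in visible_pids()
```

On a clean system hidden_pids() returns an empty dict; a non-empty result names the PIDs worth a closer look, and the reason string tells you whether only the listing or the whole /proc entry is being suppressed.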