
On Monday 02 February 2004 03:42 am, Sebastian Krahmer wrote:
On Sun, 1 Feb 2004, dh wrote:
Hi,
I think this is a false positive from chkrootkit. I downloaded the ps package from ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.0-i386 and indeed there is "/prof" string in ps and top. But this is ok. The string is inside .text and is executable code. This is:
...
0x8055205: call 0x8049700 strtoul()
0x805520a: mov 0xc(%ebp),%edx
0x805520d: mov %eax,0x1b8(%edx)
0x8055213: mov %eax,(%edx)
0x8055215: movl $0x6f72702f,(%esi) ; /prof
0x805521b: movw $0x2f63,0x4(%esi)
0x8055221: mov 0x226fc(%ebx),%eax
0x8055227: add $0xb,%eax
0x805522a: mov %eax,0x4(%esp,1)
0x805522e: lea 0x6(%esi),%eax
0x8055231: mov %eax,(%esp,1)
0x8055234: call 0x8049780 strcpy()
...
The code in C is:
pid = strtoul(ent->d_name, NULL, 10);
memcpy(path, "/proc/", 6);
strcpy(path+6, ent->d_name);
and comes from the original ps source. The compiler optimized the memcpy() into a movl+movw, since "/pro" is 32 bits and the remaining 2 bytes are copied via movw. This just yields the "/prof" string in .text.
regards, Sebastian
Thanks for the detailed info Sebastian, I sure feel better. Have a great day. -- dh
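As an added illustration (not part of the thread, and not chkrootkit's or procps' own code), the snippet below hand-encodes the two store instructions from the quoted disassembly as i386 machine code, shows that a plain substring signature scan finds "/prof" at the start of the movl immediate, and shows why: the byte that follows the four-byte "/pro" immediate is 0x66, the operand-size prefix of the following movw, which reads as the letter "f". The string the code actually writes to the buffer is recovered by decoding the two little-endian immediates. The encodings are an assumption made here from the mnemonics, not bytes copied from the SuSE binary.

```python
from __future__ import annotations
import struct

# Constructed sample: the two instructions from the quoted disassembly,
# hand-encoded as i386 machine code (an assumption, not bytes taken from
# the SuSE ps binary):
#   c7 06 2f 70 72 6f   movl $0x6f72702f,(%esi)   ; stores "/pro" at path[0..3]
#   66 c7 46 04 63 2f   movw $0x2f63,0x4(%esi)    ; stores "c/"   at path[4..5]
MOVL_OPCODE = bytes([0xC7, 0x06])               # C7 /0 with ModRM = (%esi)
MOVL_IMM = 0x6F72702F
MOVW_OPCODE = bytes([0x66, 0xC7, 0x46, 0x04])   # 0x66 opsize prefix, C7 /0, disp8 = 4
MOVW_IMM = 0x2F63
TEXT_SNIPPET = (
    MOVL_OPCODE + struct.pack("<I", MOVL_IMM)
    + MOVW_OPCODE + struct.pack("<H", MOVW_IMM)
)


def find_all(blob: bytes, needle: bytes) -> list[int]:
    """Offsets of every occurrence of needle in blob: what a substring
    signature scanner does, with no regard for which section the bytes live in."""
    hits, start = [], 0
    while (i := blob.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def stored_string() -> bytes:
    """The bytes the two stores actually write to path[0:6], i.e. the
    little-endian immediates laid out in memory order."""
    return struct.pack("<I", MOVL_IMM) + struct.pack("<H", MOVW_IMM)


def explain_hit(blob: bytes, offset: int) -> dict:
    """Break a '/prof' hit down into the 4-byte immediate and the byte that
    follows it, which belongs to the next instruction rather than to a string."""
    immediate = blob[offset:offset + 4]
    trailing = blob[offset + 4]
    return {
        "immediate": immediate,                 # b"/pro", operand of the movl
        "trailing_byte": trailing,              # 0x66 == ord("f")
        "is_opsize_prefix": trailing == 0x66,   # True: it is the movw's 0x66 prefix
    }


if __name__ == "__main__":
    for off in find_all(TEXT_SNIPPET, b"/prof"):
        print(f"'/prof' found at offset {off}: {explain_hit(TEXT_SNIPPET, off)}")
    print("bytes actually written to path:", stored_string())
```

The naive scanner reports a hit even though no "/prof" string exists in the program's data; the same bytes, decoded as instructions, write "/proc/" to the buffer. A scanner that checked whether a match lies inside an executable section, or that required the signature to be a NUL-terminated string, would not have raised this report.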