Rootkit for Linux 2.6.X

By wzt
<[email protected]>
Linux Rootkit Type
• /dev/[k]mem inject
• LKM
• Grub
• Static kernel patch
How to Implement
• /dev/[k]mem
  sk13, sk2, sk3, phalanx-b6, mood-nt, boxer etc.
• What's [k]mem
• How to inject code into [k]mem from ring3
  1st. How to read and write the mem file: open, read, write, lseek, mmap…
  2nd. Search kernel symbols from user space
    • /proc/kallsyms
    • /boot/System.map
    • nm vmlinux | grep xxx
  3rd. Copy code into ring0
  4th. Execute code in kernel space
    • Replace an unused system service entry
      Example:
      evil_kernel_entry -> sys_olduname
      execute sys_olduname with int 0x80
LKM rootkit
• Adore-ng, Enyelkm, Dr-rootkit etc.
• sys_call_table
• VFS layer
• Inline hook
• Debug registers
sys_call_table rootkit
• How to get the sys_call_table address on Linux 2.6.x
  • User space
    cat /proc/kallsyms | grep sys_call_table
    cat /boot/System.map | grep sys_call_table
    nm vmlinux | grep sys_call_table
  • Kernel space
• Hook system service
VFS layer rootkit
• Replace fs operation pointer
• sys_getdents64
  >> vfs_readdir
  >> file->f_op->readdir
Inline hook rootkit
• Enyelkm, Wnps etc.
• Add jmp, push/ret instructions.
• Change kernel func offset
Simple inline hook
• jmp xxxxxxxx
Advanced inline hook
Enyelkm rootkit
• system_call:
  Replace opcode
  • push $new_idt_addr
  • ret
Debug register rootkit
• DR0-DR3: breakpoint address registers
• DR4-DR5: Intel reserved registers
• DR6: breakpoint status register
• DR7: breakpoint control register
How to Detect
• Chkrootkit?
• Rkhunter?
Xhids – A light Host Intrusion Detection System
• Check sys_call_table addr
• Check idt table addr
• Check inline hook opcode
• Check hidden port
• Check hidden process
• Check exceptional files in /dev
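Two of the Xhids checks above, written out as an added example (this is not Xhids' own code): comparing a symbol's live address in /proc/kallsyms against the boot-time /boot/System.map, and flagging a kernel function prologue that has been rewritten into the jmp or push/ret form described in the inline hook slides. The symbol listings and prologue bytes below are constructed sample data; on a real host the listings come from the two files and the prologue bytes from a kernel-side reader.

```python
import re
import struct

# Constructed sample listings in /proc/kallsyms and System.map format (addresses are made up).
KALLSYMS = """\
c0370a60 R sys_call_table
c0103d20 T system_call
"""
SYSTEM_MAP = """\
c0370a60 R sys_call_table
c0103d20 T system_call
"""

# "<hex address> <type> <name>", with an optional "[module]" suffix in kallsyms
SYMBOL_RE = re.compile(r"^([0-9a-fA-F]+)\s+\S\s+(\S+)")

def parse_symbols(text):
    """Map symbol name -> address from kallsyms / System.map style lines."""
    out = {}
    for line in text.splitlines():
        m = SYMBOL_RE.match(line.strip())
        if m:
            out[m.group(2)] = int(m.group(1), 16)
    return out

def check_symbol_drift(kallsyms_text, system_map_text, names):
    """Return the names whose live address differs from the boot-time map."""
    live = parse_symbols(kallsyms_text)
    boot = parse_symbols(system_map_text)
    return [n for n in names if live.get(n) != boot.get(n)]

def inline_hook_reason(prologue):
    """Describe why a function's first bytes look hooked (i386 encodings), or None."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:            # jmp rel32
        disp = struct.unpack("<i", prologue[1:5])[0]
        return "jmp rel32 with displacement %d" % disp
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:  # push imm32; ret
        target = struct.unpack("<I", prologue[1:5])[0]
        return "push imm32 / ret to 0x%08x" % target
    return None

def scan_prologues(prologues):
    """Return {name: reason} for every function whose prologue looks hooked."""
    hits = {}
    for name, data in prologues.items():
        reason = inline_hook_reason(data)
        if reason:
            hits[name] = reason
    return hits
```

A clean prologue such as `push %ebp; mov %esp,%ebp` (55 89 e5) yields None; only the two rewrites the slides name are matched, so other hook forms need their own checks.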