Rootkit 102 - Kernel-Based Rootkit

Posted on 07-Aug-2015


Rootkit 102

cmj @ 2015


Kernel-Level Rootkit


Concept

Cheat, and be robust enough

Program Bugs

User-space rootkit

• a process hangs, stops working, or dies

• nobody notices anything abnormal

Kernel-space rootkit

• system crash

• reboot

• … etc

Robustness is more important than you expect

Otherwise, you are attacking the system


Linux Kernel

from linux-2.6.x to linux-3.17.x

1. You should know the target kernel version

2. The method may differ significantly between kernel versions and platforms

Trivial Kernel-Based Rootkit


Flow

1. Create a loadable kernel module (LKM)

2. Decide which syscall you want to hook

3. Implement and debug

Flow

1. Create a loadable kernel module (LKM) - left to you

2. Decide which syscall you want to hook

3. Implement and debug - left to you

Hook Syscall

Concept

1. Find the address of the sys_call_table or syscall

2. Replace the registered syscall


sys_call_table

1. Easy way

2. Normal way

3. Brute-force way

sys_call_table

1. Easy way - look it up in System.map

2. Normal way

3. Brute-force way

System.map


sys_call_table

1. Easy way - look it up in System.map

2. Normal way - look it up in /proc/kallsyms

3. Brute-force way

/proc/kallsyms


sys_call_table

1. Easy way - look it up in System.map

2. Normal way - look it up in /proc/kallsyms

3. Brute-force way - search through all kernel-level memory

Brute-Force Search

Memory usage in kernel-space

• 0xC0000000 - 0xF0000000

• Match candidate entries against exported syscall functions

• Not always: the range depends on the Linux version …

Hook getdents64

Milestones

• Do we really have to replace the syscall entry? The replacement leaves a clue in kallsyms

• Can an LKM modify that memory at all? Write protection
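A defender-side check for the "clue in kallsyms" point above, added here as an example and not code from the slides: it compares a snapshot of sys_call_table entries against a kallsyms listing and flags any handler that resolves to a module-owned symbol or lies outside the core kernel text. The kallsyms lines, the table snapshot and the lkm_sample module name are constructed; on a real system the listing comes from /proc/kallsyms and the table snapshot from a kernel-side tool.

```python
# Constructed sample of /proc/kallsyms output (32-bit layout, matching the
# slides' 0xC0000000-0xF0000000 kernel range). Symbol names are real Linux
# symbols; the addresses and the [lkm_sample] module entry are made up.
KALLSYMS = """\
c1000000 T _text
c105a0c0 T sys_getdents64
c105a2a0 T sys_open
c10b3100 T sys_read
c1530e40 R sys_call_table
c1700000 T _etext
f8c01000 t my_getdents64\t[lkm_sample]
"""

# Constructed snapshot of sys_call_table entries (i386 numbers: 3=read,
# 5=open, 220=getdents64), as a kernel-side checker would read them.
SAMPLE_TABLE = {3: 0xc10b3100, 5: 0xc105a2a0, 220: 0xf8c01000}


def parse_kallsyms(text):
    """Map symbol name -> (address, type, module or None)."""
    syms = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        module = parts[3].strip("[]") if len(parts) > 3 else None
        syms[parts[2]] = (int(parts[0], 16), parts[1], module)
    return syms


def resolve(syms, addr):
    """Nearest symbol at or below addr, returned as (name, module)."""
    best = None
    for name, (a, _t, mod) in syms.items():
        if a <= addr and (best is None or a > best[1]):
            best = (name, a, mod)
    return (best[0], best[2]) if best else (None, None)


def audit_syscall_table(kallsyms_text, table):
    """Flag entries whose handler is outside the core kernel text
    ([_text, _etext)) or resolves to a symbol owned by a module."""
    syms = parse_kallsyms(kallsyms_text)
    lo, hi = syms["_text"][0], syms["_etext"][0]
    findings = []
    for nr, addr in sorted(table.items()):
        name, mod = resolve(syms, addr)
        if mod is not None or not (lo <= addr < hi):
            findings.append((nr, hex(addr), name, mod))
    return findings
```

Running audit_syscall_table(KALLSYMS, SAMPLE_TABLE) reports only syscall 220, whose handler resolves to my_getdents64 in lkm_sample; the two untouched entries resolve to sys_read and sys_open inside [_text, _etext).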


New tricks, new rootkits

You can also hijack

• callback functions - as with syscall hijacking

• data - linked-list structures used in the kernel

• memory - modify data directly at run time

• … etc

Thanks for your attention ~
