Rootkit 102

cmj @ 2015

1

Kernel-Level Rootkit

2

concept

Cheat and Robust enough

3

Program Bugs

User-Space rootkit

• process hand, not workable or dead

• no one find abnormal

Kernel-Space rootkit

• system crash

• reboot

• … etc

4

Robust is more important than you expected

5

Otherwise, you are attacking the system

6

Linux Kernel

from linux-2.6.x to linux-3.17.x

1. You should know the target kernel version

2. method may significant difference between version and platform

7

Trivial Kernel-Based Rootkit

8

Flow

1. Create a loadable-kernel-module)

2. Decide which syscall you what to hook

3. Implement and debug

9

Flow

1. Create a loadable-kernel-module) - Overcome by yourself

2. Decide which syscall you what to hook

3. Implement and debug - Overcome by yourself

10

Hook Syscall

Concept

1. Find the address of the sys_call_table or syscall

2. Replace the registered syscall

11

sys_call_table

1. Easily way

2. Normal way

3. Violent way

12

sys_call_table

1. Easily way - Find it out in System.map

2. Normal way

3. Violent way

13

System.map

14

sys_call_table

1. Easily way - Find it out in System.map

2. Normal way - Dump on /proc/kallsyms

3. Violent way

15

/proc/kallsyms

16

sys_call_table

1. Easily way - Find it out in System.map

2. Normal way - Dump on /proc/kallsyms

3. Violent way - Force search all kernel-level memory

17

Brust-Force Search

18

Memory usage in kernel-space

• 0xC0000000 - 0xF0000000

• Using export syscall function

• Not always, need to consider the linux version …

19

Hook getdent64

20

MileStone

• Should we always need to replace the syscall - clue in kallsyms

• Should LKM can modified the memory - write protect

21

New tricks，New rootkit

22

You also can hijack

• callback fn - syscall hijack

• data - link-list struct used in kernel

• memory - direct modify data online

• … etc

23

Thanks for your attention ~

24