Linux Rootkit Conclusion Adrien schischi Schildknecht July 17, - - PowerPoint PPT Presentation

▶

Apr 25, 2023 109 likes •299 views

Linux Rootkit Adrien schischi Schildknecht IDT hooking Syscall hooking Linux Rootkit Conclusion Adrien schischi Schildknecht July 17, 2015 Linux Rootkit Adrien schischi Schildknecht IDT hooking Syscall hooking

SLIDE 1

Linux Rootkit Adrien ’schischi’ Schildknecht IDT hooking Syscall hooking Conclusion

Linux Rootkit

Adrien ’schischi’ Schildknecht July 17, 2015

SLIDE 2

Linux Rootkit Adrien ’schischi’ Schildknecht IDT hooking Syscall hooking Conclusion

Section 1 IDT hooking

SLIDE 3

Linux Rootkit Adrien ’schischi’ Schildknecht IDT hooking Syscall hooking Conclusion

Why?

Main interface between the kernel and the world (userland,

hardware. . . )

SLIDE 4

Linux Rootkit Adrien ’schischi’ Schildknecht IDT hooking Syscall hooking Conclusion

Modifying the IDT

The Address of the IDT is stored in a register; Changing an entries:

Modify the table (RO); Create a new table;

0x0: divide_error() 0x1: debug() 0x2: nmi() ... ... 0x80: system_call() ... system_call() /* execute the syscall */ iret main.c ... int 0x80 ...

IDT

User land (DPL=3) Kernel land (DPL=0)

SLIDE 5

Linux Rootkit Adrien ’schischi’ Schildknecht IDT hooking Syscall hooking Conclusion

Interrupt stack frame

SLIDE 6

Linux Rootkit Adrien ’schischi’ Schildknecht IDT hooking Syscall hooking Conclusion

Pre hook

0x0: divide_error() 0x1: debug() 0x2: nmi() ... ... 0x80: system_call() ... system_call() /* execute the syscall */ iret main.c ... int 0x80 ... fake_hdlr() ret = pre_hook() push fake frame

rig_handler()

pre_hook() ... return ret

IDT

User land (DPL=3) Kernel land (DPL=0)

SLIDE 7

Linux Rootkit Adrien ’schischi’ Schildknecht IDT hooking Syscall hooking Conclusion

Post hook

0x0: divide_error() 0x1: debug() 0x2: nmi() ... ... 0x80: system_call() ... system_call() /* execute the syscall */ iret main.c ... int 0x80 ... fake_hdlr() ret = pre_hook() push fake frame

rig_handler()

pre_hook() ... return ret post_handler() pre_hook() iret post_hook() ... return

IDT

User land (DPL=3) Kernel land (DPL=0)

SLIDE 8

Linux Rootkit Adrien ’schischi’ Schildknecht IDT hooking Syscall hooking Conclusion

Summary

SLIDE 9

Linux Rootkit Adrien ’schischi’ Schildknecht IDT hooking Syscall hooking Conclusion

Section 2 Syscall hooking

SLIDE 10

Linux Rootkit Adrien ’schischi’ Schildknecht IDT hooking Syscall hooking Conclusion

How to make a syscall

3 ways: 32bits: int 0x80, sysenter (Intel), syscall (AMD); 64bits: syscall;

SLIDE 11

Linux Rootkit Adrien ’schischi’ Schildknecht IDT hooking Syscall hooking Conclusion

Int 0x80

SLIDE 12

Linux Rootkit Adrien ’schischi’ Schildknecht IDT hooking Syscall hooking Conclusion

Sysenter

/* Obtain a valid pointer to per cpu data*/

swapgs

/* Setup a stack */

mov $stack_sysenter , %rsp

add %gs:this_cpu_off , %rsp

/* Save registers on the stack */

sub $0x28, %rsp /* Skip exception frame */

SAVE_REGS

/* Fill exception frame */

movl 12(%rbp), %eax /* RIP */

movq %rax, 0x80(%rsp)

movq $0x23, 0x88(%rsp) /* CS */

movq $0x0, 0x90(%rsp) /* RFLAGS */

movl 0x0(%rbp), %eax /* RSP */

movq %rax, 0x98(%rsp)

movq $0x2b, 0xa0(%rsp) /* SS */

mov %rsp, %rdi

/* Set an invalid esp as return addr */

movl $__stringify(0x42cafe42), 12(%rbp)

/* Pre-hook ! */

call *sysenter_pre_hook

RESTORE_REGS

/* Call the original handler without swapgs */

jmp *(sysenter_orig_hdlr + 3)

SLIDE 13

Linux Rootkit Adrien ’schischi’ Schildknecht IDT hooking Syscall hooking Conclusion

Syscall

SLIDE 14

Linux Rootkit Adrien ’schischi’ Schildknecht IDT hooking Syscall hooking Conclusion

Section 3 Conclusion

SLIDE 15

Linux Rootkit Adrien ’schischi’ Schildknecht IDT hooking Syscall hooking Conclusion

Conclusion

1 #define MEGA(S) ((S) * 1024 * 1024) 2 3 int main(int argc, char *argv[]) { 4

char buf[4096];

int fd = open("/home/schischi/foo", O_CREAT | O_WRONLY , 0660);

6 7

if (argc == 2 && !strcmp(argv[1], "-f"))

if (fallocate(fd, 0, 0, MEGA(700)) != 0)

return 1;

for (int i = 0; i < MEGA(700) / sizeof (buf); ++i)

write(fd, buf, 4096);

write(fd, buf, MEGA(700) % sizeof (buf));

13 14

unlink("/home/schischi/foo");

return 0;

16 } 17 1 $ repeat 100; ./a.out 2

./a.out 0.01s user 1.46s system 18% cpu 8.018 total

3 4 $ repeat 100; ./a.out -f

SLIDE 16

Linux Rootkit Adrien ’schischi’ Schildknecht IDT hooking Syscall hooking Conclusion

Conclusion

Questions ? schischi@lse.epita.fr schischi - irc.rezosup.org

SLIDE 17

Linux Rootkit Adrien ’schischi’ Schildknecht IDT hooking Syscall hooking Conclusion

References

FS design

Book "Practical File System Design" by Dominic Giampaolo

VFS

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git http://lwn.net/Kernel/Index/

Journaling, logging

http://pages.cs.wisc.edu/~remzi/OSTEP/file-lfs.pdf http://research.cs.wisc.edu/wind/Publications/sba-usenix05.pdf

Ext4

https://ext4.wiki.kernel.org/index.php/Ext4_Design http://www.ibm.com/developerworks/library/l-anatomy-ext4/

Btrfs

http://video.linux.com/videos/chris-mason-btrfs-file-system http://atrey.karlin.mff.cuni.cz/~jack/papers/lk2009-ext4-btrfs.pdf