linux rootkit
play

Linux Rootkit Conclusion Adrien schischi Schildknecht July 17, - PowerPoint PPT Presentation

Linux Rootkit Adrien schischi Schildknecht IDT hooking Syscall hooking Linux Rootkit Conclusion Adrien schischi Schildknecht July 17, 2015 Linux Rootkit Adrien schischi Schildknecht IDT hooking Syscall hooking


  1. Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Linux Rootkit Conclusion Adrien ’ schischi ’ Schildknecht July 17, 2015

  2. Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Section 1 Conclusion IDT hooking

  3. Why? Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Conclusion Main interface between the kernel and the world (userland, hardware. . . )

  4. Modifying the IDT Linux Rootkit The Address of the IDT is stored in a register; Changing an entries: Adrien ’ schischi ’ Modify the table (RO); Schildknecht Create a new table; IDT hooking User land (DPL=3) Kernel land (DPL=0) Syscall hooking Conclusion IDT 0x0: divide_error() system_call() /* execute the syscall */ 0x1: debug() iret 0x2: nmi() main.c ... ... int 0x80 ... ... 0x80: system_call() ...

  5. Interrupt stack frame Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Conclusion

  6. Pre hook Linux Rootkit Adrien ’ schischi ’ Schildknecht User land (DPL=3) Kernel land (DPL=0) IDT hooking fake_hdlr() pre_hook() Syscall ret = pre_hook() ... hooking push fake frame return ret orig_handler() Conclusion IDT 0x0: divide_error() system_call() /* execute the syscall */ 0x1: debug() iret 0x2: nmi() main.c ... ... int 0x80 ... ... 0x80: system_call() ...

  7. Post hook Linux Rootkit Adrien ’ schischi ’ Schildknecht User land (DPL=3) Kernel land (DPL=0) IDT hooking fake_hdlr() pre_hook() Syscall ret = pre_hook() ... hooking push fake frame return ret orig_handler() Conclusion IDT 0x0: divide_error() system_call() /* execute the syscall */ 0x1: debug() iret 0x2: nmi() main.c post_hook() ... ... int 0x80 post_handler() ... ... ... return pre_hook() iret 0x80: system_call() ...

  8. Summary Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Conclusion

  9. Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Section 2 Conclusion Syscall hooking

  10. How to make a syscall Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking 3 ways: Conclusion 32bits: int 0x80, sysenter (Intel), syscall (AMD); 64bits: syscall;

  11. Int 0x80 Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Conclusion

  12. Sysenter Linux Rootkit /* Obtain a valid pointer to per cpu data*/ 1 swapgs 2 Adrien ’ schischi ’ /* Setup a stack */ 3 Schildknecht mov $stack_sysenter , %rsp 4 add %gs:this_cpu_off , %rsp 5 IDT hooking /* Save registers on the stack */ 6 Syscall sub $0x28, %rsp /* Skip exception frame */ 7 hooking SAVE_REGS 8 Conclusion /* Fill exception frame */ 9 movl 12(%rbp), %eax /* RIP */ 10 movq %rax, 0x80(%rsp) 11 movq $0x23, 0x88(%rsp) /* CS */ 12 movq $0x0, 0x90(%rsp) /* RFLAGS */ 13 movl 0x0(%rbp), %eax /* RSP */ 14 movq %rax, 0x98(%rsp) 15 movq $0x2b, 0xa0(%rsp) /* SS */ 16 mov %rsp, %rdi 17 /* Set an invalid esp as return addr */ 18 movl $__stringify(0x42cafe42), 12(%rbp) 19 /* Pre-hook ! */ 20 call *sysenter_pre_hook 21 RESTORE_REGS 22 /* Call the original handler without swapgs */ 23 jmp *(sysenter_orig_hdlr + 3) 24 25

  13. Syscall Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Conclusion

  14. Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Section 3 Conclusion Conclusion

  15. Conclusion Linux Rootkit 1 #define MEGA(S) ((S) * 1024 * 1024) 2 Adrien ’ schischi ’ 3 int main(int argc, char *argv[]) { Schildknecht char buf[4096]; 4 int fd = open("/home/schischi/foo", O_CREAT | O_WRONLY , 5 IDT hooking 0660); Syscall 6 hooking if (argc == 2 && !strcmp(argv[1], "-f")) 7 Conclusion if (fallocate(fd, 0, 0, MEGA(700)) != 0) 8 return 1; 9 for (int i = 0; i < MEGA(700) / sizeof (buf); ++i) 10 write(fd, buf, 4096); 11 write(fd, buf, MEGA(700) % sizeof (buf)); 12 13 unlink("/home/schischi/foo"); 14 return 0; 15 16 } 17 1 $ repeat 100; ./a.out ./a.out 0.01s user 1.46s system 18% cpu 8.018 total 2 3 4 $ repeat 100; ./a.out -f

  16. Conclusion Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Conclusion Questions ? schischi@lse.epita.fr schischi - irc.rezosup.org

  17. References Linux Rootkit Adrien FS design ’ schischi ’ Schildknecht Book "Practical File System Design" by Dominic Giampaolo IDT hooking VFS Syscall http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git hooking http://lwn.net/Kernel/Index/ Conclusion Journaling, logging http://pages.cs.wisc.edu/~remzi/OSTEP/file-lfs.pdf http://research.cs.wisc.edu/wind/Publications/sba-usenix05.pdf Ext4 https://ext4.wiki.kernel.org/index.php/Ext4_Design http://www.ibm.com/developerworks/library/l-anatomy-ext4/ Btrfs http://video.linux.com/videos/chris-mason-btrfs-file-system http://atrey.karlin.mff.cuni.cz/~jack/papers/lk2009-ext4-btrfs.pdf

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend


More recommend