linux rootkit
play

Linux Rootkit Conclusion Adrien schischi Schildknecht July 17, - PowerPoint PPT Presentation

Apr 25, 2023 •109 likes •297 views

Linux Rootkit Adrien schischi Schildknecht IDT hooking Syscall hooking Linux Rootkit Conclusion Adrien schischi Schildknecht July 17, 2015 Linux Rootkit Adrien schischi Schildknecht IDT hooking Syscall hooking

  1. Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Linux Rootkit Conclusion Adrien ’ schischi ’ Schildknecht July 17, 2015

  2. Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Section 1 Conclusion IDT hooking

  3. Why? Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Conclusion Main interface between the kernel and the world (userland, hardware. . . )

  4. Modifying the IDT Linux Rootkit The Address of the IDT is stored in a register; Changing an entries: Adrien ’ schischi ’ Modify the table (RO); Schildknecht Create a new table; IDT hooking User land (DPL=3) Kernel land (DPL=0) Syscall hooking Conclusion IDT 0x0: divide_error() system_call() /* execute the syscall */ 0x1: debug() iret 0x2: nmi() main.c ... ... int 0x80 ... ... 0x80: system_call() ...

  5. Interrupt stack frame Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Conclusion

  6. Pre hook Linux Rootkit Adrien ’ schischi ’ Schildknecht User land (DPL=3) Kernel land (DPL=0) IDT hooking fake_hdlr() pre_hook() Syscall ret = pre_hook() ... hooking push fake frame return ret orig_handler() Conclusion IDT 0x0: divide_error() system_call() /* execute the syscall */ 0x1: debug() iret 0x2: nmi() main.c ... ... int 0x80 ... ... 0x80: system_call() ...

  7. Post hook Linux Rootkit Adrien ’ schischi ’ Schildknecht User land (DPL=3) Kernel land (DPL=0) IDT hooking fake_hdlr() pre_hook() Syscall ret = pre_hook() ... hooking push fake frame return ret orig_handler() Conclusion IDT 0x0: divide_error() system_call() /* execute the syscall */ 0x1: debug() iret 0x2: nmi() main.c post_hook() ... ... int 0x80 post_handler() ... ... ... return pre_hook() iret 0x80: system_call() ...

  8. Summary Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Conclusion

  9. Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Section 2 Conclusion Syscall hooking

  10. How to make a syscall Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking 3 ways: Conclusion 32bits: int 0x80, sysenter (Intel), syscall (AMD); 64bits: syscall;

  11. Int 0x80 Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Conclusion

  12. Sysenter Linux Rootkit /* Obtain a valid pointer to per cpu data*/ 1 swapgs 2 Adrien ’ schischi ’ /* Setup a stack */ 3 Schildknecht mov $stack_sysenter , %rsp 4 add %gs:this_cpu_off , %rsp 5 IDT hooking /* Save registers on the stack */ 6 Syscall sub $0x28, %rsp /* Skip exception frame */ 7 hooking SAVE_REGS 8 Conclusion /* Fill exception frame */ 9 movl 12(%rbp), %eax /* RIP */ 10 movq %rax, 0x80(%rsp) 11 movq $0x23, 0x88(%rsp) /* CS */ 12 movq $0x0, 0x90(%rsp) /* RFLAGS */ 13 movl 0x0(%rbp), %eax /* RSP */ 14 movq %rax, 0x98(%rsp) 15 movq $0x2b, 0xa0(%rsp) /* SS */ 16 mov %rsp, %rdi 17 /* Set an invalid esp as return addr */ 18 movl $__stringify(0x42cafe42), 12(%rbp) 19 /* Pre-hook ! */ 20 call *sysenter_pre_hook 21 RESTORE_REGS 22 /* Call the original handler without swapgs */ 23 jmp *(sysenter_orig_hdlr + 3) 24 25

  13. Syscall Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Conclusion

  14. Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Section 3 Conclusion Conclusion

  15. Conclusion Linux Rootkit 1 #define MEGA(S) ((S) * 1024 * 1024) 2 Adrien ’ schischi ’ 3 int main(int argc, char *argv[]) { Schildknecht char buf[4096]; 4 int fd = open("/home/schischi/foo", O_CREAT | O_WRONLY , 5 IDT hooking 0660); Syscall 6 hooking if (argc == 2 && !strcmp(argv[1], "-f")) 7 Conclusion if (fallocate(fd, 0, 0, MEGA(700)) != 0) 8 return 1; 9 for (int i = 0; i < MEGA(700) / sizeof (buf); ++i) 10 write(fd, buf, 4096); 11 write(fd, buf, MEGA(700) % sizeof (buf)); 12 13 unlink("/home/schischi/foo"); 14 return 0; 15 16 } 17 1 $ repeat 100; ./a.out ./a.out 0.01s user 1.46s system 18% cpu 8.018 total 2 3 4 $ repeat 100; ./a.out -f

  16. Conclusion Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Conclusion Questions ? schischi@lse.epita.fr schischi - irc.rezosup.org

  17. References Linux Rootkit Adrien FS design ’ schischi ’ Schildknecht Book "Practical File System Design" by Dominic Giampaolo IDT hooking VFS Syscall http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git hooking http://lwn.net/Kernel/Index/ Conclusion Journaling, logging http://pages.cs.wisc.edu/~remzi/OSTEP/file-lfs.pdf http://research.cs.wisc.edu/wind/Publications/sba-usenix05.pdf Ext4 https://ext4.wiki.kernel.org/index.php/Ext4_Design http://www.ibm.com/developerworks/library/l-anatomy-ext4/ Btrfs http://video.linux.com/videos/chris-mason-btrfs-file-system http://atrey.karlin.mff.cuni.cz/~jack/papers/lk2009-ext4-btrfs.pdf

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Linux Security State of Linux Security in 2016 Michael Boelen michael.boelen@cisofy.com DBLUG,

Linux Security State of Linux Security in 2016 Michael Boelen michael.boelen@cisofy.com DBLUG,

Linux Security State of Linux Security in 2016 Michael Boelen michael.boelen@cisofy.com DBLUG, 7 December 2016 Michael Boelen Open Source Lynis, Rootkit Hunter Business and Community Founder of CISOfy Board member and

454 views • 18 slides
Undermining the Linux Kernel: Malicious Code Injec:on via /dev/mem Anthony Lineberry

Undermining the Linux Kernel: Malicious Code Injec:on via /dev/mem Anthony Lineberry

Undermining the Linux Kernel: Malicious Code Injec:on via /dev/mem Anthony Lineberry anthony.lineberry@gmail.com Black Hat Europe 2009 Overview What is a rootkit? Why is protec:on difficult? Current protec:on mechanisms/bypasses

638 views • 52 slides
Dont Tell Joanna, The Virtualized Rootkit Is Dead Agenda Who we are and what we do

Dont Tell Joanna, The Virtualized Rootkit Is Dead Agenda Who we are and what we do

Dont Tell Joanna, The Virtualized Rootkit Is Dead Agenda Who we are and what we do Virtualization 101 Vitriol/Hyperjacking (and other HVM Rootkits) Why detecting HVMs arent as difficult as you think Pro Forma Punditry

428 views • 41 slides
Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and open-source operating system distributions that use the Linux

562 views • 53 slides
Under the microscope: Linux security tools Lessons learned from 500+ projects Michael Boelen

Under the microscope: Linux security tools Lessons learned from 500+ projects Michael Boelen

Under the microscope: Linux security tools Lessons learned from 500+ projects Michael Boelen michael.boelen@cisofy.com NLLGG, September 2018 Michael Boelen Open Source Lynis, Rootkit Hunter Business Founder of CISOfy

778 views • 30 slides
Linux from Sensors to Servers ! When is Linux Not Linux? ! 1 1 Linux runs across a huge range

Linux from Sensors to Servers ! When is Linux Not Linux? ! 1 1 Linux runs across a huge range

Linux from Sensors to Servers ! When is Linux Not Linux? ! 1 1 Linux runs across a huge range of systems ! CC BY-SA 2.0 FHKE, Flickr 2 Whats the difference between Linux on a big thing and Linux on a little thing? ! 3 ! Whats the

900 views • 52 slides
Computing using Linux: The Good and the Bad Christoph Lameter HPC and Linux Most of the

Computing using Linux: The Good and the Bad Christoph Lameter HPC and Linux Most of the

High Performance Computing using Linux: The Good and the Bad Christoph Lameter HPC and Linux Most of the supercomputers today run Linux. All of the computational clusters in corporations that I know of run Linux. Support for

419 views • 12 slides
Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux

Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux

Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux Distributions Linux vs Windows Linux Architecture Linux Security 2 What is Linux? Similar Operating System To Microsoft Windows, Sun

1.11k views • 55 slides
Interviews with Different Users About Their Linux Setups Steven Ovadia My Linux Rig

Interviews with Different Users About Their Linux Setups Steven Ovadia My Linux Rig

The State of Desktop Linux: Interviews with Different Users About Their Linux Setups Steven Ovadia My Linux Rig www.mylinuxrig.com @steven_ovadia *** Associate Professor/Web Services Librarian LaGuardia Community College About My Linux

458 views • 27 slides
Introduction to Linux Fundamentals of Computer Science Outline Operating Systems Linux

Introduction to Linux Fundamentals of Computer Science Outline Operating Systems Linux

Introduction to Linux Fundamentals of Computer Science Outline Operating Systems Linux History Linux Architecture Logging in to Linux Command Format Linux Filesystem Directory and File Commands Wildcard Characters

686 views • 19 slides
Introduction to Linux Aline Abler Aline Abler Linux, whats that? The pieces of a Linux

Introduction to Linux Aline Abler Aline Abler Linux, whats that? The pieces of a Linux

Linux, whats that? The pieces of a Linux system Linux Concepts Distributions Desktop environments Switching to Linux Epilogue Introduction to Linux Aline Abler Aline Abler Linux, whats that? The pieces of a Linux system Linux

766 views • 57 slides
Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue

Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue

Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue University, North Carolina State University EuroSys 2009 Nrnberg, Germany Rootkits Stealthy malware Hide attacker Modifying the OS

674 views • 53 slides
GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The GNU userland consists of libc, the init system (SystemD) X11 GUI toolkits etc. Ask the audience Who has used

442 views • 22 slides
Linux You Can Drive My Car Embedded Linux Conference

Linux You Can Drive My Car Embedded Linux Conference

Linux You Can Drive My Car Embedded Linux Conference 2017 Walt Miner ( @VStarWalt ) Community Manager, AGL , The Linux FoundaGon

721 views • 55 slides
Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows

Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows

Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows Reinstall usually keeps personal files Advantages of Linux More secure Package manager Software installation is easy, fast and secure Keeps

528 views • 15 slides
Linux Kung Fu Stephen James UBNetDef, Spring 2017 Introduction What is Linux? What is the

Linux Kung Fu Stephen James UBNetDef, Spring 2017 Introduction What is Linux? What is the

Linux Kung Fu Stephen James UBNetDef, Spring 2017 Introduction What is Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and open-source operating system

607 views • 48 slides
4/22/2009 Virtualization Memory virtualization Process feels like it has its own address

4/22/2009 Virtualization Memory virtualization Process feels like it has its own address

4/22/2009 Virtualization Memory virtualization Process feels like it has its own address space Created by MMU, configured by OS Distributed Systems Storage virtualization Logical view of disks connected to a machine

407 views • 3 slides
Guest-Transparent Instruction Authentication Dannie M. Stanley for Self-Patching Kernels Purdue

Guest-Transparent Instruction Authentication Dannie M. Stanley for Self-Patching Kernels Purdue

Guest-Transparent Instruction Authentication Dannie M. Stanley for Self-Patching Kernels Purdue University / CERIAS 09/20/12 Dannie Stanley Rick Porter Shane Snyder Zhui Deng Systems &amp; Security Research CERDEC Applied Communication

434 views • 39 slides
When E.T. comes into Windows Mobile 6 a.k.a. PoC(k)ET Cedric Halbronn Sogeti / ESEC R&amp;D

When E.T. comes into Windows Mobile 6 a.k.a. PoC(k)ET Cedric Halbronn Sogeti / ESEC R&amp;D

When E.T. comes into Windows Mobile 6 a.k.a. PoC(k)ET Cedric Halbronn Sogeti / ESEC R&amp;D cedric(at)security-labs.org Hack.lu 2009 Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Context / Objectives 1

859 views • 59 slides
Machine Virtualization: Efficient Hypervisors, Stealthy Malware Muli Ben-Yehuda Technion &amp;

Machine Virtualization: Efficient Hypervisors, Stealthy Malware Muli Ben-Yehuda Technion &amp;

Machine Virtualization: Efficient Hypervisors, Stealthy Malware Muli Ben-Yehuda Technion &amp; Hypervisor Technologies and Consulting Ltd Muli Ben-Yehuda (Technion &amp; Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 1 /

553 views • 21 slides
Advances in PassiveDNS Replication FIRST 24, Malta 19 June 2012 Architecture: Robert Edmonds

Advances in PassiveDNS Replication FIRST 24, Malta 19 June 2012 Architecture: Robert Edmonds

Advances in PassiveDNS Replication FIRST 24, Malta 19 June 2012 Architecture: Robert Edmonds Presented by: Eric Ziegast Internet Systems Consortium, Inc. Agenda Review of PassiveDNS Replication How it works, Why it's useful, History,

884 views • 39 slides
This talk will also be broadcast next Wednesday on the Salzburg Free Radio Radiofabrik, and

This talk will also be broadcast next Wednesday on the Salzburg Free Radio Radiofabrik, and

This talk will also be broadcast next Wednesday on the Salzburg Free Radio Radiofabrik, and be available as a podcast on Chaostreff Salzburgs Lets Netz; der Chaostalk Technik, Web, Politik (

540 views • 16 slides
Implementation and Evaluation of Moderate Parallelism in the BIND9 DNS Server JINMEI, Tatuya /

Implementation and Evaluation of Moderate Parallelism in the BIND9 DNS Server JINMEI, Tatuya /

Implementation and Evaluation of Moderate Parallelism in the BIND9 DNS Server JINMEI, Tatuya / Toshiba Paul Vixie / Internet Systems Consortium [Supported by SCOPE of the Ministry of Internal Affairs and Communications, Japan.] June 2006 |

600 views • 8 slides
Cryptography Cipher Schemes A cryptographic scheme is an example of a code. The special

Cryptography Cipher Schemes A cryptographic scheme is an example of a code. The special

10.4 Cryptography P. Danziger Cryptography Cipher Schemes A cryptographic scheme is an example of a code. The special requirement is that the encoded mes- sage be difficult to retrieve without some special piece of information, usually

499 views • 27 slides

More recommend