by Nitesh Dhanjani, nitesh(at)dhanjani.com
Hack In The Box Conference, December 2003, Kuala Lumpur, Malaysia.
Introduction to LKMs
Linux is a monolithic kernel. Read http://www.dina.dk/~abraham/Linus_vs_Tanenbaum.html for lots of fun and entertainment on this topic. LKMs can add and/or change kernel functionality on the fly. However, some code must still be statically linked into the kernel.
Advantages
No need to recompile kernel. Easier to debug and develop. Modules can be loaded and unloaded on demand. Why bloat the kernel?
Loading On-Demand
The kernel thread kmod executes modprobe to load modules on demand. modprobe resolves module dependencies, using the modules.dep file to calculate them. modules.dep is created by depmod, which is usually executed during startup.
(c) Nitesh Dhanjani 6
Library Functions
Library functions are linked to programs and are more portable. They wrap around system calls to perform certain operations. Example: fopen() in turn calls sys_open() to actually open a file. Use the strace program to look at the system calls being invoked by an executable.
Library Functions
Simple C program to display /etc/passwd:
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    FILE *myfile;

    /* open the file; exit with an error status if that fails */
    if (!(myfile = fopen("/etc/passwd", "r"))) {
        exit(1);
    }
    while (!feof(myfile)) {
        /* code to read and write from myfile here */
    }
    fclose(myfile);
    exit(0);
}
Library functions
Run strace on the executable:
[bash]$ strace -o strace_output ./a.out
Redhat 9 Kernel
Redhat 9's kernel does not export sys_call_table. To export it:
Edit /usr/src/linux/kernel/ksyms.c and add the line: EXPORT_SYMBOL(sys_call_table);
Then recompile and re-install your kernel, and reboot.
Or, compile your own stock v2.4 kernel.
DEMO
Annoying Backdoor
Remote backdoor that listens on a TCP port. When a connection is made to a certain port, access to a particular file is prohibited by using our previous example. When another connection is made to the port, access to the file is allowed again. Not a particularly lethal backdoor, but a first-step implementation towards a very annoying one :-)
Annoying Backdoor
int init_module(void)
{
    flag = 1;
    /* save the original handler so it can be restored later */
    original_sys_open = sys_call_table[__NR_open];
    /* set up the listening socket from kernel space */
    socket_create(..);
    bind(..);
    listen(..);
    /* serve connections from a kernel thread */
    kernel_thread(do_server, ..);
    return 0;
}
Annoying Backdoor
int do_server(..)
{
    while (1) {
        accept(..);
        if (flag == 1) {
            /* intercept sys_open and hide our file; set flag to 0 */
        } else {
            /* restore sys_open; set flag to 1 */
        }
    }
}
Annoying Backdoor
For more information on socket programming within kernel threads, read The Design of kHTTPd by Alessandro Rubini [http://www.linux.it/kerneldocs/khttpd/khttpd.html]. Also, see the kHTTPd source code for more tricks.
Annoying Backdoor
DEMO
/proc/ksyms
Contains the kernel symbol table. For example:
cat /proc/ksyms | grep open
will display information about our fake sys_open call. Use the EXPORT_NO_SYMBOLS macro in order to not export symbols. Or, do partial file hiding (intercept sys_open).
/proc/modules
Contains list of currently loaded modules. For example, try:
cat /proc/modules | more
Do partial file hiding by intercepting sys_open. Much more stealthy: alter the kernel module structure on the fly. See plaguez's paper in Phrack 52, article 18.
THC's tutorial
(nearly) Complete Linux Loadable Kernel Modules by pragmatic (THC) [http://packetstormsecurity.nl/docs/hack/LKM_HACKING.html]. Covers hiding processes (manipulating access to /proc), /dev/kmem, hiding modules, pitfalls such as user- and kernel-space memory management, and lots of other advanced techniques.
modexecvehash
Developed by me during an independent study course at Purdue University with Professor Gustavo Rodriguez-Rivera. An LKM that protects important executables against rootkits by verifying hashes on the fly. Proof-of-concept only. At this stage of development, this module may be bypassed by using advanced techniques such as raw memory and disk access.
modexecvehash
Intercept sys_execve() and compute the inode of the file being executed. Compare this inode with those present in a database. If a match is found, proceed further; otherwise return by calling the original sys_execve(). Compute the hash of the program being executed and compare it against the hash in the database. If they don't match, return an error. Else, return by calling the original sys_execve(). Other features.
modexecvehash
Obtain the source from http://dhanjani.com/presentations/hwlkm/
Untar modexecvehash.tar.gz in /root (important). Read the README. Run make.
Run ./makehashdb.sh > /root/hashdb
Run insmod ./execvehash.o
Test: create a backup of /usr/bin/passwd, replace it with /bin/ls, and then attempt to execute /usr/bin/passwd. It will not be allowed to execute. Don't forget to restore /usr/bin/passwd when done.
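The decision logic of the two modexecvehash slides above (inode lookup, then hash comparison, then either an error or a pass-through to the original sys_execve()) replayed in user space, as an added example that is not the module's own code. The hash algorithm is not named in the deck, so SHA-256 is assumed; build_hashdb stands in for makehashdb.sh, and demo() reproduces the deck's passwd/ls test on constructed files in a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile

PASS, ALLOW, DENY = "pass-through", "allow", "deny"


def file_hash(path):
    """Hash of the file contents (SHA-256 is an assumption; the deck names no algorithm)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def build_hashdb(paths):
    """Stand-in for makehashdb.sh: map each protected file's inode to its hash."""
    return {os.stat(p).st_ino: file_hash(p) for p in paths}


def check_execve(path, hashdb):
    """The decision the hooked sys_execve() makes before calling the original."""
    inode = os.stat(path).st_ino
    if inode not in hashdb:
        return PASS    # not a protected binary: hand straight to original sys_execve()
    if file_hash(path) != hashdb[inode]:
        return DENY    # protected binary was tampered with: return an error
    return ALLOW       # hash matches: call original sys_execve()


def demo():
    """Replays the deck's test: protect 'passwd', overwrite it with 'ls', try to execute it."""
    d = tempfile.mkdtemp()
    try:
        passwd = os.path.join(d, "passwd")   # constructed stand-in for /usr/bin/passwd
        ls = os.path.join(d, "ls")           # constructed stand-in for /bin/ls
        with open(passwd, "wb") as f:
            f.write(b"constructed stand-in for /usr/bin/passwd\n")
        with open(ls, "wb") as f:
            f.write(b"constructed stand-in for /bin/ls\n")
        hashdb = build_hashdb([passwd])
        results = {"intact": check_execve(passwd, hashdb),
                   "unprotected": check_execve(ls, hashdb)}
        shutil.copyfile(ls, passwd)          # overwrite in place: same inode, new contents
        results["overwritten"] = check_execve(passwd, hashdb)
        os.replace(ls, passwd)               # rename over it: a new inode the database never saw
        results["renamed_over"] = check_execve(passwd, hashdb)
        return results
    finally:
        shutil.rmtree(d)
```

The last case shows why the database is only as good as its inode keys: a file that arrives under a new inode is unmonitored until makehashdb.sh is run again, which is one reason the deck calls the module proof-of-concept only.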
Source Code
Source code for examples in this presentation can be obtained from: http://dhanjani.com/presentations/hwlkm/
Resources
(nearly) Complete Linux Loadable Kernel Modules by pragmatic (THC) [http://packetstormsecurity.nl/docs/hack/LKM_HACKING.html]
Loadable Kernel Module Programming and System Call Interception by Nitesh Dhanjani & Gustavo Rodriguez-Rivera [http://www.linuxjournal.com/article.php?sid=4378]
The Design of kHTTPd by Alessandro Rubini [http://www.linux.it/kerneldocs/khttpd/khttpd.html]
Kernel System Calls by Alessandro Rubini [http://www.linux.it/kerneldocs/ksys/ksys.html]
Linux Device Drivers by Alessandro Rubini [http://www.xml.com/ldd/chapter/book/]
The Linux Kernel Module Programming Guide by Peter Jay Salzman [http://www.faqs.org/docs/kernel/]
Weakening the Linux Kernel by plaguez [http://www.phrack.org/phrack/52/P52-18]
Also Recommended
Advanced Kernel Keylogger by Red Dragon (RD) of THC. HITB, December 2003.