linux rootkit
play

Linux Rootkit Conclusion Adrien schischi Schildknecht July 17, - PowerPoint PPT Presentation

Apr 25, 2023 •109 likes •297 views

Linux Rootkit Adrien schischi Schildknecht IDT hooking Syscall hooking Linux Rootkit Conclusion Adrien schischi Schildknecht July 17, 2015 Linux Rootkit Adrien schischi Schildknecht IDT hooking Syscall hooking

  1. Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Linux Rootkit Conclusion Adrien ’ schischi ’ Schildknecht July 17, 2015

  2. Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Section 1 Conclusion IDT hooking

  3. Why? Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Conclusion Main interface between the kernel and the world (userland, hardware. . . )

  4. Modifying the IDT Linux Rootkit The Address of the IDT is stored in a register; Changing an entries: Adrien ’ schischi ’ Modify the table (RO); Schildknecht Create a new table; IDT hooking User land (DPL=3) Kernel land (DPL=0) Syscall hooking Conclusion IDT 0x0: divide_error() system_call() /* execute the syscall */ 0x1: debug() iret 0x2: nmi() main.c ... ... int 0x80 ... ... 0x80: system_call() ...

  5. Interrupt stack frame Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Conclusion

  6. Pre hook Linux Rootkit Adrien ’ schischi ’ Schildknecht User land (DPL=3) Kernel land (DPL=0) IDT hooking fake_hdlr() pre_hook() Syscall ret = pre_hook() ... hooking push fake frame return ret orig_handler() Conclusion IDT 0x0: divide_error() system_call() /* execute the syscall */ 0x1: debug() iret 0x2: nmi() main.c ... ... int 0x80 ... ... 0x80: system_call() ...

  7. Post hook Linux Rootkit Adrien ’ schischi ’ Schildknecht User land (DPL=3) Kernel land (DPL=0) IDT hooking fake_hdlr() pre_hook() Syscall ret = pre_hook() ... hooking push fake frame return ret orig_handler() Conclusion IDT 0x0: divide_error() system_call() /* execute the syscall */ 0x1: debug() iret 0x2: nmi() main.c post_hook() ... ... int 0x80 post_handler() ... ... ... return pre_hook() iret 0x80: system_call() ...

  8. Summary Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Conclusion

  9. Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Section 2 Conclusion Syscall hooking

  10. How to make a syscall Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking 3 ways: Conclusion 32bits: int 0x80, sysenter (Intel), syscall (AMD); 64bits: syscall;

  11. Int 0x80 Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Conclusion

  12. Sysenter Linux Rootkit /* Obtain a valid pointer to per cpu data*/ 1 swapgs 2 Adrien ’ schischi ’ /* Setup a stack */ 3 Schildknecht mov $stack_sysenter , %rsp 4 add %gs:this_cpu_off , %rsp 5 IDT hooking /* Save registers on the stack */ 6 Syscall sub $0x28, %rsp /* Skip exception frame */ 7 hooking SAVE_REGS 8 Conclusion /* Fill exception frame */ 9 movl 12(%rbp), %eax /* RIP */ 10 movq %rax, 0x80(%rsp) 11 movq $0x23, 0x88(%rsp) /* CS */ 12 movq $0x0, 0x90(%rsp) /* RFLAGS */ 13 movl 0x0(%rbp), %eax /* RSP */ 14 movq %rax, 0x98(%rsp) 15 movq $0x2b, 0xa0(%rsp) /* SS */ 16 mov %rsp, %rdi 17 /* Set an invalid esp as return addr */ 18 movl $__stringify(0x42cafe42), 12(%rbp) 19 /* Pre-hook ! */ 20 call *sysenter_pre_hook 21 RESTORE_REGS 22 /* Call the original handler without swapgs */ 23 jmp *(sysenter_orig_hdlr + 3) 24 25

  13. Syscall Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Conclusion

  14. Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Section 3 Conclusion Conclusion

  15. Conclusion Linux Rootkit 1 #define MEGA(S) ((S) * 1024 * 1024) 2 Adrien ’ schischi ’ 3 int main(int argc, char *argv[]) { Schildknecht char buf[4096]; 4 int fd = open("/home/schischi/foo", O_CREAT | O_WRONLY , 5 IDT hooking 0660); Syscall 6 hooking if (argc == 2 && !strcmp(argv[1], "-f")) 7 Conclusion if (fallocate(fd, 0, 0, MEGA(700)) != 0) 8 return 1; 9 for (int i = 0; i < MEGA(700) / sizeof (buf); ++i) 10 write(fd, buf, 4096); 11 write(fd, buf, MEGA(700) % sizeof (buf)); 12 13 unlink("/home/schischi/foo"); 14 return 0; 15 16 } 17 1 $ repeat 100; ./a.out ./a.out 0.01s user 1.46s system 18% cpu 8.018 total 2 3 4 $ repeat 100; ./a.out -f

  16. Conclusion Linux Rootkit Adrien ’ schischi ’ Schildknecht IDT hooking Syscall hooking Conclusion Questions ? schischi@lse.epita.fr schischi - irc.rezosup.org

  17. References Linux Rootkit Adrien FS design ’ schischi ’ Schildknecht Book "Practical File System Design" by Dominic Giampaolo IDT hooking VFS Syscall http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git hooking http://lwn.net/Kernel/Index/ Conclusion Journaling, logging http://pages.cs.wisc.edu/~remzi/OSTEP/file-lfs.pdf http://research.cs.wisc.edu/wind/Publications/sba-usenix05.pdf Ext4 https://ext4.wiki.kernel.org/index.php/Ext4_Design http://www.ibm.com/developerworks/library/l-anatomy-ext4/ Btrfs http://video.linux.com/videos/chris-mason-btrfs-file-system http://atrey.karlin.mff.cuni.cz/~jack/papers/lk2009-ext4-btrfs.pdf

Recommend

Linux Security State of Linux Security in 2016 Michael Boelen michael.boelen@cisofy.com DBLUG,

Linux Security State of Linux Security in 2016 Michael Boelen michael.boelen@cisofy.com DBLUG,

Linux Security State of Linux Security in 2016 Michael Boelen michael.boelen@cisofy.com DBLUG, 7 December 2016 Michael Boelen Open Source Lynis, Rootkit Hunter Business and Community Founder of CISOfy Board member and

454 views • 18 slides
Undermining the Linux Kernel: Malicious Code Injec:on via /dev/mem Anthony Lineberry

Undermining the Linux Kernel: Malicious Code Injec:on via /dev/mem Anthony Lineberry

Undermining the Linux Kernel: Malicious Code Injec:on via /dev/mem Anthony Lineberry anthony.lineberry@gmail.com Black Hat Europe 2009 Overview What is a rootkit? Why is protec:on difficult? Current protec:on mechanisms/bypasses

638 views • 52 slides
Dont Tell Joanna, The Virtualized Rootkit Is Dead Agenda Who we are and what we do

Dont Tell Joanna, The Virtualized Rootkit Is Dead Agenda Who we are and what we do

Dont Tell Joanna, The Virtualized Rootkit Is Dead Agenda Who we are and what we do Virtualization 101 Vitriol/Hyperjacking (and other HVM Rootkits) Why detecting HVMs arent as difficult as you think Pro Forma Punditry

428 views • 41 slides
Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and open-source operating system distributions that use the Linux

562 views • 53 slides
Under the microscope: Linux security tools Lessons learned from 500+ projects Michael Boelen

Under the microscope: Linux security tools Lessons learned from 500+ projects Michael Boelen

Under the microscope: Linux security tools Lessons learned from 500+ projects Michael Boelen michael.boelen@cisofy.com NLLGG, September 2018 Michael Boelen Open Source Lynis, Rootkit Hunter Business Founder of CISOfy

778 views • 30 slides
Linux from Sensors to Servers ! When is Linux Not Linux? ! 1 1 Linux runs across a huge range

Linux from Sensors to Servers ! When is Linux Not Linux? ! 1 1 Linux runs across a huge range

Linux from Sensors to Servers ! When is Linux Not Linux? ! 1 1 Linux runs across a huge range of systems ! CC BY-SA 2.0 FHKE, Flickr 2 Whats the difference between Linux on a big thing and Linux on a little thing? ! 3 ! Whats the

900 views • 52 slides
Computing using Linux: The Good and the Bad Christoph Lameter HPC and Linux Most of the

Computing using Linux: The Good and the Bad Christoph Lameter HPC and Linux Most of the

High Performance Computing using Linux: The Good and the Bad Christoph Lameter HPC and Linux Most of the supercomputers today run Linux. All of the computational clusters in corporations that I know of run Linux. Support for

419 views • 12 slides
Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux

Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux

Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux Distributions Linux vs Windows Linux Architecture Linux Security 2 What is Linux? Similar Operating System To Microsoft Windows, Sun

1.11k views • 55 slides
Interviews with Different Users About Their Linux Setups Steven Ovadia My Linux Rig

Interviews with Different Users About Their Linux Setups Steven Ovadia My Linux Rig

The State of Desktop Linux: Interviews with Different Users About Their Linux Setups Steven Ovadia My Linux Rig www.mylinuxrig.com @steven_ovadia *** Associate Professor/Web Services Librarian LaGuardia Community College About My Linux

458 views • 27 slides
Introduction to Linux Fundamentals of Computer Science Outline Operating Systems Linux

Introduction to Linux Fundamentals of Computer Science Outline Operating Systems Linux

Introduction to Linux Fundamentals of Computer Science Outline Operating Systems Linux History Linux Architecture Logging in to Linux Command Format Linux Filesystem Directory and File Commands Wildcard Characters

686 views • 19 slides
Introduction to Linux Aline Abler Aline Abler Linux, whats that? The pieces of a Linux

Introduction to Linux Aline Abler Aline Abler Linux, whats that? The pieces of a Linux

Linux, whats that? The pieces of a Linux system Linux Concepts Distributions Desktop environments Switching to Linux Epilogue Introduction to Linux Aline Abler Aline Abler Linux, whats that? The pieces of a Linux system Linux

767 views • 57 slides
Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue

Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue

Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue University, North Carolina State University EuroSys 2009 Nrnberg, Germany Rootkits Stealthy malware Hide attacker Modifying the OS

674 views • 53 slides
GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The GNU userland consists of libc, the init system (SystemD) X11 GUI toolkits etc. Ask the audience Who has used

442 views • 22 slides
Linux You Can Drive My Car Embedded Linux Conference

Linux You Can Drive My Car Embedded Linux Conference

Linux You Can Drive My Car Embedded Linux Conference 2017 Walt Miner ( @VStarWalt ) Community Manager, AGL , The Linux FoundaGon

721 views • 55 slides
Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows

Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows

Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows Reinstall usually keeps personal files Advantages of Linux More secure Package manager Software installation is easy, fast and secure Keeps

528 views • 15 slides
Linux Kung Fu Stephen James UBNetDef, Spring 2017 Introduction What is Linux? What is the

Linux Kung Fu Stephen James UBNetDef, Spring 2017 Introduction What is Linux? What is the

Linux Kung Fu Stephen James UBNetDef, Spring 2017 Introduction What is Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and open-source operating system

607 views • 48 slides
AOS Linux Tutorial Introduction to Linux Michael Havas Dept. of Atmospheric and Oceanic Sciences

AOS Linux Tutorial Introduction to Linux Michael Havas Dept. of Atmospheric and Oceanic Sciences

AOS Linux Tutorial Introduction to Linux Michael Havas Dept. of Atmospheric and Oceanic Sciences McGill University September 15, 2011 Outline 1 Introduction to Linux Benefits of Linux What Exactly is Linux? The Free-Software Philosophy 2

898 views • 69 slides
The State of the Linux Desktop An OSDL Perspective John Cherry OSDL Desktop Linux (DTL)

The State of the Linux Desktop An OSDL Perspective John Cherry OSDL Desktop Linux (DTL)

The State of the Linux Desktop An OSDL Perspective John Cherry OSDL Desktop Linux (DTL) September 23, 2006 1 2 The State of the Linux Desktop Riding the Open Software Wave The Linux Desktop Markets Linux Desktop Market Data The Linux

543 views • 40 slides
Linux Basics 2 Pre-Lab Everyone installed Linux on their

Linux Basics 2 Pre-Lab Everyone installed Linux on their

Computer Systems and Networks ECPE 170 Jeff Shafer University of the Pacific Linux Basics 2 Pre-Lab Everyone installed Linux on

617 views • 25 slides
Power Your Car with Automo0ve Grade Linux Automo&amp;ve Linux

Power Your Car with Automo0ve Grade Linux Automo&amp;ve Linux

Power Your Car with Automo0ve Grade Linux Automo&amp;ve Linux Summit 2017 Walt Miner ( @VStarWalt ) Community Manager, AGL , The Linux

594 views • 37 slides
Mostafa Z. Ali Mostafa Z. Ali mzali@just.edu.jo 1 1 The Linux Utilities Linux did not

Mostafa Z. Ali Mostafa Z. Ali mzali@just.edu.jo 1 1 The Linux Utilities Linux did not

Fall 2009 Lecture 5 Operating Systems: Configuration &amp; Use CIS345 The Linux Utilities Mostafa Z. Ali Mostafa Z. Ali mzali@just.edu.jo 1 1 The Linux Utilities Linux did not have a GUI. It ran on character based terminals only,

1.16k views • 70 slides
Virtual Memory and Linux Alan Ott Embedded Linux Conference April 4-6, 2016 About the Presenter

Virtual Memory and Linux Alan Ott Embedded Linux Conference April 4-6, 2016 About the Presenter

Virtual Memory and Linux Alan Ott Embedded Linux Conference April 4-6, 2016 About the Presenter Linux Architect at SoftIron 64-bit ARM servers and data center appliences Linux Kernel Firmware Userspace Training USB

1.05k views • 71 slides
RCU Usage in Linux History of Concurrency in Linux Multiprocessor support 15 years ago - via

RCU Usage in Linux History of Concurrency in Linux Multiprocessor support 15 years ago - via

CS510 Concurrent Systems Jonathan Walpole RCU Usage in Linux History of Concurrency in Linux Multiprocessor support 15 years ago - via non-preemption in kernel mode Today's Linux - fine-grain locking - lock-free data structures - per-CPU

600 views • 36 slides
What is GNU/Linux? GNU/Linux is a free operating system Other operating systems:

What is GNU/Linux? GNU/Linux is a free operating system Other operating systems:

What is GNU/Linux? GNU/Linux is a free operating system Other operating systems: Microsoft windows Apple Mac OS X Sun Solaris FreeBSD/OpenBSD AIX And many more..... GNU/Linux history GNU project started by

330 views • 9 slides

More recommend