How malicious Linux kernel modules work
Tuesday, March 03, 2009 by rain
What do you do when, in the middle of an intrusion investigation, every traditional tool stops working? I found myself in exactly this predicament while dealing with an intruder who had already loaded a kernel module. Because a loadable kernel module (LKM) moves the attack from user space into kernel space, it changes the intrusion-response techniques we relied on before. Once kernel space is compromised the effect covers the whole of user space: the intruder no longer needs to alter system programs in order to control their behaviour, and even a trusted toolkit uploaded to the compromised host can no longer be trusted. Below I describe how a malicious kernel module works, and present a few tools I developed to respond to this kind of intrusion.
LKM overview
The existence of LKMs is good news for system administrators but a nightmare for intrusion detection. LKMs were originally designed so that the running kernel could be changed without a reboot, adding functionality dynamically: a dynamic kernel can gain support for new facilities such as file system types and network cards. However, because a kernel module can reach every call and every block of memory in the kernel, it can alter any part of the operating system without restriction. Consequently every system call and every persistent kernel memory structure is at risk of being modified by a malicious kernel module.
A notorious example of an LKM is Knark. Once Knark is compiled and loaded onto a compromised host, it changes the behaviour of the operating system by altering the system call table. The system call table lives permanently in kernel space and is essentially the entry point through which user-level programs reach the operating system; most Unix systems document the syscalls in section 2 of the manual. Because the kernel services user space, every command entered on the command line is mapped onto system calls in that table. So when Knark changes the system call table, it also changes what happens when the user's commands are executed. Knark alters the following important system calls.
* getdents - obtains the contents of a target directory (that is, its files and subdirectories). By modifying this call, Knark hides files and directories from user programs.
* kill - sends a signal to a process, normally to kill it. The modified call uses the otherwise unused signal 31 to put a process into the "hidden" state. When a process is hidden, its entry in /proc is removed, so it is concealed from the ps command. Signal 32 is used to clear the hidden flag.
* read - reads the contents of a target file. By modifying this call, Knark hides the intruder's connections from netstat.
* ioctl - changes the state of files and devices. By modifying this call, Knark can hide a network card's promiscuous mode; at the same time it inserts file-hiding functionality into the call.
* fork - creates a new process. Knark modifies it so that every child process forked by a hidden parent is hidden as well.
* execve - executes a command, and is invoked every time the user enters a command on the command line. Once this call is hijacked, the kernel module controls which program is chosen and run. Knark lets the intruder redirect one program to another, much like a symbolic link, without leaving any evidence of the crime. Once Knark controls execve, any command you expect to run may have been substituted by the intruder.
* settimeofday - sets the system time. Knark uses it to watch for predetermined times. When one of these times is passed to this system call, Knark can trigger certain management tasks, or immediately give the current user the root user and group ID. Root privileges are thus obtained without having to touch a suid shell.
Because the system calls are changed, the tools that depend on them are effectively changed too. netstat will never report that the network card is in promiscuous mode, and connections from particular hosts are hidden. ps and top will not report hidden processes, because there is no information about them in /proc. ls will skip hidden files and directories. All of this happens because these tools rely on the operating system for their information, and once the intruder controls the operating system it can feed false information back to requests from user space, without the binaries of netstat, ps, top and ls being altered at all. For this reason, file-system integrity checkers such as Tripwire are useless against this kind of attack; nor can they guard against Knark's execution-redirection function. If the intruder redirects cat to hackme, then every time cat is invoked it is actually hackme that executes. cat remains intact on the system and its MD5 checksum is unchanged, but what it does when executed has been changed.
Worse, uploading new tools to a host compromised by Knark does not help either. Even trusted tools must use system calls, so they are no longer trustworthy. At present there is no way to bypass the traps an intruder has set at the kernel level unless we also enter kernel space. Based on this, I developed tools to test whether a malicious LKM is installed on a system.
There is one point we have not yet mentioned: lsmod will report that the knark.o module is loaded. Unfortunately, the intruder can easily erase this information. Knark also includes a second LKM, called modhide, which hides itself and one other module. Once a module is hidden it cannot be unloaded without rebooting the machine, and there is no simple way to detect that the module was ever loaded: all the relevant information has disappeared. As described above, all of these functions make Knark an extremely effective and stealthy weapon.
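The /proc hiding described above can be cross-checked from user space without trusting ps: signal 0 asks the kernel whether a PID exists, and that answer is compared with what /proc shows. This is an added example, not code from the original article or from Knark; probe_pid and scan_hidden_pids are names chosen here, and it assumes a Linux host on which the hooked kill() still handles signal 0 normally (the article only describes signals 31 and 32 being intercepted).

```c
/* Added example (not from the original article or from Knark): cross-check
 * /proc against kill(pid, 0). Assumes Linux and that signal 0 is untouched. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define PID_PROBE_MAX 65535   /* classic pid_max; raise it on modern hosts */

/* Returns -1 if /proc is unusable, 0 if no such process, 1 if the process
 * exists and has a /proc entry, 2 if it exists but /proc does not show it. */
int probe_pid(pid_t pid)
{
    char path[32];
    struct stat st;

    if (stat("/proc/self", &st) != 0)
        return -1;                   /* cannot cross-check without /proc */
    /* Signal 0 delivers nothing; it only asks whether the pid exists.
     * EPERM still means the process is there. */
    if (kill(pid, 0) != 0 && errno == ESRCH)
        return 0;
    snprintf(path, sizeof path, "/proc/%ld", (long)pid);
    return stat(path, &st) == 0 ? 1 : 2; /* 2: alive but hidden from /proc */
}

/* Walks the pid range, prints every pid the kernel admits exists but /proc
 * does not show, and returns how many were found. A process that exits
 * between the two probes can give a one-off false positive; rerun to confirm. */
int scan_hidden_pids(pid_t max_pid)
{
    int hidden = 0;
    pid_t pid;

    for (pid = 1; pid <= max_pid; pid++) {
        if (probe_pid(pid) == 2) {
            printf("pid %ld is alive but has no /proc entry\n", (long)pid);
            hidden++;
        }
    }
    return hidden;
}

int main(void)
{
    return scan_hidden_pids(PID_PROBE_MAX) ? 1 : 0;
}
```

A hit from this scan is a lead, not proof: run it from a known-good rescue environment when possible, because on a Knark host the kill and getdents calls the scan itself relies on are the very ones that were hooked.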
Prevention
Preventing an LKM from doing damage is obviously the best solution, and there are a few ways to do so ahead of time. Many malicious LKMs can be stopped by protecting the system call table. We can build a simple LKM that checks the system call table periodically, or whenever another module is loaded. If it finds that the table has changed, it can notify the system administrator and even restore the altered entries to their original values. The example below works on Linux 2.2 and 2.4. If your machine has multiple processors, compile it with: gcc -D __SMP__ -c syscall_sentry.c. On a single-processor machine, leave out -D __SMP__. After it compiles successfully, load it with insmod. See the example below for details.

/*
 * This LKM is designed to be a tripwire for the sys_call_table.
 */
#define MODULE_NAME "syscall_sentry"
/* This definition is the time between periodic checks. */
#define TIMEOUT_SECS 10
#define MODULE
#define __KERNEL__
#include <linux/module.h>
#include <linux/config.h>
#include <linux/version.h>
#include <linux/kernel.h>
#include <linux/sys.h>
#include <linux/param.h>
#include <linux/sched.h>
#include <linux/timer.h>
#include <asm/unistd.h>   /* kernel-side syscall numbers (__NR_init_module) */

/* This function is a simple string comparison function (not used below). */
static int mystrcmp(const char *str1, const char *str2)
{
    while (*str1 && *str2)
        if (*(str1++) != *(str2++))
            return -1;
    return 0;
}

/* This function builds a timer struct for versions of Linux
 * less than Linux 2.4. It is used to set a timer. */
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,4,0)
/* Initializes a timer */
void init_timer(struct timer_list *timer)
{
    timer->next = NULL;
    timer->prev = NULL;
}
#endif

/* This is our timer */
static struct timer_list syscall_timer;
/* This is the system's syscall table */
extern void *sys_call_table[];
/* This is the saved, valid syscall table */
static void *orig_sys_call_table[NR_syscalls];
/* The real sys_init_module; needed so the wrapper can call through to it */
static asmlinkage long (*orig_init_module)(const char *, struct module *);

/* This function checks the syscalls for changes and changes them back to
 * the original if they have been changed. It is also the timer callback,
 * so it takes the (unused) timer data argument. */
static void check_syscalls(unsigned long data)
{
    int i;
    /* Add a new timer for our next check */
    del_timer(&syscall_timer);
    init_timer(&syscall_timer);
    syscall_timer.function = check_syscalls;
    syscall_timer.expires = jiffies + TIMEOUT_SECS * HZ;
    add_timer(&syscall_timer);
    /* Compare every entry, including the last, against the saved copy */
    for (i = 0; i < NR_syscalls; i++) {
        if (orig_sys_call_table[i] != sys_call_table[i]) {
            printk(KERN_INFO "SysCallSentry - sys_call_table has been "
                   "modified in entry %d!\n", i);
            sys_call_table[i] = orig_sys_call_table[i];
        }
    }
}

/* Check sys_call_table any time a new module is loaded. */
static asmlinkage long sys_init_module_wrapper(const char *name, struct module *mod)
{
    int i;
    long res = (*orig_init_module)(name, mod);
    for (i = 0; i < NR_syscalls; i++) {
        if (orig_sys_call_table[i] != sys_call_table[i]) {
            printk(KERN_INFO "SysCallSentry - sys_call_table has been "
                   "modified in entry %d!\n", i);
            sys_call_table[i] = orig_sys_call_table[i];
        }
    }
    return res;
}

/* Module init code (must not be static: the loader looks it up by name) */
int init_module(void)
{
    int i;
    printk(KERN_INFO "SysCallSentry inserted\n");
    /* Initiate the periodic timer */
    init_timer(&syscall_timer);
    /* Save the real init_module, then wrap the init_module syscall. This
     * will check to see if any calls have been altered when a new module
     * loads. The table is snapshotted after the wrapper is installed, so
     * the wrapper itself is not reported as a modification. */
    orig_init_module = sys_call_table[__NR_init_module];
    sys_call_table[__NR_init_module] = sys_init_module_wrapper;
    /* Save the old values of the sys_call_table */
    for (i = 0; i < NR_syscalls; i++)
        orig_sys_call_table[i] = sys_call_table[i];
    /* Start our first check */
    check_syscalls(0);
    return 0;
}

/* Module cleanup code */
void cleanup_module(void)
{
    /* Stop the periodic check before this module's code goes away */
    del_timer(&syscall_timer);
    /* Return system status to the original */
    sys_call_table[__NR_init_module] = orig_init_module;
}