Linux Rootkits

(nearly) Complete Linux Loadable Kernel Modules, pragmatic/THC

An old but detailed LKM rootkit tutorial:
https://www.thc.org/papers/LKM_HACKING.html

See also Phrack 58:6 and Phrack 59:5.

Helpful: the cross-referenced Linux code http://lxr.free-electrons.com/ , http://kernelnewbies.org/ .

Runtime kernel kmem patching & Unix ELF parasites and virus, by Silvio Cesare

http://vxheaven.org/lib/vsc01.html
http://vxheaven.org/lib/vsc07.html

The Linux kernel is itself an ELF file and obeys the standard linking conventions (this fact can be. It depends on them for the ability to load modules into the running kernel (the lack of this ability in earlier Windows versions made necessary the continual reboots after installing software or hardware). With write access to kernel memory, this mechanism can be manipulated just as any other userland program's address space can be (compare the next link). See Phrack 58:7 for further development of these ideas.

Runtime process infection, Anonymous

Phrack 59:8

Modifying (infecting) one user process from another. In principle, this is not different from what one can do with a good debugger, and indeed the author describes elements of the normal OS support for debugging, but he (she?) also points out the data structures to be patched. Compare this with the _kernel_ modification (above links).

Making System Calls from Kernel Space, Alessandro Rubini

http://www.linux.it/~rubini/docs/ksys/ksys.html

The practicalities of implementing services in the Linux kernel, specifically a fast in-kernel HTTP server; the same technique can be applied to in-kernel backdoors. More details on in-kernel programming are at http://www.linux.it/~rubini/docs/khttpd/khttpd.html

Random links and notes

http://www.cs.dartmouth.edu/~sergey/cs258/rootkits/
http://www.cs.dartmouth.edu/~sergey/cs258/2012/kernel-modules-hooks-and-rootkits.txt

Defensive patches

Kfence.c, ins1der

http://packetstorm.linuxsecurity.com/linux/security/Kfence.c

A hackish ad-hoc 2.4 kernel strengthening patch, installed by patching the live kernel through /dev/kmem in the system call dispatcher procedure. It finds the location of the syscall table by looking up the int 0x80 handler in the Interrupt Descriptor Table (IDT) and inserts its own ad-hoc checks, written in assembly, in front of the kernel's entry.S code. For more info on using the IDT: Phrack 59:4 and the follow-up Phrack 59:10.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License