Advanced hiding technology in Linux environment

Source: Internet
Author: User


Abstract: This paper analyzes in depth advanced hiding techniques for files, processes and modules in Linux, including Linux loadable kernel module programming, modifying the memory image directly in order to alter system calls, and hiding a particular process through the proc virtual file system.

Hiding techniques are widely used in computer system security, especially in network attacks: once an attacker has successfully compromised a system, it matters to the attacker to hide their files, processes and loaded modules effectively. This article discusses advanced techniques for hiding files, processes and modules on Linux. Some of them have been widely used in various backdoor or security detection programs, while others are only emerging, still at the discussion stage, and rarely applied.

1. Stealth Technology

1.1 Interrupt control and system calls in Linux

The Intel x86 series supports four kinds of interrupts. To let the processor identify each interrupt source easily, the interrupts are numbered starting from 0 (256 vectors in all); this number N is the interrupt type code, which Intel calls the interrupt vector.

Linux uses one interrupt vector (128, or 0x80) to implement system calls, and all system calls enter the kernel through a single entry point, system_call. When a user process executes the assembly instruction int 0x80, the CPU switches to kernel mode and starts executing the system_call function, which in turn looks up the address of the requested system call in the system call table sys_call_table. sys_call_table holds the addresses of all system call functions, each indexed by its system call number; for example, sys_call_table[__NR_fork] is the address of the system call sys_fork().

Linux represents the information about each interrupt with an interrupt descriptor (8 bytes) of the following format:

    high 32 bits:  offset (bits 31..16)  |  flags, type code and reserved bits
    low 32 bits:   segment selector      |  offset (bits 15..0)

All interrupt descriptors are stored in a contiguous address space called the Interrupt Descriptor Table (IDT), whose starting address is held in the Interrupt Descriptor Table Register (IDTR), with the following format:

    base address (32 bits)  |  limit (16 bits)

The relationships among these structures are shown in the figure.

From the above, the address of the system_call function can be found through the IDTR register: read IDTR to locate the interrupt descriptor table, and entry 0x80 of that table holds the address of the system_call function. This will be used in the later discussion.

1.2 Linux LKM (loadable kernel module) technology

To keep the kernel small and to make it easy to extend its functionality, Linux provides a module mechanism. Modules are part of the kernel but are not compiled into it; they are compiled into object files and are dynamically inserted into, or removed from, the running kernel as needed. Since an inserted module runs as part of the Linux kernel, module programming is essentially kernel programming, and a module can use the resources the kernel exports. For example, kernels before version 2.4.18 exported the system call table (sys_call_table), so the entry of a system call could be modified directly at that address in order to change the system call. A module must have an initialization function and a cleanup function; by default these are init_module() and cleanup_module(), and from kernel version 2.3.13 onward the user may also rename them. The initialization function is called when the module is inserted into the system and is where functions and symbols are registered; the cleanup function is called when the module is removed from the system and usually performs the corresponding recovery work.

1.3 The memory image under Linux

/dev/kmem is a character device that is an image of the computer's main memory. Through it the system can be inspected and even modified, which makes changes possible even when the kernel does not export the sys_call_table address or when inserting modules is not permitted. This, too, can serve the purpose of hiding files, processes or modules.

1.4 The proc file system

The proc file system is a virtual file system, implemented through the file system interface, that is used to output the running state of the system. It provides an interface for communication between the operating system itself and application processes in the form of a file system, so that an application can safely and easily obtain internal data about the system's current state and modify some of the system's configuration. Because proc is implemented as a file system interface, it can be accessed like an ordinary file, but it exists only in memory.

2. Technical Analysis

2.1 Hiding files

The system call Linux uses to query file information is sys_getdents. This can be observed with strace: for example, strace ls lists the system calls made by the ls command, which shows that ls performs the operation through sys_getdents. When information about a file or directory is queried, Linux uses sys_getdents to perform the query and passes the result to the program running in user space. So if the system call is modified to strip the information about certain files from its results, no program that calls it will see those files, which achieves the goal of hiding them. First, the original system call; its prototype is:

int sys_getdents(unsigned int fd, struct dirent *dirp, unsigned int count)

Here fd is a file descriptor referring to the directory file; the function reads the dirent structures of the directory that fd points to and puts them into dirp, and count gives the amount of data that can be returned in dirp. When the function succeeds, its return value is the number of bytes filled into dirp. The figure shows the execution flow of the modified system call, hacked_getdents.

The hacked_getdents function in the figure actually calls the original system call and then, from the resulting di
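As an added, defender's-side example (not code from this article): a userspace C program that walks a directory with the raw getdents64 syscall, parses the dirent records the kernel returns, and compares the directory's hard-link count from fstat() with the number of subdirectories actually listed. On ext4, xfs and tmpfs a directory's link count is 2 plus its subdirectory count, so a getdents hook that drops directory entries leaves a visible mismatch; the check assumes Linux and gives no verdict on filesystems that do not maintain that count.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record layout the kernel writes into the getdents64 buffer (not in glibc headers). */
struct linux_dirent64 { uint64_t d_ino; int64_t d_off; unsigned short d_reclen;
                        unsigned char d_type; char d_name[]; };
struct dir_count { long entries, subdirs, nlink; };

/* Walk `path` via the raw getdents64 syscall: count records and subdirectories; nlink from fstat(). */
int count_dir(const char *path, struct dir_count *out) {
    char buf[8192]; struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    out->entries = out->subdirs = 0; out->nlink = (long)st.st_nlink;
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n <= 0) { close(fd); return n < 0 ? -1 : 0; }   /* 0 bytes = end of directory */
        for (long pos = 0; pos < n; ) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);
            int isdir = d->d_type == DT_DIR;   /* some filesystems leave d_type unset */
            if (d->d_type == DT_UNKNOWN)
                isdir = !fstatat(fd, d->d_name, &st, AT_SYMLINK_NOFOLLOW) && S_ISDIR(st.st_mode);
            out->entries++;
            if (isdir && strcmp(d->d_name, ".") && strcmp(d->d_name, "..")) out->subdirs++;
            pos += d->d_reclen;
        }
    }
}

/* 1: link count equals 2 + visible subdirectories (ext4/xfs/tmpfs semantics).
   0: they disagree, which is what a getdents hook that drops entries produces.
   -1: error, or a filesystem reporting nlink < 2 for directories (btrfs, overlayfs): no verdict. */
int check_dir(const char *path) {
    struct dir_count c;
    if (count_dir(path, &c) < 0 || c.nlink < 2) return -1;
    return c.nlink == c.subdirs + 2;
}

int main(int argc, char **argv) {            /* usage: ./check_dir /some/dir */
    printf("%d\n", check_dir(argc > 1 ? argv[1] : "."));
    return 0;
}
```

A result of 0 is an indicator, not proof: rule out concurrent changes to the directory and filesystem quirks before concluding that entries are being filtered.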

