How to Use gdb to detect the kernel rootkit in Linux (1)

Source: Internet
Author: User
Tags md5 hash

The technical principles involved in this article are not new, and there is no special value for researchers. However, it is a new method for engineering personnel to respond to emergencies.

Understanding attack vectors]

The first two paragraphs of nonsense pass directly... it's a waste of feelings -_-!

The kernel rookit is usually targeted at system calls for two reasons:

A. in kernel mode hijacking, system calls can control the entire system at a small cost, without requiring too many things;

B. Most functions in the application layer are encapsulated in different forms by one or more system calls. Changing system calls means that the upper-Layer

All functions are spoofed;

In kernel-2.4.27, there are more than 230 system calls, And in kernel-2.6.9, there are more than 290 system calls. The number of system calls depends on the kernel version. the complete system call list can be found in/usr/include/asm/unistd. h. in addition, it should be noted that intruders do not change all system calls, but simply replace some of them with useful ones. as shown in table 1, these system calls can be monitored by system administrators and intrusion detection systems (OS kernel-level IDS). You can use man commands to get a complete description of each system call.

System call nameShort descriptionID

Bytes -------------------------------------------------------------------------------------------

Sys_readused for reading from files 3

Sys_writeused for writing to files 4

Sys_openused to create or open files 5

Sys_getdents/sys_getdents64used to list a content of directories (also/proc) 141/220

Sys_socketcallused for managing sockets102

Sys_query_moduleused for querying loaded modules 167

Sys_setuid/sys_getuidused for managing UIDs 23/24

Sys_execveused for executing binary files 11

Sys_chdirused to change the directory 12

Sys_fork/sys_cloneused to create a child process 2/120

Sys_ioctlused to control devices 54

Sys_kreceivsed to send signal to processes 37

Note that the system call numbers in the preceding table are all for kernel-2.4.18-3.

All examples in this article are tested on Redhat7.3 kernel-2.4.18-3. We can also use similar steps in other versions, including the latest 2.6.x, the difference may be in some internal structures of 2.6. For example, the address of the system call table is originally included in the system_call routine of the system call processing routine and is now changed to the syscall_call function.

Change System Call table]

The current system call address is saved in the system call table, which is located in the memory space reserved by the operating system for the kernel (the virtual address is up to 1 GB ), the system call entry address is stored in the same order as/usr/include/asm/unistd. h. Given that the original article is a lot of nonsense, I will skip the translation or summarize the translation. If you are interested, you can find a book on the Linux kernel (e. g: ULK2)

Before the 0x80 Soft Interrupt occurs, the corresponding system call number is pushed into the eax register. For example, when sys_write is called, the corresponding system call ID: 4 is pushed to eax.

The first method used by intruders is to change the system call address in the system call table, so that when a system call occurs, the system jumps to the function compiled by the attacker for execution. By observing the system call entry address in the system call table, we can easily detect such attacks using gdb.

The original system call address is specified in the kernel compilation phase and will not be changed. By comparing the original system call address and the system call address in the current kernel state, we can see whether the system call has been changed. The original system call address is written into two files during the compilation phase:. system. map this file contains all the symbolic addresses, and the system call also contains B. when the system is initialized, the kernel image file first read into the memory. The vmlinux-2.4.xvmlinux-2.4.x file is usually stored in the/boot directory in a compressed format, so the file must be decompressed before comparison. Another problem is: the premise of our comparison is to assume that system. map and vmlinuz image are not modified by intruders. Therefore, it is safer to create a trusted copy of the two files and create the md5 hash of the files when the system is clean.

The original Article also lists a kernel module [gcc-c scprint. c-I/usr/src/'uname-R'/include/] use this module to print the system call address and automatically write syslogs. This allows real-time comparison.

In most cases, the kernel is changed only after system initialization, the change occurs after the module loaded with rootkit or the on-the-fly kernel patch implanted with direct read/dev/kmem. In general, rootkit does not change vmlinuz and system. map these two files, so print the symbolic addresses in these two files to know the original system call address, the system call address currently running in the system (may be changed) it can be obtained from the kcore file in/proc. You can obtain the result by comparing the two files.

1. First, find the address of the system call table:

[Root @ rh8 boot] # cat System. map-2.4.18-13 | grep sys_call_table c0302c30 D sys_call_table

2. Run the nm command to print all the symbolic addresses in the image file that has not been strip:

[Root @ rh8 boot] # nm vmlinux-2.4.18-13 | grep sys_call_table

C0302c30 D sys_call_table

You can use gdb to print out all the system call entry addresses, which are defined in the entry. S file of the kernel source code. For example:

Entry 0 (0xc01261a0) is a sys_ni_syscall system call.

Entry 1 (0xc011e1d0) is a sys_exit system call.

Entry 2 (0xc01078a0) is a sys_fork system call.

# Gdb/boot/vmlinux-2.4 .*

(Gdb) x/255 0xc0302c30

0xc0302c30: 0xc01261a0 0xc011e1d0 0xc01078a0 0xc013fb70

0xc0302c40: 0xc013fcb0 0xc013f0e0 0xc013f230 0xc011e5b0

0xc0302c50: 0xc013f180 0xc014cb10 0xc014c670 0xc0107940

0xc030260: 0xc013e620 0xc011f020 0xc014bcd0 0xc013e9a0

...

You can also print the system call address by using the system call name:

(Gdb) x/x sys_ni_syscall

0xc01261a0: 0xffffdab8

(Gdb) x/x sys_fork

0xc01078a0: 0x8b10ec83

To print the system call address in the current running system, we must add two parameters to gdb:

A. the first parameter is the kernel image file vmliux-2.4.x

B. The second parameter is the/proc/kcore binary file.

# Gdb/boot/vmlinux-2.4. */proc/kcore

(Gdb) x/255x 0xc0302c30

0xc0302c30: 0xc01261a00xc011e1d00xc01078a00xc88ab11a <--

0xc0302c40: 0xc013fcb00xc013f0e00xc013f2300xc011e5b0

0xc0302c50: 0xc013f1800xc014cb100xc014c6700xc0107940

0xc030260: 0xc013e6200xc011f0200xc014bcd00xc013e9a0

...

We noticed that the address 0xc88ab11a at the end of the first line is obviously abnormal. This is a system call with system call number 3, that is, sys_read (the system call starts from 0)

We can say that it is abnormal because its address is higher than 0xc8xxxxxx. Linux uses a 4 GB linear address by default. The maximum 1GB0x00000000-0xffffffff is reserved for the kernel. When a module is inserted into the kernel, the vmalloc function allocates an address space for it. The address usually starts from 0xc8800000... it's already obvious here, right?


Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.