Security Basics mailing list archives
Re: Bug in chkrootkit ?
From: Juraj Ziegler <e () hq sk>
Date: Thu, 31 Jul 2003 01:40:35 +0200
> i'm not sure, but i believe that a lkm is clever enough (ie. very well programmed), it can really 'wipe' a file/process/??? from the system, so it's hard sometimes to diagnose your server

It really can. I never did it (too lazy :), but the concept of doing it is rather simple. You create a kernel module that "interrupts" the relevant syscalls - open(), read(), etc. Interrupting here means it changes the syscall table to call my_open() in place of open(). What my_open() does is check whether the parameters match a "wiped" file. If yes, it returns a value that would indicate the file does not exist. If not, it just calls the original open() and returns its return value.

The following code shows how to interrupt ptrace() calls. My less lazy friend wrote it after we came up with the idea to use it to work around the recent ptrace() bug in the Linux kernel.

<CODE>
#define MODULE
#define __KERNEL__
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/modversions.h>
#include <linux/smp_lock.h>
#include <linux/types.h>
#include <linux/dirent.h>
#include <linux/string.h>
#include <linux/mm.h>
#include <linux/sched.h>
#include <linux/errno.h>   /* EPERM */
#include <sys/syscall.h>   /* The list of system calls (SYS_ptrace) */

MODULE_LICENSE("GPL");

/* sys_call_table is exported (2.4 kernels), so we can access it */
extern void *sys_call_table[];

/* saved pointer to the kernel's real sys_ptrace() */
int (*orig_sys_ptrace)(long request, long pid, long addr, long data);

/* not used by this module */
#define is_dumpable(tsk) ((tsk)->task_dumpable && (tsk)->mm->dumpable)

/* the replacement: refuses every ptrace() request */
int hacked_sys_ptrace (long request, long pid, long addr, long data)
{
        return -EPERM;
}

int init_module (void) /* module setup */
{
        orig_sys_ptrace = sys_call_table[SYS_ptrace];   /* remember the original */
        sys_call_table[SYS_ptrace] = hacked_sys_ptrace; /* install the replacement */
        return 0;
}

void cleanup_module (void) /* module shutdown */
{
        sys_call_table[SYS_ptrace] = orig_sys_ptrace; /* set ptrace syscall back to the original one */
}
</CODE>

Focus on init_module() and hacked_sys_ptrace().

[e]
--
_______________________________________________________________________________
e () hq sk< /(bb|[^b]{2})/ >http://hq.sk/~euro<
"always know what you say, but do not always say what you know"
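The hiding trick the post describes, a module that filters what the kernel reports so a file or process vanishes from one interface while still existing, is exactly what chkrootkit's chkproc tries to catch by comparing two views of the same information. The C program below is an added example (not from the post, and not chkrootkit's own code) of that cross-view idea for processes: it lists /proc with readdir(), probes every pid with kill(pid, 0), and reports pids that answer the probe but are missing from the listing. MAX_PID is an assumed value for the example; a real tool would read /proc/sys/kernel/pid_max. The Tgid check handles the classic false positive of this method, threads of a visible process, which also answer kill() without appearing in the /proc listing.

```c
/* Added example, not part of the original post or of chkrootkit: a user-space
 * cross-view check for hidden processes in the spirit of chkrootkit's chkproc.
 * A module that filters getdents()/readdir() results can make /proc/<pid>
 * disappear from a directory listing, but every existing pid still answers
 * kill(pid, 0) (with 0 or EPERM) unless kill() is hooked as well; comparing
 * the two views exposes the gap.  MAX_PID is an assumption for this example;
 * real code should read /proc/sys/kernel/pid_max. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PID 32768

/* View 1: pids that show up when /proc is listed with readdir(). */
static void proc_listing_view(unsigned char *seen, int max_pid)
{
    struct dirent *e;
    DIR *d;

    memset(seen, 0, (size_t)max_pid + 1);
    if ((d = opendir("/proc")) == NULL)
        return;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        /* only purely numeric names are pid directories */
        if (e->d_name[0] != '\0' && *end == '\0' && pid > 0 && pid <= max_pid)
            seen[pid] = 1;
    }
    closedir(d);
}

/* View 2: pids that exist according to kill(pid, 0).  ESRCH is the only
 * answer meaning "no such process"; EPERM means it exists but is not ours. */
static void signal_probe_view(unsigned char *seen, int max_pid)
{
    memset(seen, 0, (size_t)max_pid + 1);
    for (int pid = 1; pid <= max_pid; pid++) {
        errno = 0;
        if (kill(pid, 0) == 0 || errno == EPERM)
            seen[pid] = 1;
    }
}

/* Pure comparison, kept separate so it can be exercised on constructed views:
 * returns how many pids are in the probe view but not in the listing view and
 * writes up to out_cap of them, in ascending order, into out. */
int find_hidden_pids(const unsigned char *listing, const unsigned char *probe,
                     int max_pid, int *out, int out_cap)
{
    int n = 0;
    for (int pid = 1; pid <= max_pid; pid++) {
        if (probe[pid] && !listing[pid]) {
            if (n < out_cap)
                out[n] = pid;
            n++;
        }
    }
    return n;
}

/* Threads answer kill() too and /proc/<tid> exists without being listed, which
 * is chkproc's classic false positive.  Tgid from /proc/<pid>/status tells a
 * thread of a visible process from a genuinely hidden task.  Returns the tgid,
 * or -1 if the status file cannot be read at all. */
static int read_tgid(int pid)
{
    char path[64], line[128];
    int tgid = -1;
    FILE *f;

    snprintf(path, sizeof path, "/proc/%d/status", pid);
    if ((f = fopen(path, "r")) == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL)
        if (sscanf(line, "Tgid: %d", &tgid) == 1)
            break;
    fclose(f);
    return tgid;
}

int main(void)
{
    static unsigned char listing[MAX_PID + 1], probe[MAX_PID + 1];
    int hidden[256], reported = 0;

    proc_listing_view(listing, MAX_PID);
    signal_probe_view(probe, MAX_PID);
    int n = find_hidden_pids(listing, probe, MAX_PID, hidden, 256);
    for (int i = 0; i < n && i < 256; i++) {
        int pid = hidden[i], tgid = read_tgid(pid);
        if (tgid > 0 && tgid != pid && listing[tgid])
            continue;                /* thread of a listed process: expected */
        printf("pid %d answers kill() but is missing from the /proc listing (%s)\n",
               pid, tgid < 0 ? "status unreadable: hidden or already exited"
                             : "status readable: listing is being filtered");
        reported++;
    }
    if (reported == 0)
        puts("no unexplained gap between /proc listing and kill() probe");
    return 0;
}
```

The two views are taken one after the other, so a process that starts or exits between them shows up as a one-off discrepancy; run the check twice and only trust a pid reported both times. The deeper caveat is the one the post itself makes: a module that hooks kill() and open() as well as getdents() defeats every user-space comparison, which is why the cross-view trick is a cheap first check and not a substitute for verifying the kernel from outside the possibly compromised system.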