Security Basics mailing list archives

Re: Bug in chkrootkit ?


From: Juraj Ziegler <e () hq sk>
Date: Thu, 31 Jul 2003 01:40:35 +0200

> I'm not sure, but I believe that if an LKM is clever enough (i.e. very well
> programmed), it can really 'wipe' a file/process/??? from the system, so
> it's sometimes hard to diagnose your server

It really can. I never did it (too lazy :), but the concept of doing it is
rather simple. You create a kernel module that "interrupts" the relevant
syscalls: open(), read(), etc. Interrupting here means it changes the syscall
table to call my_open() in place of open(). What my_open() does is check the
parameters for whether they match a "wiped" file. If yes, it returns a value that
would indicate the file does not exist. If not, it just calls the original
open() and returns its return value.

The following code shows how to interrupt ptrace() calls. My less lazy friend
wrote it after we came up with the idea to use it to work around the recent
ptrace() bug in the Linux kernel.

<CODE>
/* Linux 2.4-era module. sys_call_table was still exported by the 2.4 kernel,
 * so a module can simply overwrite one slot of it. On 2.6 and later the table
 * is no longer exported (and is write-protected), so this does not build or
 * load as written there. */
#define MODULE
#define __KERNEL__
#include <linux/module.h>
#include <linux/kernel.h>
#ifdef CONFIG_MODVERSIONS
#include <linux/modversions.h>
#endif
#include <linux/smp_lock.h>
#include <linux/types.h>
#include <linux/dirent.h>
#include <linux/string.h>
#include <linux/mm.h>
#include <linux/sched.h>
#include <linux/errno.h>
#include <asm/unistd.h>   /* __NR_ptrace: the kernel-side list of system call numbers */

MODULE_LICENSE("GPL");


extern void *sys_call_table[];  /* sys_call_table is exported, so we can access it */


/* saved pointer to the kernel's own sys_ptrace(), restored on unload */
asmlinkage int (*orig_sys_ptrace)(long request, long pid, long addr, long data);

#define is_dumpable(tsk) ((tsk)->task_dumpable && (tsk)->mm->dumpable) /* unused in this version */

/* replacement syscall: every ptrace() request is refused outright */
asmlinkage int
hacked_sys_ptrace (long request, long pid, long addr, long data)
{
  return -EPERM;
}

int
init_module (void) /* module setup */
{
  orig_sys_ptrace = sys_call_table[__NR_ptrace];        /* remember the real one */
  sys_call_table[__NR_ptrace] = (void *) hacked_sys_ptrace; /* swap in ours */
  return 0;
}

void
cleanup_module (void) /* module shutdown */
{
  sys_call_table[__NR_ptrace] = (void *) orig_sys_ptrace; /* set ptrace syscall to the
                                                              original one */
}

</CODE>

Focus on init_module() and hacked_sys_ptrace().

[e]

-- 
_______________________________________________________________________________
e () hq sk<                   /(bb|[^b]{2})/                 >http://hq.sk/~euro<
        "always know what you say, but do not always say what you know"
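The file-hiding variant described in the message above (hook open(), answer "no such file" for a wiped path, otherwise fall through to the real open()), as an added example that is not part of the original post or of the module it quotes. It is a user-space model, not a kernel module: the array `sys_call_table`, the stand-in `real_open`, the hidden-path list and the function names are all assumptions made for illustration, but the install/forward/restore logic is the same pattern the posted module applies to ptrace(). The last function is the check a rootkit detector makes: compare the live slot with the known address of the kernel's own handler.

```c
/* Added example (not from the original post): user-space model of a
 * syscall-table hook that hides files from open().
 * Everything here is hypothetical: the table, real_open(), the hidden
 * paths and the function names stand in for their kernel counterparts. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef long (*syscall_fn)(const char *path, int flags);

enum { NR_OPEN = 0, NR_TABLE_SIZE = 1 };

/* stand-in for the kernel's sys_open(): hands out increasing fds */
static long real_open(const char *path, int flags)
{
    static long next_fd = 3;
    (void)path; (void)flags;
    return next_fd++;
}

/* model of sys_call_table: one function pointer per syscall number */
static syscall_fn sys_call_table[NR_TABLE_SIZE] = { real_open };

/* constructed list of paths the "rootkit" wants wiped from view */
static const char *const hidden_paths[] = { "/tmp/.hidden", "/usr/lib/.rk" };

/* saved original, as orig_sys_ptrace in the posted module */
static syscall_fn orig_open = NULL;

/* replacement open(): pretend hidden paths do not exist, forward the rest */
static long hooked_open(const char *path, int flags)
{
    size_t i;
    for (i = 0; i < sizeof hidden_paths / sizeof hidden_paths[0]; i++)
        if (strcmp(path, hidden_paths[i]) == 0)
            return -ENOENT;            /* "file does not exist" */
    return orig_open(path, flags);     /* unchanged behaviour otherwise */
}

/* the init_module() step: remember the real handler, swap in ours */
int install_hook(void)
{
    if (orig_open != NULL)
        return -EBUSY;                 /* already installed */
    orig_open = sys_call_table[NR_OPEN];
    sys_call_table[NR_OPEN] = hooked_open;
    return 0;
}

/* the cleanup_module() step: put the real handler back */
void remove_hook(void)
{
    if (orig_open == NULL)
        return;
    sys_call_table[NR_OPEN] = orig_open;
    orig_open = NULL;
}

/* what a process (or a scanner opening files) actually goes through */
long do_open(const char *path, int flags)
{
    return sys_call_table[NR_OPEN](path, flags);
}

/* detector's view: does the slot still point at the known real handler?
 * In a real 2.4 kernel this is the comparison against System.map. */
int open_slot_is_hooked(void)
{
    return sys_call_table[NR_OPEN] != real_open;
}

int main(void)
{
    printf("before hook: /tmp/.hidden -> %ld, hooked=%d\n",
           do_open("/tmp/.hidden", 0), open_slot_is_hooked());
    install_hook();
    printf("with hook:   /tmp/.hidden -> %ld, /etc/passwd -> %ld, hooked=%d\n",
           do_open("/tmp/.hidden", 0), do_open("/etc/passwd", 0),
           open_slot_is_hooked());
    remove_hook();
    printf("after unload: /tmp/.hidden -> %ld, hooked=%d\n",
           do_open("/tmp/.hidden", 0), open_slot_is_hooked());
    return 0;
}
```

The point of open_slot_is_hooked() is that a hook of this kind cannot be seen from the file system it lies about, only by checking the table itself against an independent record of where the real handlers live; a checker that is itself running through the hooked open() sees exactly what the module wants it to see.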
