Dailydave mailing list archives

Re: DR Linux 2.6 rootkit released


From: Joanna Rutkowska <joanna () invisiblethings org>
Date: Thu, 04 Sep 2008 23:44:27 +0200


[resending from my DD-known address]

Bas Alberts wrote:

> The rootkit engine (DR.c) was written by Bas Alberts and consists of a
> debug register based hooking engine that does not modify the IDT or
> syscall table at all.

Sorry for being lazy and not looking into your source code, but one of the two
most important questions one should ask is: what do you hook to handle #DB in
your code? Choices are:
1) IDT
2) Linux IDT handler (or some other Linux *code* modification)
3) some function pointer that is used by Linux kernel during #DB handling
(registering for #DB delivery as some callback would be a variation of this)
4) something that is neither a code nor a function pointer (?!)

You said it was not #1. No, #2 is not interesting at all (trivially detectable by
code hashing). So I assume you do #3, right?

> Detection
> =========
>
> In its current form there is no prevention of someone else accessing
> the debug registers. This could be easily added with GD access flag
> control, however this is left as an exercise to the reader.


Ho ho :) The GD flag allows you to detect that others want to use the debug
registers. But this is only the beginning of the story -- the real question is
what you do next? You have two options:
1) "emulate" reads/writes to DRx (but don't touch the physical register)
2) stop using given DRx and give it back to the system

One might be tempted to go with #1 as it sounds easy, but this is trivially
detectable by a simple program that sets e.g. a read access breakpoint somewhere
in its code and then checks whether that breakpoint actually *works*.

So, option #2 is a better choice. But then the problem is: how do you know when
the OS stops using the DRx so that you can claim it back? Not an easy problem, as
Rafal found out when he was coding his First Xen Hypervisor Rootkit (he also
coded The Second XHR), incidentally also called the DR rootkit :)

You can find Rafal's presentation here:

http://invisiblethingslab.com/bh08/part2.pdf

and also working code (with full GD support with DRx give-back):
http://invisiblethingslab.com/bh08/code/part1/xen-subvert-0.8.2.tgz

There is also a paper Rafal wrote about this for all the people who like to
read something before going to sleep:
http://invisiblethingslab.com/bh08/papers/part1-subverting_xen.pdf

(You can also read about a different Xen Hypervisor Rootkit implementation there).

> References
> ==========
>
> 1) The IA-32 Software Developer's Manual Vol. 3B, Chapter 18
> 2) Mystifying the debugger, Phrack 65-8, halfdead

For sure I wasn't the first one using DRx for rootkit/backdoor coding, but I
think my 2006 Black Hat presentation predates this Phrack article:

http://invisiblethings.org/papers/joanna%20rutkowska%20-%20subverting%20vista%20kernel.ppt

(slide #41)

:)

joanna.
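The check Joanna describes above (arm a hardware breakpoint on your own memory and verify that it actually fires) as an added example; this is not code from the thread, from DR.c or from the Xen rootkit. It is a Linux x86-64 C program that forks a child, programs DR0/DR7 for it through ptrace, and then confirms that the child's write to the watched variable is delivered as #DB/SIGTRAP. The DR7 and DR6 bit layout follows the IA-32 SDM Vol. 3B that Bas cites; the function names `dr7_encode`, `dr6_hit`, `hwbp_self_test` and the `watched` variable are my own. The result distinguishes a working breakpoint (`HWBP_FIRED`), a ptrace that was refused by the environment (`HWBP_UNAVAILABLE`, e.g. seccomp or a container), and the suspicious case where DR writes are accepted but the trap never arrives (`HWBP_NOT_FIRED`), which is exactly the symptom of "emulated" DRx that the mail warns about.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* DR7 R/W and LEN field encodings (IA-32 SDM Vol. 3B, debug registers). */
enum dr_rw  { DR_RW_EXEC = 0, DR_RW_WRITE = 1, DR_RW_IO = 2, DR_RW_READWRITE = 3 };
enum dr_len { DR_LEN_1 = 0, DR_LEN_2 = 1, DR_LEN_8 = 2, DR_LEN_4 = 3 };

/* Build a DR7 value that locally enables breakpoint idx (0..3) with the given type/length. */
uint64_t dr7_encode(int idx, enum dr_rw rw, enum dr_len len)
{
    uint64_t dr7 = 0;
    dr7 |= 1ULL << (idx * 2);                 /* Ln: local enable bit            */
    dr7 |= (uint64_t)rw  << (16 + idx * 4);   /* R/Wn: break on exec/write/rw    */
    dr7 |= (uint64_t)len << (18 + idx * 4);   /* LENn: size of the watched range */
    return dr7;
}

/* DR6 bits B0..B3 record which breakpoint condition was met. */
int dr6_hit(uint64_t dr6, int idx)
{
    return (int)((dr6 >> idx) & 1);
}

enum hwbp_result { HWBP_FIRED = 0, HWBP_NOT_FIRED = 1, HWBP_UNAVAILABLE = -1 };

static volatile int watched;   /* constructed target variable for the watchpoint */

static enum hwbp_result kill_and_reap(pid_t pid, enum hwbp_result r)
{
    ptrace(PTRACE_KILL, pid, NULL, NULL);
    waitpid(pid, NULL, 0);
    return r;
}

/* Arm DR0 (4-byte write watchpoint on `watched`) for a traced child and check that #DB is delivered. */
enum hwbp_result hwbp_self_test(void)
{
#if !defined(__x86_64__) || !defined(__linux__)
    return HWBP_UNAVAILABLE;   /* the struct user offsets below are x86-64 Linux specific */
#else
    pid_t pid = fork();
    if (pid < 0) return HWBP_UNAVAILABLE;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(2);
        raise(SIGSTOP);        /* pause until the parent has programmed DR0/DR7 */
        watched = 42;          /* the access the watchpoint must catch */
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status) || WSTOPSIG(status) != SIGSTOP)
        return HWBP_UNAVAILABLE;   /* tracing refused: seccomp, container policy, etc. */

    size_t dr0_off = offsetof(struct user, u_debugreg[0]);
    size_t dr7_off = offsetof(struct user, u_debugreg[7]);
    if (ptrace(PTRACE_POKEUSER, pid, dr0_off, (void *)&watched) < 0 ||
        ptrace(PTRACE_POKEUSER, pid, dr7_off, (void *)dr7_encode(0, DR_RW_WRITE, DR_LEN_4)) < 0)
        return kill_and_reap(pid, HWBP_UNAVAILABLE);

    if (ptrace(PTRACE_CONT, pid, NULL, NULL) < 0 || waitpid(pid, &status, 0) < 0)
        return kill_and_reap(pid, HWBP_UNAVAILABLE);

    if (WIFEXITED(status))
        return HWBP_NOT_FIRED;     /* child ran to completion: the DR write was swallowed */
    if (!WIFSTOPPED(status) || WSTOPSIG(status) != SIGTRAP)
        return kill_and_reap(pid, HWBP_UNAVAILABLE);

    errno = 0;
    long dr6 = ptrace(PTRACE_PEEKUSER, pid, offsetof(struct user, u_debugreg[6]), NULL);
    if (dr6 == -1 && errno) return kill_and_reap(pid, HWBP_UNAVAILABLE);
    return kill_and_reap(pid, dr6_hit((uint64_t)dr6, 0) ? HWBP_FIRED : HWBP_NOT_FIRED);
#endif
}

int main(void)
{
    switch (hwbp_self_test()) {
    case HWBP_FIRED:       puts("DR0 watchpoint fired: debug registers behave as documented"); return 0;
    case HWBP_NOT_FIRED:   puts("DR0 accepted but never fired: DRx may be emulated/hijacked"); return 1;
    default:               puts("ptrace unavailable here, cannot test debug registers");      return 2;
    }
}
```

No root is needed: a PTRACE_TRACEME child is always traceable by its parent regardless of Yama's ptrace_scope. A rootkit that answers DR writes with option #1 ("emulate" and never touch the physical register) lets the child run to `_exit(0)` and shows up as `HWBP_NOT_FIRED`; one that gives the register back (option #2) is indistinguishable from a clean system with this test, which is Joanna's point about why #2 is the harder but better choice for the attacker and why detection then needs a different angle.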