Dailydave mailing list archives
Re: DR Linux 2.6 rootkit released
From: Joanna Rutkowska <joanna () invisiblethings org>
Date: Thu, 04 Sep 2008 23:44:27 +0200
[resending from my DD-known address]

Bas Alberts wrote:
> The rootkit engine (DR.c) was written by Bas Alberts and consists of a
> debug register based hooking engine that does not modify the IDT or
> syscall table at all.
Sorry for being lazy and not looking into your source code, but one of the 2 most important questions one should ask is: what do you hook to handle #DB in your code? Choices are:

1) IDT
2) Linux IDT handler (or some other Linux *code* modification)
3) some function pointer that is used by the Linux kernel during #DB handling (registering for #DB delivery as some callback would be a variation of this)
4) something that is neither code nor a function pointer (?!)

You said it was not #1. No #2 is not interesting at all (trivially detectable by code hashing). So I assume you do #3, right?
> Detection
> =========
>
> In its current form there is no prevention of someone else accessing the
> debug registers. This could be easily added with GD access flag control,
> however this is left as an exercise to the reader.
Ho ho :) GD flag allows you to detect that others want to use the debug registers. But this is only the beginning of the story -- the real question is what you do next? You have two options:

1) "emulate" reads/writes to DRx (but don't touch the physical register)
2) stop using the given DRx and give it back to the system

One might be tempted to go with #1 as it sounds easy, but this is trivially detectable by a simple program that sets e.g. a read access breakpoint somewhere in its code and then tests whether that breakpoint actually *works*. So, option #2 is a better choice. But then the problem is: how do you know when the OS stops using the DRx so that you can claim it back? Not an easy problem, as Rafal found out when he was coding his First Xen Hypervisor Rootkit (he also coded The Second XHR), incidentally also called the DR rootkit :)

You can find Rafal's presentation here:
http://invisiblethingslab.com/bh08/part2.pdf

and also working code (with full GD support with DRx give-back):
http://invisiblethingslab.com/bh08/code/part1/xen-subvert-0.8.2.tgz

There is also a paper Rafal wrote about this, for all the people that like to read something before going to sleep:
http://invisiblethingslab.com/bh08/papers/part1-subverting_xen.pdf

(You can also read about a different Xen Hypervisor Rootkit implementation there.)
> References
> ==========
>
> 1) The IA32 Software Developers Manual Vol. 3B, Chapter 18
> 2) Mystifying the debugger, Phrack 65-8, halfdead
For sure I wasn't the first one using DRx for rootkit/backdoor coding, but I think my 2006 Black Hat presentation predates this Phrack article:
http://invisiblethings.org/papers/joanna%20rutkowska%20-%20subverting%20vista%20kernel.ppt
(slide #41) :)

joanna.
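The detection test Joanna describes above (set a hardware breakpoint, then check whether it actually fires, which a DRx "emulator" that never touches the physical register cannot pass) is easy to write on Linux without poking DR0-DR7 yourself. The program below is an added example, not code from this thread, from Bas Alberts' DR.c, or from Rafal's xen-subvert: it asks the kernel for a read/write data breakpoint on a variable it owns through perf_event_open (PERF_TYPE_BREAKPOINT), touches the variable, and reads the hit counter. It uses a data breakpoint rather than the code breakpoint mentioned in the mail because x86 does not support read-only breakpoints and a data address is simpler to own. The DR7 helpers (dr7_encode, dr7_slot_enabled, dr7_gd_set) follow the register layout from the IA-32 SDM Vol. 3B debug chapter the quoted references point to, so you can see where the GD flag Bas mentions lives; the function names and the three-valued result convention are this example's own choices.

```c
/*
 * hwbp_probe.c -- added example, not code from the thread or from the DR
 * rootkit it discusses. Implements the check described in the mail: ask
 * the kernel for a hardware data breakpoint on a variable we own, touch
 * the variable, and see whether the breakpoint actually fires. Emulated
 * debug registers (writes accepted, physical DRx untouched) leave the
 * breakpoint silently dead, which this probe reports.
 *
 * Linux only (perf_event_open with PERF_TYPE_BREAKPOINT); elsewhere the
 * probe reports "unavailable". DR7 bit positions follow the IA-32 SDM
 * Vol. 3B debug-register chapter.
 */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <linux/hw_breakpoint.h>
#include <linux/perf_event.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#endif

/* DR7 layout: L/G enable bits for slot n at bits 2n and 2n+1, GD at bit 13,
 * R/W field of slot n at bits 16+4n..17+4n, LEN at 18+4n..19+4n. */
enum { DR7_GD_BIT = 13, DR7_RW_SHIFT = 16, DR7_LEN_SHIFT = 18 };
enum { DR_RW_EXEC = 0, DR_RW_WRITE = 1, DR_RW_IO = 2, DR_RW_RDWR = 3 };
enum { DR_LEN_1 = 0, DR_LEN_2 = 1, DR_LEN_8 = 2, DR_LEN_4 = 3 };

/* Build the DR7 value enabling `slot` (0..3) with the given R/W and LEN
 * fields. `gd` sets General Detect: any MOV to/from DR0-DR7 then raises
 * #DB, which is how code owning the registers notices someone else
 * (the OS, or a detector) trying to use them. */
uint32_t dr7_encode(int slot, unsigned rw, unsigned len,
                    int local, int global, int gd)
{
    uint32_t v = 0;
    if (local)  v |= 1u << (2 * slot);
    if (global) v |= 1u << (2 * slot + 1);
    v |= (rw  & 3u) << (DR7_RW_SHIFT  + 4 * slot);
    v |= (len & 3u) << (DR7_LEN_SHIFT + 4 * slot);
    if (gd) v |= 1u << DR7_GD_BIT;
    return v;
}

/* Nonzero if the local or global enable bit of `slot` is set. */
int dr7_slot_enabled(uint32_t dr7, int slot)
{
    return ((dr7 >> (2 * slot)) & 3u) ? 1 : 0;
}

/* Nonzero if the GD (General Detect) flag is set. */
int dr7_gd_set(uint32_t dr7)
{
    return (int)((dr7 >> DR7_GD_BIT) & 1u);
}

static volatile uint32_t watched;  /* the location we put the breakpoint on */

/* Returns 1 if a read/write breakpoint on `watched` fires as expected,
 * 0 if the kernel accepted the breakpoint but it never triggered (the
 * symptom of emulated debug registers), and -1 if hardware breakpoints
 * are unavailable here (perf denied, no HW breakpoint support, non-Linux). */
int probe_hw_breakpoint(void)
{
#ifdef __linux__
    struct perf_event_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.type = PERF_TYPE_BREAKPOINT;
    attr.size = sizeof attr;
    attr.bp_type = HW_BREAKPOINT_R | HW_BREAKPOINT_W; /* x86 DR7 R/W = 11 */
    attr.bp_addr = (uintptr_t)&watched;
    attr.bp_len = HW_BREAKPOINT_LEN_4;
    attr.disabled = 1;
    attr.exclude_kernel = 1;
    attr.exclude_hv = 1;

    /* pid 0 = calling thread, cpu -1 = any CPU, no group leader, no flags */
    long fd = syscall(SYS_perf_event_open, &attr, 0, -1, -1, 0);
    if (fd < 0)
        return -1;

    ioctl((int)fd, PERF_EVENT_IOC_RESET, 0);
    ioctl((int)fd, PERF_EVENT_IOC_ENABLE, 0);
    watched = 0x41414141;          /* one write access */
    uint32_t readback = watched;   /* one read access  */
    ioctl((int)fd, PERF_EVENT_IOC_DISABLE, 0);
    (void)readback;

    uint64_t hits = 0;
    ssize_t n = read((int)fd, &hits, sizeof hits);
    close((int)fd);
    if (n != (ssize_t)sizeof hits)
        return -1;
    return hits > 0 ? 1 : 0;  /* a working DRx gives 2 hits here */
#else
    return -1;
#endif
}

int main(void)
{
    uint32_t dr7 = dr7_encode(0, DR_RW_RDWR, DR_LEN_4, 1, 0, 1);
    printf("DR7 for slot 0, R/W, 4 bytes, local enable, GD: 0x%08x\n", dr7);
    switch (probe_hw_breakpoint()) {
    case 1:  puts("breakpoint fired: DR0-DR3 behave as advertised"); break;
    case 0:  puts("breakpoint accepted but never fired: debug registers may be emulated"); break;
    default: puts("hardware breakpoints unavailable in this environment"); break;
    }
    return 0;
}
```

Run it as an unprivileged user; if kernel.perf_event_paranoid or a container seccomp profile denies perf_event_open, the probe reports "unavailable" rather than a false "emulated" verdict, so a monitoring job should treat only the 0 result as a finding. Note that this only tests the give-back path from the mail: a rootkit that really returns the DRx to the OS on a GD hit will pass this probe, which is exactly why Joanna calls option #2 the better choice.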