Mar 23, 2011

Kernel Mode Testing Plan

--[ 0x01 Introduction

    In this article I will show you the basic technique that rootkits use,
    which we can use to hook system calls in kernel mode. I will deal only
    with Linux 2.6 x86-32 and Linux 2.6 x86-64. In the end we are going to
    hook the setuid system call so that, when it takes a "magic" uid as an
    argument, it gives root to the process.



--[ 0x02 Kernel mode hooking basic theory

    The modern operating systems that run on the x86 architecture use the
    well-known protected mode. In protected mode there are 4 different
    privilege levels, 0 to 3 (a.k.a. ring0 - ring3). The highest level (the
    least privileged) is userland (ring3) and the lowest level (the most
    privileged) is kernel mode (ring0). Applications run in userland and
    they use an interrupt to tell the kernel which system call it has to
    execute. On Linux x86-32 this interrupt is the instruction "int $0x80"
    and on Linux x86-64 it is the instruction "syscall". When the CPU takes
    the interrupt, it switches from ring3 to ring0 and calls system_call.
    Let's see the source code for x86-32.
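    As an added example that is not part of the article (and not the
    author's code), the following C program performs the ring3-to-ring0
    transition described above by hand: it loads the system call number
    into eax/rax, executes "int $0x80" on x86-32 or "syscall" on x86-64,
    and then compares the kernel's answer with what libc's getpid() wrapper
    returns. The numbers used (20 on i386, 39 on x86-64) are the getpid
    entries of the two different system call tables, which is why code for
    the two architectures cannot share them; the fallback to libc's
    syscall(2) on other architectures is the example's own choice so that
    the file still builds there.

```c
/* Added example, not the article's code: invoke getpid without the libc
 * wrapper, using the trap instruction the article names for each x86 flavour.
 * x86-32: "int $0x80" with the i386 table number (getpid = 20) in eax.
 * x86-64: "syscall"   with the x86-64 table number (getpid = 39) in rax.
 * Other architectures fall back to libc's syscall(2) so the file still builds.
 */
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Raw zero-argument system call; returns whatever the kernel left in eax/rax. */
static long raw_syscall0(long nr)
{
    long ret;
#if defined(__x86_64__)
    /* "syscall" clobbers rcx (return address) and r11 (saved rflags). */
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"(nr)
                      : "rcx", "r11", "memory");
#elif defined(__i386__)
    /* "int $0x80": number goes in eax, the result comes back in eax. */
    __asm__ volatile ("int $0x80"
                      : "=a"(ret)
                      : "a"(nr)
                      : "memory");
#else
    /* Not x86: let libc issue the trap with whatever instruction the port uses. */
    ret = syscall(nr);
#endif
    return ret;
}

/* The getpid entry sits at a different index in the two x86 tables. */
static long getpid_nr(void)
{
#if defined(__x86_64__)
    return 39;          /* __NR_getpid in the x86-64 table */
#elif defined(__i386__)
    return 20;          /* __NR_getpid in the i386 table */
#else
    return SYS_getpid;  /* native number from <sys/syscall.h> */
#endif
}

/* Process id obtained through the raw trap, bypassing the libc wrapper. */
long raw_getpid(void)
{
    return raw_syscall0(getpid_nr());
}

/* 1 if the raw trap and the libc wrapper agree on the pid, else 0. */
int raw_matches_libc(void)
{
    return raw_getpid() == (long)getpid();
}

int main(void)
{
    printf("raw trap pid = %ld, libc getpid() = %ld\n",
           raw_getpid(), (long)getpid());
    return raw_matches_libc() ? 0 : 1;
}
```

    Build with "gcc -O2 -o rawpid rawpid.c" and run it; on a 32-bit build
    (-m32) the same source exercises the "int $0x80" path instead. The
    point to take from it is that the only thing userland hands to the
    kernel is a number in a register, so everything that decides which
    function actually runs lives on the ring0 side of the trap.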

3 comments:

  1. oblique@gentoo ~/hello_kernel $ ls
    hello_kernel.c Makefile
    oblique@gentoo ~/hello_kernel $ make
    make -C /lib/modules/2.6.34-zen1/build M=/home/oblique/hello_kernel modules
    make[1]: Entering directory `/usr/src/linux-2.6.34-zen1-r2'
    CC [M] /home/oblique/hello_kernel/hello_kernel.o
    Building modules, stage 2.
    MODPOST 1 modules
    CC /home/oblique/hello_kernel/hello_kernel.mod.o
    LD [M] /home/oblique/hello_kernel/hello_kernel.ko
    make[1]: Leaving directory `/usr/src/linux-2.6.34-zen1-r2'
    oblique@gentoo ~/hello_kernel $ sudo insmod hello_kernel.ko
    oblique@gentoo ~/hello_kernel $ dmesg
    ...
    ...
    [60947.072113] Hello kernel!
    oblique@gentoo ~/hello_kernel $ sudo rmmod hello_kernel
    oblique@gentoo ~/hello_kernel $ dmesg
    ...
    ...
    [60947.072113] Hello kernel!
    [61105.613280] Bye bye kernel!
    oblique@gentoo ~/hello_kernel $
