--[ 0x01 Introduction
In this article I will show the basic technique that rootkits use to
hook system calls in kernel mode. I will deal only with Linux 2.6 on
x86-32 and x86-64. At the end we are going to hook the setuid system
call so that, when it is called with a "magic" uid as its argument, it
gives root to the calling process.
--[ 0x02 Kernel mode hooking basic theory
Modern operating systems on the x86 architecture use the well-known
protected mode. In protected mode there are 4 privilege levels, 0 to 3
(a.k.a. ring0 - ring3). The highest-numbered level (the least
privileged) is userland (ring3) and the lowest-numbered level (the most
privileged) is kernel mode (ring0). Applications run in userland and
enter the kernel through a dedicated instruction, passing the number of
the system call they want in a register (eax on x86-32, rax on x86-64)
and the arguments in the registers the ABI defines (ebx, ecx, edx, esi,
edi, ebp on x86-32; rdi, rsi, rdx, r10, r8, r9 on x86-64). On Linux
x86-32 this instruction is the software interrupt "int $0x80" (glibc
may also use "sysenter" through the vDSO on CPUs that support it). On
Linux x86-64 it is "syscall", which is not an interrupt but a fast
system call instruction. Either way the CPU switches from ring3 to
ring0 and lands in the kernel entry point, system_call
(arch/x86/kernel/entry_32.S and entry_64.S), which uses the system call
number as an index into sys_call_table to reach the handler. That table
lookup is exactly the point a rootkit hooks: replace the pointer, and
every caller of that system call runs the rootkit's code first. Let's
see the source code for x86-32.
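The userland half of that transition, as an added example that is not
part of the original article: a small C program that issues system
calls the way the entry path above receives them, with the number in
eax/rax, the arguments in the ABI registers, and then "int $0x80" or
"syscall" to trap into ring0. The system call numbers (getpid is 20 on
x86-32 and 39 on x86-64, write is 4 and 1) and the register conventions
are the real Linux x86 ABI; on any other architecture or OS the code
falls back to libc's syscall(2) so it still builds. The kernel returns
-errno in eax/rax, and the example shows that convention directly
rather than libc's -1 plus errno.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Real Linux x86 system call numbers; elsewhere use libc's names. */
#if defined(__linux__) && defined(__x86_64__)
#define NR_WRITE  1
#define NR_GETPID 39
#elif defined(__linux__) && defined(__i386__)
#define NR_WRITE  4
#define NR_GETPID 20
#else
#define NR_WRITE  SYS_write
#define NR_GETPID SYS_getpid
#endif

/* Issue a system call with up to three arguments exactly as the kernel
 * entry code expects it: number in eax/rax, args in the ABI registers,
 * then the trap instruction. Returns the raw kernel result (-errno on
 * failure). */
static long raw_syscall3(long nr, long a1, long a2, long a3)
{
    long ret;
#if defined(__linux__) && defined(__x86_64__)
    /* x86-64: rax = number, rdi/rsi/rdx = first three args. "syscall"
     * enters the kernel at system_call (entry_64.S) and clobbers
     * rcx (return address) and r11 (saved rflags). */
    register long r_a1 __asm__("rdi") = a1;
    register long r_a2 __asm__("rsi") = a2;
    register long r_a3 __asm__("rdx") = a3;
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"(nr), "r"(r_a1), "r"(r_a2), "r"(r_a3)
                      : "rcx", "r11", "memory");
#elif defined(__linux__) && defined(__i386__)
    /* x86-32: eax = number, ebx/ecx/edx = first three args. "int $0x80"
     * enters the kernel at system_call (entry_32.S). */
    __asm__ volatile ("int $0x80"
                      : "=a"(ret)
                      : "a"(nr), "b"(a1), "c"(a2), "d"(a3)
                      : "memory");
#else
    /* Not Linux/x86: let libc do the trap, but keep the kernel-style
     * -errno return so callers see the same convention. */
    ret = syscall(nr, a1, a2, a3);
    if (ret == -1)
        ret = -errno;
#endif
    return ret;
}

/* getpid(2) through the raw trap; must match libc's getpid(). */
long raw_getpid(void)
{
    return raw_syscall3(NR_GETPID, 0, 0, 0);
}

/* write(2) through the raw trap; returns bytes written or -errno. */
long raw_write(int fd, const char *buf, size_t len)
{
    return raw_syscall3(NR_WRITE, fd, (long)buf, (long)len);
}

/* The kernel signals failure by returning a value in (-4096, 0):
 * the negated errno. This is the check libc performs before it sets
 * errno and returns -1. */
int raw_call_failed(long ret)
{
    return ret < 0 && ret > -4096;
}

int main(void)
{
    const char msg[] = "hello from ring3\n";
    long pid = raw_getpid();
    long n = raw_write(1, msg, strlen(msg));
    long bad = raw_write(-1, msg, strlen(msg));  /* fd -1: -EBADF */

    printf("raw getpid=%ld libc getpid=%ld\n", pid, (long)getpid());
    printf("write returned %ld, bad fd returned %ld (failed=%d)\n",
           n, bad, raw_call_failed(bad));
    return pid == (long)getpid() ? 0 : 1;
}
```

Once the hook from this article is in place, nothing in this program
changes: the number still selects the slot in sys_call_table, it is
only the function pointer stored in that slot that now points at the
rootkit's handler instead of the original.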
test again
oblique@gentoo ~/hello_kernel $ ls
hello_kernel.c Makefile
oblique@gentoo ~/hello_kernel $ make
make -C /lib/modules/2.6.34-zen1/build M=/home/oblique/hello_kernel modules
make[1]: Entering directory `/usr/src/linux-2.6.34-zen1-r2'
CC [M] /home/oblique/hello_kernel/hello_kernel.o
Building modules, stage 2.
MODPOST 1 modules
CC /home/oblique/hello_kernel/hello_kernel.mod.o
LD [M] /home/oblique/hello_kernel/hello_kernel.ko
make[1]: Leaving directory `/usr/src/linux-2.6.34-zen1-r2'
oblique@gentoo ~/hello_kernel $ sudo insmod hello_kernel.ko
oblique@gentoo ~/hello_kernel $ dmesg
...
...
[60947.072113] Hello kernel!
oblique@gentoo ~/hello_kernel $ sudo rmmod hello_kernel
oblique@gentoo ~/hello_kernel $ dmesg
...
...
[60947.072113] Hello kernel!
[61105.613280] Bye bye kernel!
oblique@gentoo ~/hello_kernel $
Testing Hahaha!