2025-04-13

Kernel instrumentation using kprobes

by ElfMaster

November 17, 2010

https://phrack.org/issues/67/6

Notes
kprobes
kernel patching
rootkit
backdoor
file hiding
kprobes.txt https://www.kernel.org/doc/Documentation/kprobes.txt
Linux kernel
debugging
x86
debug register
breakpoint
Three types of probes: kprobes, jprobes, kretprobes (aka return probes)
function trampoline
SMP
SMP safety
/sys/kernel/debug/kprobes/list
/sys/kernel/debug/kprobes/enabled (write 0 or 1 to disable/enable all probes)
sys_mprotect
syscall
register
asmlinkage
task_pt_regs
struct jprobe
register_jprobe
opcode
LKM
register_kretprobe
kallsyms_lookup_name
return address
stack
int3
trap
function prologue, function epilogue
eip
Linus Torvalds
Chuck Norris
stack_addr() macro
memcpy
filldir64
struct dirent
jprobe_return
copy_to_user
ls command
GNU coreutils
lstat64
stderr
/dev/null
super user
sys_write
get_task_comm
file descriptor
volatile datatype
pop, push instructions
__kprobes in a function prototype: functions marked this way cannot be hooked with a kprobe
function prototype
CR0
WRITE_PROTECT
.rodata
sys_call_table
const
disable_wp()/enable_wp() – clear or set the CR0 write-protect bit
instrumentation
“Return probe elite” idea
W^X
mprotect, mmap restrictions
PaX
no_exec_pages/NX
burneye
shiva
Elfcrypt
text segment
stub
GPL MODULE_LICENSE
VMA
hooks
sysfs
rootkits designed solely with kprobes can be easily detected
greetz: kad, Silvio, chrak, nynex, mayhem, grugq, halfdead, jimjones (UNIX Terrorist),
scrippie, pronsa, abh, digitalnerds, EFnet, #bitlackeys, RuxCon
References
Handling interrupt descriptor table for fun and profit http://www.phrack.org/issues.html?issue=59&id=4#article
Mystifying the debugger for ultimate stealthness http://www.phrack.org/issues.html?issue=65&id=8#article
Kernel function hijacking (Function trampolines) http://vxheavens.com/lib/vsc08.html
kprobes.txt https://www.kernel.org/doc/Documentation/kprobes.txt