Rootkit 101 - 2nd Edition
cmj @ 2015
1
> rootkit
A rootkit is a stealthy type of software, typically malicious, designed to hide running processes / files / network connections
2
Tamper and Hide
3
Simple Rootkit Design - lv1
• You can cheat the user
• Replace the command used to get resource status
• ls / ps / top / …etc
• You DID NOT actually tamper with the tool, you only cheat the user
4
Cheat ls
5
Simple Rootkit Design - lv2
• Replace the tool used to query the resource
• A wrapper of the original tool
• Rebuild the tool
• … etc
6
Replacement
7
• All of the previous tools give an unusual response
• Color / syntax missing
• Layout does not match
• … etc
• We NEED to stay mysterious and unknown
8
Useful Rootkit Design - lv3
• Understand how ls works - ls will call …
• opendir
• readdir
• … etc
• You can trace it with strace / dtruss / …etc
9
Shared Library Hook using LD_PRELOAD
10
LD_PRELOAD Hook
11
But you can still find clues on the system
• The extra library in the configuration / environment
• You can still find the file / folder
What if I directly use dlopen / dlsym like the rootkit does …
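The two clues above are checkable from a defender's side. The following is an added example (not code from the original slides): it lists a directory once through libc's readdir(), which an LD_PRELOAD hook can filter, and once through the raw getdents64 syscall, which a userland hook cannot touch, and reports every name the kernel returns but readdir() omits. It also checks the "extra library in the environment" clue (LD_PRELOAD set, or a non-empty /etc/ld.so.preload). It is Linux-only because of getdents64; function names, buffer sizes and the directory-entry struct layout are the example's own assumptions.

```c
// Added example: detect a readdir()-level LD_PRELOAD hook by comparing libc's
// view of a directory with the kernel's view (raw getdents64 syscall).
// Linux-only. Names and sizes below are this example's own assumptions.
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>

#define MAX_ENTRIES 1024
#define NAME_MAX_LEN 256

/* Record layout getdents64 writes into its buffer (matches the kernel ABI). */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* Collect entry names via libc readdir(); this path may be hooked. */
static int list_via_readdir(const char *path, char names[][NAME_MAX_LEN], int max) {
    DIR *d = opendir(path);
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while (n < max && (e = readdir(d)) != NULL) {
        strncpy(names[n], e->d_name, NAME_MAX_LEN - 1);
        names[n][NAME_MAX_LEN - 1] = '\0';
        n++;
    }
    closedir(d);
    return n;
}

/* Collect entry names straight from the kernel, bypassing libc entirely. */
static int list_via_getdents64(const char *path, char names[][NAME_MAX_LEN], int max) {
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[32768];
    int n = 0;
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (nread <= 0) break;              /* 0 = end of directory, -1 = error */
        for (long pos = 0; pos < nread && n < max; ) {
            struct linux_dirent64 *ent = (struct linux_dirent64 *)(buf + pos);
            strncpy(names[n], ent->d_name, NAME_MAX_LEN - 1);
            names[n][NAME_MAX_LEN - 1] = '\0';
            n++;
            pos += ent->d_reclen;
        }
    }
    close(fd);
    return n;
}

/* Number of names the kernel reports but readdir() omits, i.e. entries that
   something in userland is hiding from this process; -1 on error. */
int count_hidden_entries(const char *path) {
    static char via_libc[MAX_ENTRIES][NAME_MAX_LEN];
    static char via_kernel[MAX_ENTRIES][NAME_MAX_LEN];
    int nl = list_via_readdir(path, via_libc, MAX_ENTRIES);
    int nk = list_via_getdents64(path, via_kernel, MAX_ENTRIES);
    if (nl < 0 || nk < 0) return -1;
    int hidden = 0;
    for (int i = 0; i < nk; i++) {
        int found = 0;
        for (int j = 0; j < nl && !found; j++)
            if (strcmp(via_kernel[i], via_libc[j]) == 0) found = 1;
        if (!found) {
            hidden++;
            printf("hidden from readdir(): %s/%s\n", path, via_kernel[i]);
        }
    }
    return hidden;
}

/* The "extra library in the environment" clue: 1 if LD_PRELOAD is set for
   this process or /etc/ld.so.preload exists and is non-empty, else 0. */
int preload_clue_present(void) {
    const char *env = getenv("LD_PRELOAD");
    if (env && *env) return 1;
    struct stat st;
    if (stat("/etc/ld.so.preload", &st) == 0 && st.st_size > 0) return 1;
    return 0;
}

int main(int argc, char **argv) {
    const char *dir = argc > 1 ? argv[1] : ".";
    printf("LD_PRELOAD clue present: %s\n", preload_clue_present() ? "yes" : "no");
    int h = count_hidden_entries(dir);
    if (h < 0) { perror("scan"); return 1; }
    printf("%d entries hidden from readdir() in %s\n", h, dir);
    return 0;
}
```

On a clean system the hidden count is 0 for any directory. A non-zero count means libc's answer and the kernel's answer disagree, which is exactly the inconsistency a lv3 (userland hook) rootkit leaves behind; a lv4 rootkit that answers from inside the kernel would make both views agree, which is the point the next slides make.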
12
Robust Rootkit design - lv4
• Tamper from the kernel-level
• Directly replace the response as deep as possible
• You will never find the rootkit if the response comes from the rootkit
13
What the emperor does not give, you cannot take ~
14
cmj
NEVER knew kernel programming XD
15
Concept
1. Hijack the syscall table
2. Hijack the response function
3. Hijack the data in kernel
4. … etc
16
Thanks for your attention ~
17