📄 lkmlecture.html

<HTML>

<HEAD>

      <TITLE>Loadable Kernel Modules [LKM] Lecture</TITLE>

</HEAD>

<BODY>

<br>

<CENTER>

<HR SIZE=1 NOSHADE WIDTH="45%">

Loadable Kernel Modules [LKM] Lecture<br>

By <a href="mailto:the__unknown_@hotmail.com">Unknown</a><br>

HTML by <a href="mailto:rammal81@hotmail.com">Mikkkeee</a><br>

For <A HREF="http://blacksun.box.sk">Blacksun Research Facility [BSRF]</A><br>



<A HREF="http://blacksun.box.sk">http://blacksun.box.sk</A><br>



<HR SIZE=1 NOSHADE WIDTH="61%"><br></center>



<P><B>LKM file can be downloaded from <A HREF="http://blacksun.box.sk/mirror/LKM.zip">http://blacksun.box.sk/mirror/LKM.zip</A></B>



<P>&lt;sts|> a zip ???

<BR>&lt;Mikkkeee> guys the lecture started?

<BR>&lt;Hijack> 5k

<BR>&lt;mezzano> it's mikkkeee sup man told you I wouldn't miss this one ;)

<BR>&lt;SpiderMan> around 5k

<BR>&lt;SpiderMan> not large at all

<BR>&lt;Syrup> anyone know how juno password algorithm works?

<BR>&lt;Phr3k> small

<BR>&lt;Mikkkeee> guys the lecture started?

<BR>&lt;SpiderMan> not yet Mikkkeee

<BR>&lt;SpiderMan> just told everyone to download the file

<BR>*** Mikkkeee sets mode: +v unknown

<BR>&lt;unknown> No it starts now

<BR>&lt;Revelant-Angel> i can read anything all messages are flying past me

<BR>*** Retrieving #bsrf info...

<BR>*** Revelant-Angel has quit IRC (Quit:)

<BR>&lt;feds> what is it???

<BR>&lt;Syrup> yay lecture

<BR>*** DarkneSs has joined #bsrf

<BR>&lt;Mikkkeee> its a zip unknown set up

<BR>*** bulgarinche has joined #bsrf

<BR>&lt;Mikkkeee> http://blacksun.box.sk/mirror/LKM.zip

<BR>&lt;Phr3k> i dunno what LKM even is

<BR>&lt;Mikkkeee> loadable kernel modules

<BR>&lt;unknown> I will explain every thing

<BR>&lt;freakOVER> don't get excited kids!

<BR>&lt;freakOVER> :)

<BR>&lt;feds> hey

<BR>&lt;feds> me 2!

<BR>&lt;Mikkkeee> well someone log this too

<BR>&lt;}{exadecimal> LKM = Loadable Kernel Module

<BR>*** optimum has quit IRC (Quit: )

<BR>&lt;Phr3k> is this lecture applicable to even beginners

<BR>* freakOVER is loggin

<BR>&lt;freakOVER> ;)

<BR>&lt;}{exadecimal> i'm logging Mikkkeee

<BR>&lt;Phr3k> i'm a beginner beginner

<BR>&lt;Dustin> obviously

<BR>*** wascy has joined #bsrf

<BR>&lt;Mikkkeee> ---------beginning of lecture---------------

<BR>&lt;feds> any other celeb like u

<BR>*** Mikkkeee sets mode: +m

<BR>&lt;Mikkkeee> if anyone wants voice msg an op

<BR>*** Mikkkeee sets mode: -m

<BR>&lt;unknown> OK lets start

<BR>&lt;ControlC> SWEET

<BR>*** _jacs- is now known as jacs

<BR>&lt;D|GiTaLM0nKe3> k

<BR>&lt;wascy> me, pls.

<BR>&lt;Mikkkeee> wait who wants voice

<BR>&lt;}{exadecimal> do we need a c compiler? there's a c file in that zip

<BR>&lt;sts|> which kernel version?

<BR>&lt;sts|> 2.2 2.4?

<BR>&lt;Dustin> i would like voice

<BR>&lt;D|GiTaLM0nKe3> I do

<BR>&lt;twix> me

<BR>&lt;Phr3k> i want voice

<BR>&lt;|StYxX|> no one talk for a sec

<BR>&lt;wascy> i'd like. thx.

<BR>&lt;freakOVER> ouch

<BR>&lt;snider> }{exadecimal: If you use linux you have gcc, if you don't use linux the LKM won't compile anyways

<BR>*** Mikkkeee sets mode: +v Phr3k

<BR>*** Mikkkeee sets mode: +m

<BR>&lt;unknown> you need GCC

<BR>&lt;Mikkkeee> unknown you can begin

<BR>&lt;unknown> LKMs (loadable kernel modules) are used to increase

<BR>&lt;unknown> the kernel's functionality at run time.

<BR>*** Mikkkeee sets mode: +v mezzano

<BR>&lt;unknown> which means you don't have to recompile the entire kernel to

<BR>&lt;unknown> use load it.

<BR>&lt;unknown> This is why it is used for many device drivers.

<BR>&lt;unknown> Because LKM are used as part of the kernel it

<BR>&lt;unknown> gives us endless ways to use it for our benefits :)

<BR>*** SpiderMan has quit IRC (Ping timeout: 180 seconds)

<BR>&lt;freakOVER> are LKMs slower to load?

<BR>*** SpiderMan has joined #bsrf

<BR>*** ChanServ sets mode: +o SpiderMan

<BR>&lt;unknown> Every LKM contains 2 main functions

<BR>*** h4x0r3d has joined #bsrf

<BR>&lt;unknown> int init_module(void) and cleanup_module

<BR>*** jacs has joined #bsrf

<BR>*** _sokrates- has quit IRC (Quit: Leaving)

<BR>&lt;unknown> init_module is called when the module is loaded and cleanup_module

<BR>&lt;unknown> is called when you remove it. init_module should return 0

<BR>&lt;unknown> to signal that everything is OK.

<BR>&lt;unknown> We also must define MODULE and include linux/module.h for

<BR>&lt;unknown> module configurations, definitions, macros etc.

<BR>*** Phish has joined #bsrf

<BR>&lt;unknown> So now we can code our first helloworld LKM

<BR>&lt;unknown> look at helloworld.c see if you understand everything.

<BR>&lt;unknown> (it should be easy).

<BR>&lt;unknown> If u wonder why i used printk and not printf it's

<BR>&lt;unknown> because we are running in kernel mode which

<BR>&lt;unknown> means we can use a restricted set of functions

<BR>&lt;unknown> A list of useful funcs is in func_list.txt.

<BR>*** D|GiTaLM0nKe3 has left #bsrf

<BR>&lt;unknown> questions ?

<BR>*** snider sets mode: -m

<BR>&lt;mezzano> that was deep ;)

<BR>&lt;freakOVER> ya

<BR>&lt;freakOVER> are LKMs slower to load up than if u just compiled the kernel with them?

<BR>&lt;freakOVER> hey it's just a question :P

<BR>&lt;unknown> You load it into kernel space in run-time

<BR>&lt;snider> feds: i'll send the files

<BR>&lt;sts|> you load them.. then they run like they were compiled into the kernel

<BR>&lt;freakOVER> ah ok

<BR>&lt;feds> i have them

<BR>&lt;Hijack> passwords can be captured using the LKM

<BR>&lt;unknown> Yes

<BR>&lt;Hijack> have them sent through e-mail

<BR>&lt;unknown> you can do almost everything using LKM

<BR>&lt;}{exadecimal> so how do we use the lkm?

<BR>&lt;unknown> OK

<BR>&lt;feds> it says it can't find DEVCPP.exe

<BR>&lt;unknown> So let continue

<BR>&lt;suspect> lol

<BR>&lt;Mikkkeee> unknown would these files run as vxd files?

<BR>&lt;Dustin> unknown: but they would need to RUN your lkm first to steal passes?

<BR>&lt;SpiderMan> feds: just open it up in notepad for now

<BR>&lt;unknown> So lets continue

<BR>*** snider sets mode: +m

<BR>&lt;freakOVER> feds: open it using notepad

<BR>&lt;unknown> You can also hack the server and load it yourself

<BR>&lt;unknown> It's almost like VxD but in Linux

<BR>&lt;Mikkkeee> are you going to give us an example in real time?

<BR>&lt;unknown> Yes

<BR>&lt;Mikkkeee> man vxd hacking is hot

<BR>*** Dustin has left #bsrf

<BR>&lt;unknown> So compile helloworld.c with gcc -O3 -c helloworld.c

<BR>*** pitpat has joined #bsrf

<BR>&lt;unknown> This will create helloworld.o

<BR>*** Syrup has quit IRC (Quit:)

<BR>&lt;unknown> to insert the LKM do "insmod helloworld.o"

<BR>*** dg-2 has quit IRC (Quit: )

<BR>&lt;unknown> Now do lsmod

<BR>&lt;unknown> this will list the modules loaded into the kernel

<BR>&lt;unknown> Later we will see how to make our LKM

<BR>&lt;unknown> Unremovable &amp; invisible

<BR>&lt;unknown> to remove it do "rmmod helloworld"

<BR>&lt;unknown> questions?

<BR>*** DG-2 has joined #bsrf

<BR>&lt;unknown> questions?

<BR>&lt;mezzano> nope seems pretty intuitive ;)

<BR>&lt;unknown> KO

<BR>&lt;unknown> OK

<BR>*** SpiderMan sets mode: -m

<BR>&lt;Hijack> so are there any solutions for removing it if i were a system admin

<BR>&lt;}{exadecimal> no voice

<BR>&lt;Hijack> ?

<BR>&lt;unknown> OK now because our LKM is running in kernel space

<BR>&lt;unknown> we can't access user space memory.

<BR>&lt;unknown> So lets say one of our functions gets as

<BR>&lt;unknown> an argument a pointer to user space

<BR>&lt;unknown> we must move it to kernel space before we try

<BR>&lt;unknown> to use data it points to.

<BR>&lt;_miketr0nix-> hello

<BR>*** SpiderMan sets mode: +m

<BR>&lt;unknown> to use data it points to.

<BR>&lt;unknown> He can remove it at run-time, or he can restart the box

<BR>&lt;unknown> so the module will not be loaded

<BR>*** Mikkkeee sets mode: +o unknown

<BR>*** ChanServ sets mode: -o unknown

<BR>&lt;Mikkkeee> shit

<BR>&lt;unknown> but first he has to find it

<BR>* mezzano thinks mikkkeee needs to pimp-slap chanserv ;)

<BR>&lt;unknown> If you want you can put some script to insmod it when the box starts

<BR>&lt;unknown> In order to move user data to kernel data we have several functions

<BR>*** ControlC has quit IRC (Quit: )

<BR>&lt;unknown> get_user(kernel_dest,user_pointer) - gets the value user_pointer points to

<BR>&lt;unknown> and puts it in kernel_dest (old kernels use dest=get_user(src)).

<BR>&lt;unknown> put_user(kernel_src,user_pointer) - note that kernel_src

<BR>&lt;unknown> is not a pointer.

<BR>&lt;unknown> copy_from_user(kernel_dest_ptr,src_ptr,size)

<BR>&lt;unknown> copy_to_user(user_dest_ptr,src_ptr,size)

<BR>*** DG-2 has quit IRC (Quit: Leaving)

<BR>*** pitpat has quit IRC (Quit: )

<BR>*** Mikkkeee sets mode: +o unknown

<BR>*** optimum has joined #bsrf

<BR>&lt;unknown> For example look at _h_lkm.c at line 78

<BR>*** suspect has quit IRC (Ping timeout: 180 seconds)

<BR>&lt;unknown> this function copies a string from user space

<BR>*** Dustin has joined #bsrf

<BR>&lt;unknown> (GET_U is a macro for get_user())

<BR>&lt;unknown> questions ?

<BR>*** [phRoZen] has joined #BSRF

<BR>*** SpiderMan sets mode: -m

<BR>&lt;Hijack> none at the moment

<BR>*** optimum is now known as optimum[d

<BR>&lt;Neophyte> im fine

<BR>&lt;}{exadecimal> yeah

<BR>*** zaxil has joined #bsrf

<BR>&lt;zaxil> hey everyone

<BR>&lt;}{exadecimal> why do we keep losing our voices?

<BR>*** bulgarinche has quit IRC (Ping timeout: 180 seconds)
