lkmlecture.html
<unknown> OK lets continue
<Neophyte> he sets moderation
<Mikkkeee> cause you interrupt
*** optimum[d is now known as optimum[downloading]
<i-o> the printk, where can i see it??
<}{exadecimal> i know what he does but why
*** Mikkkeee sets mode: +m
<unknown> Moving on to symbol table.
<unknown> The symbol table is a file found in /proc/ksyms which contains exported
<unknown> kernel symbols (functions for example) that can be used
<unknown> by our LKM and kernel.
<unknown> The reason we should care about this file is that it will also contain
<unknown> our LKM functions so a good admin will be able to spot
<unknown> our LKM. It can also be used by us to spot an admin LKM
*** Drager has quit IRC (Ping timeout: 180 seconds)
<unknown> If he monitors the entire system with some super LKM
<unknown> we should reconsider our actions).
<unknown> BTW If you encounter and detect this kind of LKM try
<unknown> to DoS the machine and make it restart many admins
<unknown> dont activate the LKM's on init.
*** count_chocula has joined #bsrf
<unknown> Anyway to control the exported symbols all you have to do
<unknown> is to use macros defined in module.h (in old kernels
<unknown> we need to include /linux/symtab_begin.h and
<unknown> use register_symtab(NULL) if we dont want to
<unknown> export symbols).
*** _Altus- has joined #bsrf
<unknown> The macros are 'EXPORT_NO_SYMBOLS' if we dont want to export
<unknown> symbols.
<unknown> If we want to export something define EXPORT_SYMTAB
<unknown> and use the 'EXPORT_SYMBOL(name)' macro.
<unknown> questions?
*** Mikkkeee sets mode: -m
<feds> does it work on win kernel?
<unknown> No
<Mikkkeee> no
<SpiderMan> no, for windows use VxDs
<feds> dam
<Mikkkeee> vxds can be discovered
<feds> where do i get it?
<mezzano> strictly *nix baby ;)
<Hijack> the same manner can be applied in windows vxds
<Dustin> vxd == lkm for win?
<unknown> OK lets continue
<Mikkkeee> yah
<Hijack> yes, very true
<feds> where can i get it?
*** Mikkkeee sets mode: +m
<unknown> Now the interesting part - system calls
<unknown> Every OS has built in functions that are used for every operation
<unknown> on the system; in linux those functions are called system calls.
<unknown> So if we control the system calls we can control the entire
<unknown> system.
<unknown> To see a list of all the system calls
<unknown> look in /usr/include/bits/syscall.h (or run a search for
<unknown> syscall.h).
<unknown> so lets say we want to find which system call
<unknown> is used to list files (which system call is used by ls).
<unknown> Do 'strace ls'.
<unknown> strace will give you all the system calls used by ls.
<unknown> Most of the functions are obvious and many repeat many times
<unknown> but look at getdents it shows only twice and the second
<unknown> argument states "* entries" if you check this is
<unknown> the number of files + folders + hidden files
<unknown> in the folder.
<unknown> * is a number
<unknown> So we can assume that this is the system call.
<unknown> Now the next step is to try to 'man getdents'.
<unknown> Getdents has a manual entry so it explains what it
<unknown> does and we were right :)
*** Norton has joined #bsrf
<unknown> If there isnt a man entry you can search the kernel sources
<unknown> (you should always search the sources to see how something works
<unknown> before replacing it).
<unknown> Next we will replace it and modify it to hide every file or folder
<unknown> that starts with _h_.
<unknown> questions?
*** SpiderMan sets mode: -m
<_miketr0nix-> hi
<Dustin> yes
<_miketr0nix-> i have a question
<Dustin> getdents is a program like strace?
*** XarZ has quit IRC (Ping timeout: 180 seconds)
<_miketr0nix-> i want to know things about how to stop my ping
<unknown> getdents is a system call
<_miketr0nix-> but i am in windows
<Mikkkeee> stop your ping?
<_miketr0nix-> yes
<zaxil> get a firewall to block them
<_miketr0nix-> like someone is trying to ping me
<Dustin> lets save this for another time, shall we?
<unknown> strace can be used to out which functions are used
*** _miketr0nix- has quit IRC (Quit: )
<Norton> heh
<unknown> strace can be used to find out which functions are used
<Hijack> unknown
*** fatboyjoe has joined #bsrf
<snider> i have a q..
<unknown> by a program
<Dustin> then what is getdents for
<Hijack> one question before i leave, which is not related to LKM
<unknown> getdents is used to get a list of files and folders from
<unknown> a directory
<unknown> ls uses it to get its data
<snider> unknown: i use kernel 2.4.1 which is too old to load that helloworld module.. how come? how can the system see that its been written for a newer kernel version?
<Dustin> oh ls uses a syscall called 'getdents'?
<Hijack> will the topic ACK Tunnelling be brought up in future lectures?
<Mikkkeee> yah
*** zaxil has quit IRC (Quit:)
<unknown> Dustin: yes
<Dustin> ok, it becomes clear
<Mikkkeee> hijack maybe in the later weeks
<unknown> So if we replace the getdents system call we can hide files
<Hijack> thanks mikkkeee, it's the second attack which i fear most behind LKM / VxD hacking
<Mikkkeee> hehe ack tunneling
*** _fatboyjoe- has quit IRC (Ping timeout: 180 seconds)
*** Hijack has quit IRC (Quit: )
<unknown> and process (since processes are listed in /proc)
<unknown> and processes (since processes are listed in /proc)
<h4x0r3d> heh
<unknown> So lets continue
<Dustin> oh, so getdents() could be programmed to leave out files that begin in !
<unknown> yes
<Dustin> ok, plz continue
<unknown> thats our purpose
*** Mikkkeee sets mode: +m
<unknown> To intercept system calls you need to know that the kernel
<unknown> exports a table that lists all the system calls.
<unknown> The var is 'void *sys_call_table[]'.
<unknown> Each entry in this array is a pointer to a system call.
<unknown> You can look in syscall.h to find its number.
<unknown> So if we want to replace the getdents system call we can
<unknown> use this code:
<unknown> ...
<unknown> extern void *sys_call_table[];
<unknown> int (*o_getdents)(unsigned int, struct dirent *, unsigned int);
<unknown> int h_getdents("same vars"){
<unknown>     your code
<unknown> }
<unknown> ...
<unknown> int init_module(){
<unknown> ...
<unknown> o_getdents = sys_call_table[SYS_getdents];
<unknown> sys_call_table[SYS_getdents] = h_getdents;
<Phr3k> excellent
<unknown> ...
<unknown> }
<unknown> void cleanup_module(){
<unknown> ...
<unknown> sys_call_table[SYS_getdents] = o_getdents;
<unknown> ...
<unknown> }
<unknown> We need to save the original system call because we might
<unknown> use it and because we need to restore it when
<unknown> we remove the module (unless you want to fuck up the system)
<unknown> Questions?
*** SpiderMan sets mode: -m
<mezzano> so after loading this LKM then all subsequent file listing requests would exclude those we don't want them to see then correct?
<unknown> Yes if code it properly
<unknown> Yes if u code it properly
<Dustin> this is all well and good, but wouldnt you need root access to load a lkm?
<Dustin> and if you had root whats the point
<snider> what is the purpose of o_getdents = sys_call_table[SYS_getdents]; ?
<Dustin> of going thru all the trouble
<freakOVER> well if u had gotten into a system
<freakOVER> for like
<freakOVER> a backdoor
<unknown> Dustin: Lets say you want to put a sniffer
<snider> oh.. nevermind me
<unknown> on the system and make it totally invisible
*** JamesBONG has joined #bsrf
<Dustin> ok point taken
<Dustin> you cant do that with a program cause a task mgr would list it
<freakOVER> mmhmm
<JamesBONG> does anybody here use macs?
<unknown> what?
<h4x0r3d> lol
<Mikkkeee> hehe no
<freakOVER> $ jobs
<freakOVER> maybe might list it
<Dustin> yeah
*** rs has quit IRC (Ping timeout: 180 seconds)
<freakOVER> or another prog that lists tasks
<freakOVER> LKMs aren't listed as jobs right?
<Dustin> top
<Dustin> ps
<freakOVER> just processes maybe?
*** Norton has quit IRC (Ping timeout: 180 seconds)
<unknown> top and ps wont list it
<Dustin> why not
<Mikkkeee> what can list them then
<snider> because its not a userspace program
<Mikkkeee> third party program?
<snider> lsmod lists the loaded kernel modules
<freakOVER> ahh
<Dustin> wait, are we talking about a lkm sniffer or a 'real' sniffer
<unknown> Because we will make the kernel do it
<Dustin> ok
<unknown> i will get to that later
<freakOVER> ok ok i think i'm gettin' this
<unknown> a real sniffer
<Dustin> so to disguise from lsmod you would put the lkm sniffer piggybacked with getdents or something
<unknown> What i will do is to replace the getdents and query_module system calls
*** suspect has joined #bsrf
<unknown> so they will remove what we want from the list
<unknown> OK?
