lkmlecture.html
<Dustin> you do need root access first to do all this right?
<Dustin> ok
<snider> yeah, but then after you can hide files from the *right* root of the box
<Mikkkeee> yup
<Dustin> ok
<freakOVER> heehee
<freakOVER> deviousness!
<unknown> You can also spread it as a virus
<unknown> but will get to that
*** snider sets mode: +m
<unknown> SO lets continue
<Mikkkeee> wait can you write a worm to do this for u?
*** Guy_SJS has joined #bsrf
*** ChanServ sets mode: +o Guy_SJS
<unknown> you can intercept DCC or FTP sessions
<unknown> and add code for executables
<unknown> so it will be loaded when the file is executed by root
*** SpiderMan has quit IRC (Ping timeout: 180 seconds)
*** DElTa_SquaD has joined #bsrf
*** SpiderMan has joined #bsrf
*** ChanServ sets mode: +o SpiderMan
<unknown> u can c how to hide files on line 172 in _h_lkm.c
*** dataholic has joined #bsrf
*** ChanServ sets mode: +v dataholic
<unknown> Some of the code there is used to hide processes, I will explain it later
<unknown> I also replaced the chdir system call so in order
<unknown> to execute or read files from hidden folders
<unknown> you must give the full path.
<unknown> Try to read it, if you got questions ask
<unknown> I commented most of the code so it will be easy to understand
<unknown> questions?
<Phr3k> i gotta go
<mezzano> none yet...the code is pretty easy to read <IMHO>
<Phr3k> someone send me log later
*** Phr3k has quit IRC (Quit: )
<unknown> OK so lets continue
<dataholic> wait wait
* dataholic lights up a cigg
* dataholic puts on a nice mp3
<dataholic> ok go with tha flow!
<dataholic> :)
<unknown> As you know /proc contains a folder named with
<unknown> the process id for each process.
<unknown> To list processes with 'ps' for example
<unknown> ps goes through the /proc dir.
<unknown> So if we want to hide a process
<unknown> we check if a process goes through the /proc
<unknown> folder, so we need to look for the pid of the process we want to hide
<unknown> and remove it from the list getdents returns.
<unknown> :)
* Guy_SJS bums a cig off dataholic
<dataholic> lol
<Mikkkeee> heh
<unknown> the /proc folder contains PIDs
<unknown> To do it we need to get the inode in which getdents
<unknown> is supposed to scan and if it's /proc recover the task name of
<unknown> each pid and if it starts with _h_ remove it from the list.
<unknown> To get the inode we will use the 'current' pointer
<unknown> which points to data of the current process (that issued the call)
<unknown> and its definition is 'struct task_struct *current' (to see
<unknown> struct task_struct look in linux/sched.h).
<unknown> PROC_ROOT_INO is the inode of /proc and it's defined in linux/proc_fs.h.
<unknown> The MAJOR and MINOR macros are used to check if it is the right device
<unknown> I will explain more about major and minor numbers in
<unknown> the 'coding LKM devices' lecture.
<unknown> Go through the source, if you got questions ask.
*** DElTa_SquaD has joined #bsrf
<unknown> Questions?
<Guy_SJS> ok
*** Mikkkeee sets mode: -m
<Guy_SJS> wow
<Guy_SJS> long lecture
<Dustin> can you kill a process by rmdir /proc/911
<h4x0r3d> when will the 'coding LKM devices' be?
<Mikkkeee> next week
<Mikkkeee> maybe
<h4x0r3d> ok, =]
<Dustin> if rmdir is a cmd ;0
<h4x0r3d> heh
*** DElTa_SquaD has left #bsrf
<Dustin> rm -r
<h4x0r3d> well, thanx man, ima go now, peace all!
<dataholic> y'all evil minded ppl :))))
*** h4x0r3d has quit IRC (Quit: i luv box.sk)
<Dustin> suckup
<Mikkkeee> lol
<Guy_SJS> rm -rf /home/dataholc
<freakOVER> he loves the server
<freakOVER> i wanna hit him :(
<Guy_SJS> hope u had a backup.
<dataholic> lol
<dataholic> to dev/null with you!
<unknown> OK lets continue
<Guy_SJS> lol
*** mezzano has quit IRC (Quit: )
*** Mikkkeee sets mode: +m
<unknown> so we have hidden our files, folders and processes
<unknown> but the admin can still see our lkm using lsmod
<unknown> and remove it. There are several methods to
<unknown> hide our modules.
<unknown> One of them (suggested in Phrack 52) is
<unknown> to manipulate struct module and set the size, refs and
<unknown> the name of the module to 0. But when I tried it
<unknown> it didn't work (I think it works only with old kernels,
<unknown> otherwise the kernel is loaded but when you lsmod
<unknown> some errors occur).
<unknown> Another way is to intercept the sys_query_module system call,
<unknown> you can strace lsmod to see it.
<unknown> It's easy to implement (almost like getdents).
<unknown> Look at it in line 321 in _h_lkm.c.
<unknown> To make it unremovable intercept int delete_module(char *name)
<unknown> and if name matches the LKM name return -ENOENT
<unknown> which means the module is not loaded.
<unknown> Questions?
<snider> brilliant
*** snider sets mode: -m
<Dustin> devious little schemer you
<unknown> No questions? so lets continue
<freakOVER> RAWR
<freakOVER> i'm hungry :(
<freakOVER> but linux is sexier :\
<dataholic> lol
*** Mikkkeee sets mode: +m
<unknown> Another cool idea from Phrack is redirection of execve
<unknown> for example let's say you want that every
<unknown> time login is executed it will execute your login instead
<unknown> so what you do is replace execve and each time login is
<unknown> called you call /hiddenpath/my_login.
<unknown> But I didn't implement it in this module
<unknown> A few notes about execve.
<unknown> To replace execve you must put it in some other
<unknown> place in the sys_call_table (I put it in the end
<unknown> but you can loop and look for the first NULL)
<unknown> and modify the registers before calling it
<unknown> since it expects the data in specific registers.
<unknown> I wrote some asm code to do it in my LKM.
<unknown> If anyone knows a better way to do it please
<unknown> share.
<unknown> I don't recall which line
<unknown> look for it
<snider> 260
<unknown> What it does is wait till sh is executed and if the last
<unknown> argument is ___h___ then it gives you root
<unknown> Some other ideas could be preventing SYS_write from
<unknown> writing certain IPs, make your file
<unknown> totally inaccessible by replacing open system calls
<unknown> unless you have a magic uid, record everything
<unknown> the admin does and many other things, be creative!!!
<unknown> TTY hijacking is a cool thing to do.
<unknown> (I will show how to do it in my next lecture)
<unknown> Questions?
*** snider sets mode: -m
<jacs> l
<snider> i guess not
*** stenas has joined #bsrf
<unknown> another important system call is socket(int call, unsigned long *args).
<unknown> I didn't implement it due to a lack of time but I will
<unknown> explain how it works.
<unknown> The socket system call handles all the socket operations
<unknown> (recv, send, connect etc.). Its call argument is the type
<unknown> of action.
<unknown> One thing you can do with it is to intercept the
<unknown> RECVFROM call and wait for a packet with
<unknown> magic size and magic content and then
<unknown> open a shell on some port to get root.
<unknown> This idea is implemented by plaguez in Phrack 52.
<unknown> But this kind of backdoor will not work
<unknown> if there is a firewall on the system.
<Dustin> unless you have physical access
*** royanee has quit IRC (Quit: )
<unknown> Sure
<unknown> but you can overcome this
*** stenas is now known as royanee
<unknown> For example you can look for packets that contain
<unknown> some string, let's say <123Order321>
<unknown> and remove it from the stream
*** insulted has joined #bsrf
<unknown> This method
<insulted> hi
<unknown> can work without an open connection
<Dustin> ./mode #bsrf +m
<unknown> because it will be removed from the stream anyway
*** wascy is now known as wascy|at|work|even|s
<}{exadecimal> gtg, send me a log
<unknown> you can hide the ip of these packets by replacing the write system call
<Mikkkeee> log will be on the bsrf site
<Neophyte> 5-1
*** SpiderMan sets mode: +m
<unknown> OK that's it for now, if you got questions about the source
<unknown> ask
*** SpiderMan sets mode: -m
<snider> i have a kernel too old to load that helloworld module.. how can the system see that it's been written for a newer kernel version (even when it's as simple as helloworld.c)?
<snider> that's my only question
<Dustin> it uses a call not implemented in older kernels?
*** CoolMoDee has joined #bsrf
<unknown> What is the messages?
<unknown> What is the message?
<snider> that the module was compiled for.. oh wait.. i replaced my kernel src with the 2.4.7 one a while back
<Mikkkeee> unknown would this work for bsd boxes?
<snider> hehe.. nevermind
*** Saito has joined #bsrf
<unknown> OK so you understood everything?
<unknown> I didn't try but it shouldn't be hard
*** BooTERROR has joined #bsrf
<snider> okay, so the lecture is at end=
<unknown> Well yes
--- End of Lecture ---

</BODY>

</HTML>
