home >> kernelland >> syscall table

Syscall interception by directly modifying the Syscall table

The syscall table is generally an array of function pointers; these function pointers can be redirected to point to functions implemented in the rootkit, often times an LKM. This type of kernel rootkit is easy to detect compared to other kernel rootkits. A hands on approach is to analyze /proc/kcore with gdb and verify the syscalls against the System.map (A file created at kernel compilation time for debugging purposes). A simpler approach is to run a tool like ktraq, which also has the benefit of disabling this type of rootkit by resetting the syscall function pointers.

A kernel rootkit of this nature would initialize the syscall hooks by using code like the following, which assumes we want to intercept the sys_write, and sys_ioctl syscalls; perhaps we intercept sys_write so that a specific line of text is not written to stdout from /etc/passwd, and sys_getdents64 to hide files.

First define function pointers to point to the original syscalls:


 asmlinkage int (*old_write) (int, const void *, size_t);
asmlinkage int (*old_getdents64) (unsigned int, struct dirent *, unsigned int);

Next we would create new syscalls which serve evil purposes i.e.


 asmlinkage int new_write(int fd, const void *buf, size_t bytes)
 {
   ... evil code ...
   printk(KERN_INFO "This syscall has been hijacked");

   ... Call original syscall ...
   return old_write(fd, buf, bytes);
 }

We would do the same with getdents64 -- however this is not a guide on writing rootkits so I will not cover the real details involved.

To perform the actual syscall interception within a kernel module you would do:


 -- module_init() --
 /* save original */
 old_write = (void *) sys_call_table[__NR_write];
 /* redirect pointer to new code */
 sys_call_table[__NR_write] = (void *) new_write;

 /* same thing */
 old_getdents64 = (void *) sys_call_table[__NR_getdents64];
 sys_call_table[__NR_getdents64] = (void *) new_getdents64;

Now future calls to sys_write and sys_getdents64 are going to be executing the code located at new_write and new_getdents64, which will transfer execution over to the original syscall code once finished.

Once the kernel module is removed the syscalls should be reset:


 -- module_exit() --
 sys_call_table[__NR_write] = (void *)old_write;
 sys_call_table[__NR_getdents64] = (void *)old_getdents64;

This type of kernel rootkit is still common, but is not as stealth as certain newer methods. There are several tools which can detect this type of kernel rootkit, and even one that can disable them like ktraq which is featured on http://www.bitlackeys.com -- there are however times when a tool like this may not be available etc. Here is a method that is useful for detecting this type of infection:


 # grep sys_call_table /boot/System.map 

(or /proc/kallsyms if the option for all kernel symbols is enabled)
Assuming the result is: c048d720


 # gdb /usr/src/linux/vmlinux

Then within gdb you could do

(gdb) x/10 0xc048d720 0xc048d720 : 0xc0127460 0xc011f950 0xc01021a0 0xc01646f0 0xc048d730 : 0xc0164760 0xc0162340 0xc0163320 0xc011f1c0 0xc048d740 : 0xc0162380 0xc016d4b0 (gdb)

Although instead of doing x/10 you would want to do x/N whereas N is the number of syscalls which you can find in /usr/include/asm/unistd.h generally.
In another console you will want to open up /proc/kcore, you can do this by doing


 # gdb /usr/src/linux/vmlinux /proc/kcore

You would have to follow the same steps :

Core was generated by `BOOT_IMAGE=2.6.25-nosmp ro root=803 acpi=off nomsi'.


 #0  0x00000000 in ?? ()
 (gdb) x/10 0xc048d720
 0xc048d720 :  0xc0127460  0xc011f950  0xc01021a0  0xc01646f0
 0xc048d730 :  0xf897f6d0  0xf897f5d0  0xc0163320  0xc011f1c0
 0xc048d740 :  0xc0162380  0xc016d4b0
 (gdb)

Notice the 5th entry has changed from 0xc0164760 to 0xf897f6d0; that is because sys_write has been hijacked.

This type of analysis can also be useful for other types of kernel infection including syscall interception by overwriting the first several bytes of a syscall with a jmp or a push/ret. In Linux one must be careful not to mistake changes for runtime patches -- which have a very specific set of alternative instructions for memory barriers and SMP replacements.

EvilFingers Arsenal




Socialize with RootkitAnalytics

Twitter Feed Blogspot

Links

Rootkits & Enterprise: Enterprise is a major victim to rootkits. What could rootkits do to them?[read more]

Rootkits & Home-users: Do home-users know the seriousness of rootkits? What should a home-user know about rootkits?[read more]

Rootkits & Information Warfare: What does the silent war of intelligence and national security, got to do with rootkit analysis?[read more]

Userland Rootkits: What should one know about userland rootkits?[read more]

Kernelland Rootkits: What should one know about kernelland rootkits?[read more]

ElfStat: ElfStat is a tool designed for detecting any kernel malware that modifies the text segment of the kernel in memory...[read more]

Syscall/Kernel function interception: This is a more stealth method of syscall hijacking without having to directly modify the syscall table; instead the first several bytes of the syscall are overwritten with a jump to the new code...[read more]

Syscall Interception: What should you know about Syscall interception by directly modifying the Syscall table?[read more]

KsiD [Kernel Symbol Interception Detection]: This tool is designed to detect kernel rootkits and kernel malware which hijack syscalls and kernel functions ...[read more]

IDT /dev/kmem rootkit method: This can be done using several methods including overwriting the first several bytes of the syscall with a jump to other code, or modifying the function pointers.[read more]

Hidden Process Detection: Hidden Process Detection [HPD] using Direct NT System Call Implemenation, PIDB (Process ID Bruteforce) method, CSRSS Process Handle Enumeration and other methods...[read more]

Hidden Registry Detection: Reason for Hiding the Registry Entries, Rootkit techniques to hide, and Detecting Hidden Registry Entries Using Direct NT System Call Method and Directly Reading Hives Method...[read more]

Hidden Service Detection: Hidden Rootkit Services Detection Methods...Enumerating Processes with 'NtControlPipe', Hook Bypass Method through Mapped Image, Services Enumerating Child Processes of Services.exe, Enumerating Services Registry Key...[read more]

Syscall Handler Checker [SHC]: This tool simply verifies whether or not the system call handler system_call() has been patched to call a phony sys_call_table. If a phony sys_call_table appears to be in use, a tool like elfstat can be used for further analysis...[read more]

Firmware Rootkits: Firmware is a small static code that runs on devices ranging from consumer electronics to anything that controls heavy machinery...[read more]

Hypervisor Rootkits: This comes under both firmware and hardware rootkits. The reason being, hypervisor is a virtual environment that runs on the hardware, but basically it is a firmware. Hence, we have drawn the line and dropped this rootkit in the firmware category of rootkits...[read more]

Publications: In this section, we are planning to list all the papers that we have published so far that are rootkit related.

Backdoor Ultimate Defender: In this paper (Backdoor.Win32.UltimateDefender.gtz - Reversing) we analyze install.exe that presents the typical structure of an Medium Evoluted Malware, with basical Obfuscated-Dummy Code...[read more]

Socialize: You could socialize with us by many ways...[read more]

About: Learn about rootkit analytics here...[read more]

Contact us: How can you reach us...[read more]

Our Team: Read more about the rootkit analytics team...[read more]

dwtf v1.0: dwtf is a DLL copying engine ... [read more]

Exploring ADS: Alternate Data Stream (ADS) is the lesser known feature of Windows NTFS file system which...[read more]

Installations [from RootkitAnalytics.com]

ToolsCount
~~~~~~~~~~~~~~~~~~~
Elfstat5779
dwtf4868
KsiD4301
SHC3390

NOTE: Our tools are listed in many sites and torrents, which makes it hard for us to track all downloads. Hence, we are listing only the total installations from our website.

Socialize with EvilFingers

Twitter Feed Blogspot LinkedIn Delicious Google

Tweets