Linux Kernel Module Rootkits

My first presentation in a security conference, was at H2HC 3rd edition and it was titled “Kernel-Land Rootkits for Linux 2.6 over x86”. Back then I was doing some research on LKM rootkits and I thought I had discovered/invented the SIDT trick for hooking syscalls (a major change between 2.4 and 2.6 kernels was that 2.6 no longer exported ‘sys_call_table[]‘, demanding more creative ways to do the hooking). Later I found out that sd and devik had introduced that technique years before, with Phrack’s excellent text ‘Linux on-the-fly kernel patching without LKM’ and SucKIT. That didn’t stop me from doing the presentation anyway, where I also demonstrated a new technique to bypass St. Michael, a rootkit detector maintained by the conference’s organizer, BSDaemon (I did it for the lulz ;D). I did this presentation under the flag of the now extinct rfdslabs, a group of friends that discussed hacking and technology, and also released the codes for two projects: ‘Captain Hook’ and ‘Tick-Tock, The Croc’.

Captain Hook is a proof-of-concept LKM rootkit for Linux 2.6, developed to illustrate my points during the presentation. It has a very light and yet flexible design: it’s simply an UDP server that can receive and then execute binaries. It also hides itself (i.e. the file ‘capnhook.ko’) to illustrate the syscall hooking technique.

Tick-Tock, The Croc, is a naive proof-of-concept rootkit detector. Its idea is that any LKM containing the SIDT instruction in its code is malicious and therefore should not be loaded into the kernel. Tick-Tock is a LKM itself, that hooks the ‘init_module’ and, each time a module is to be inserted, performs a simple code analysis to check for the presence of SIDT. Tick-Tock uses a minimalist, customized version of bastard’s libdisasm to do the disassembly and it performs quite well against real-world example. Despite being very easy to fool (e.g. by using self-modifying/encrypted code or by executing SIDT in ring3, prior to inserting the LKM), I believe the concept behind Tick-Tock could still be applied at least against legitimate modules as general means of enforcing correctness of LKMs. A simple example of such uses would be, for instance, blocking a module that does floating-point arithmetics (since the internal state of the x87 FPU shouldn’t be messed with in kernel-land).

Downloads:

  • Presentation slides
  • “Captain Hook” code
  • “Tick-Tock, The Croc” code