rootkit 101
TRANSCRIPT
Rootkit 101 - a rootkit just for beginners
cmj @ 2015.07.19
1
For beginners
• If you can already write a rootkit - you're probably hearing this too late~
• If you've never used Linux - you're probably hearing this too early~
2
Contents - what I'm offering everyone this time~
✤ From experience: the rootkits I have seen
✤ Extending the original concept of a rootkit
✤ Conceptual rootkits
3
Whether any of it works, I don't know either >.^
4
WARNING
These slides may contain adult material unsuitable for you; please make sure you have enough mental capacity and judgment to understand and analyze whether the following content is correct and legal. The author of this work bears no responsibility for any legal problems you incur as a result of this work, including but not limited to mental and/or financial loss caused by any arrangement of text and illustrations.
5
Before we start, let's enjoy~
6
Movie: Who Am I
7
8
Who Am I: No System Is Safe (a German film)
9
rootkit - wiki
A rootkit is software whose main function is to hide the processes of other programs; it may be a single program or a combination of several. Broadly speaking, a rootkit can also be regarded as a technique.
10
Tampering & hiding
11
12
Simple Rootkit Design - lv1
✤ Simply deceive the user
✤ Replace commonly used commands
✤ ls / ps / top / … etc
✤ You don't need much programming skill
13
Deception
14
Simple, handy, solves everything (萬解)
15
Simple Rootkit Design - lv2
✤ Replace the program
✤ Needs a bit of programming skill
✤ Methods
✤ Replace the program directly (swap out the binary)
✤ Write a wrapper (stack one more layer on top)
16
Hiding (replacement)
17
Handy, solves everything (萬解)
18
However (しかし)
✤ Unless the user never interacts with the host directly
✤ There are obvious differences in how it behaves
✤ It feels odd to use
19
Think back
20
Did anything feel strange?
21
Layout / colors / … etc
22
Designing a slightly harder rootkit
23
Useful Rootkit Design - lv3
✤ Modify the program's lower layers
✤ Modify the program's libraries
✤ Concept
✤ strace / dtruss / debugger / … etc
24
程式設計師的自我修養:連結、載入、程式庫 (the book "Programmer's Self-Cultivation: Linking, Loading and Libraries")
Let's cultivate ourselves a bit~
25
C
✤ When a C program runs, it can:
✤ Call logic you wrote yourself (function)
✤ Call ready-made logic (Library)
✤ You wouldn't write "open file" yourself, would you …
26
C
✤ When a C program runs, it can:
✤ Call logic you wrote yourself (function)
✤ Call ready-made logic (Library)
✤ You wouldn't write the open function yourself, would you …
27
Shared Library Hook using LD_PRELOAD
28
LD_PRELOAD Hook
29
Handy, but not quite bankai (卍解)
30
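A defender-side check for the LD_PRELOAD-style library hook described above, added here as an example that is not part of the original slides: it lists one directory twice, once through libc's opendir/readdir and once with the raw getdents64 syscall, and reports every name that the library path dropped. The function names, the 256-entry cap and the hand-written linux_dirent64 layout (taken from getdents(2)) are assumptions of this example, not anything the slides specify.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
enum { MAX_NAMES = 256, NAME_LEN = 256 };
/* Record layout returned by the raw getdents64 syscall (see getdents(2)). */
struct linux_dirent64 { uint64_t d_ino; int64_t d_off; unsigned short d_reclen;
                        unsigned char d_type; char d_name[]; };
/* View 1: names via libc opendir/readdir, the path an LD_PRELOAD hook sits in. */
static int list_via_readdir(const char *dir, char names[][NAME_LEN], int max) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    struct dirent *e; int n = 0;
    while ((e = readdir(d)) && n < max) snprintf(names[n++], NAME_LEN, "%s", e->d_name);
    closedir(d);
    return n;
}

/* View 2: the same directory read with the getdents64 syscall itself, bypassing
 * every user-space library (a kernel-level hook would still fool this view). */
static int list_via_getdents64(const char *dir, char names[][NAME_LEN], int max) {
    int fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[8192]; int n = 0; long nread;
    while ((nread = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0)
        for (long off = 0; off < nread && n < max;) {
            struct linux_dirent64 *e = (struct linux_dirent64 *)(buf + off);
            snprintf(names[n++], NAME_LEN, "%s", e->d_name);
            off += e->d_reclen;
        }
    close(fd);
    return n;
}

/* Count entries the kernel returns that readdir() omitted; -1 on error.
 * Non-zero means something in user space is filtering directory listings. */
int hidden_from_readdir(const char *dir) {
    static char lib[MAX_NAMES][NAME_LEN], raw[MAX_NAMES][NAME_LEN];
    int nl = list_via_readdir(dir, lib, MAX_NAMES), nr = list_via_getdents64(dir, raw, MAX_NAMES);
    if (nl < 0 || nr < 0) return -1;
    int hidden = 0;
    for (int i = 0; i < nr; i++) {
        int seen = 0;
        for (int j = 0; j < nl && !seen; j++) seen = strcmp(raw[i], lib[j]) == 0;
        if (!seen) { printf("hidden from readdir: %s\n", raw[i]); hidden++; }
    }
    return hidden;
}
```

On a clean host both views agree and the function returns 0; a preloaded readdir that filters names shows up as a positive count.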
Take a break~
31
The world of rootkits
What the Emperor doesn't grant you, you may not seize!
32
Basic concepts
Hijacking
✤ Commands
✤ Data
✤ syscall
33
Other ideas?
34
Still hijacking ls
✤ What if the data you see is not actually what is there
✤ FUSE (File system in USEr space)
35
Ah~ a little deeper~~~
36
What if, at the very bottom (the OS), the data simply doesn't exist...
37
Kernel-Level Rootkit
38
Program Bugs
User-Space
✤ crash - Segmentation Fault / Abort
✤ core-dump
Kernel-Space
✤ Call-Trace
39
Robustness is more important than you expect
40
Kernel Rootkit Design - lv4
1. Development environment
2. Decide on the rootkit's core technique
3. Development and debugging
41
Hook Syscall
43
Hook Syscall
Procedure
✤ Find the syscall_table
✤ Tamper with the callback function that gets invoked
44
sys_call_table
1. Easy way
2. Normal way
3. Violent way
45
sys_call_table
1. Easy way - Find it in System.map
2. Normal way
3. Violent way
46
System.map
47
sys_call_table
1. Easy way - Find it in System.map
2. Normal way - Dump it from /proc/kallsyms
3. Violent way
48
/proc/kallsyms
49
sys_call_table
1. Easy way - Find it in System.map
2. Normal way - Dump it from /proc/kallsyms
3. Violent way - Brute-force search all kernel memory
50
Brute-Force Search
51
Suppose we've found the syscall_table
52
syscall_table
In practice
✤ syscall_table is an array of function pointers
✤ ordered by syscall number
53
Hook getdents64
54
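The cross-view check a defender runs against the getdents64 hook just named, added here as an example that is not from the slides: /proc is enumerated through the directory-listing path (the one a hooked getdents64 filters) and compared with a direct /proc/<pid>/status lookup for every candidate PID, which never consults that listing. Function names, the PID range and the Tgid filter are assumptions of this example; diff_views is the pure comparison so it can be exercised on constructed input.

```c
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#define MAX_PIDS 65536
/* Pure cross-view diff: PIDs a direct probe found but the listing lacks. */
int diff_views(const int *listed, int nl, const int *probed, int np, int *hidden) {
    int n = 0;
    for (int i = 0; i < np; i++) {
        int seen = 0;
        for (int j = 0; j < nl && !seen; j++) seen = (listed[j] == probed[i]);
        if (!seen) hidden[n++] = probed[i];
    }
    return n;
}

/* View 1: PIDs as readdir() on /proc reports them (the getdents64 path a kernel rootkit filters). */
static int pids_via_listing(int *out, int max) {
    DIR *d = opendir("/proc");
    if (!d) return -1;
    struct dirent *e; int n = 0;
    while ((e = readdir(d)) && n < max)
        if (e->d_name[0] >= '1' && e->d_name[0] <= '9') out[n++] = atoi(e->d_name);
    closedir(d);
    return n;
}

/* View 2: probe each candidate PID by opening /proc/<pid>/status, a path lookup that
 * ignores the listing. Non-leader threads resolve here but are legitimately unlisted,
 * so only thread-group leaders (Tgid == pid) are kept. */
static int pids_via_probe(int *out, int max_pid) {
    char path[64], line[128]; int n = 0;
    for (int pid = 1; pid <= max_pid && n < MAX_PIDS; pid++) {
        snprintf(path, sizeof path, "/proc/%d/status", pid);
        FILE *f = fopen(path, "r");
        if (!f) continue;
        int tgid = -1;
        while (fgets(line, sizeof line, f) && sscanf(line, "Tgid: %d", &tgid) != 1) {}
        fclose(f);
        if (tgid == pid) out[n++] = pid;
    }
    return n;
}

/* PIDs visible by probe but missing from the listing; -1 if /proc is unreadable. A process
 * exiting between the two passes gives a spurious hit, so a real scanner repeats the run. */
int hidden_pid_count(int max_pid) {
    static int listed[MAX_PIDS], probed[MAX_PIDS], hidden[MAX_PIDS];
    int np = pids_via_probe(probed, max_pid);
    int nl = pids_via_listing(listed, MAX_PIDS);
    return nl < 0 ? -1 : diff_views(listed, nl, probed, np, hidden);
}
```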
Frustration ** n
55
Can we push it all the way~
56
BIOS rootkit design - lv5
57
BIOS rootkit design - lv5
I have to be honest: I can't
And this is rootkit 101 - talking about BIOS would be going way too far~
58
Q & A
Thanks for your attention ~
59