Fork: 1
miura250 / linux_kernel_hacking
Transfer to URL with SHA Find file
Newer
Older
linux_kernel_hacking / 3_RootkitTechniques / 3.2_kill_signalling / README.md
@Harvey Phillips Harvey Phillips on 24 Mar 2021 1 KB added further info links and missed credits
Raw Blame History

Linux Kernel Hacking

3.2: Custom Signals To Hide/Reveal LKMs

Updated to use ftrace instead of directly modifying kernel memory

We can use the same syscall hijacking method from Section 3.1 to hijack the sys_kill syscall rather than sys_mkdir. This lets us implement our own custom signals to call different functions within the rootkit. In this case, we use signal 64 (normally unused) to tell the module to hide or unhide itself (using the hideme() and showme() functions from Section 3.0).

NOTE: While experimenting with this module, I found that the kernel kept panicking and crashing if I probed the calls to sys_kill too often, i.e. trying to printk every call signal send to every pid. I think this is probably something to do with a race condition somewhere, but I'm not certain.

To use:

  • Build with make
  • Load with insmod rootkit.ko
  • Send signal 64 to any pid, e.g. kill -64 1
    • Note that the signal won't actually be sent to the pid you specify, so any number will do!
  • Observe the rootkit is missing from the output of lsmod
    • While the module is hidden, you will be unable unload it!
  • Send signal 64 to any pid again e.g. `kill -64 1'
  • Observe that the rootkit is back in the output of lsmod
  • Unload with rmmod rootkit

Inspired, in part, by the Diamorphine repo.