Fork: 1
miura250 / linux_kernel_hacking
Transfer to URL with SHA Find file
Newer
Older
linux_kernel_hacking / 3_RootkitTechniques / 3.7_char_interfering / README.md
@Harvey Phillips Harvey Phillips on 6 Sep 2020 1 KB interfering with random and urandom read requests works!
Raw Blame History

Linux Kernel Hacking

3.6: Interfering with /dev/random and /dev/urandom

Both /dev/random and /dev/urandom are character devices defined in drivers/char/random.c. In particular, we care about the random_fops and urandom_fops structs which tell us which functions are to be called whenever a process tries to read/write/seek/etc the random and urandom "files".

Line 1989 onwards tells us that random_read() and urandom_read() are responsible.

The function hooks only have to call the original read functions, fill a buffer with 0x00, then copy back this buffer into userspace. All this is achieved with copy_from_user() and copy_to_user().

To use:

  • Build with make
  • Load with insmod rootkit.ko
  • Read some bytes from /dev/random with dd if=/dev/random bs=1 count=128 | xxd
  • Read some bytes from /dev/urandom with dd if=/dev/urandom bs=1 count=128 | xxd
  • Observe that both reads return nothing but 0x00!
  • Unload with rmmod rootkit