Fork: 1
miura250 / linux_kernel_hacking
Download ZIP 71 commits
Transfer to URL with SHA
linux_kernel_hacking / 3_RootkitTechniques / 3.7_char_interfering /
latest commit 9ee84770a8
@Harvey Phillips Harvey Phillips authored on 6 Sep 2020
..
Makefile interfering with random and urandom read requests works! 5 years ago
README.md image in readme 5 years ago
ftrace_helper.h interfering with random and urandom read requests works! 5 years ago
random.png image in readme 5 years ago
rootkit.c interfering with random and urandom read requests works! 5 years ago
README.md

Linux Kernel Hacking

3.6: Interfering with /dev/random and /dev/urandom

Both /dev/random and /dev/urandom are character devices defined in drivers/char/random.c. In particular, we care about the random_fops and urandom_fops structs which tell us which functions are to be called whenever a process tries to read/write/seek/etc the random and urandom "files".

Line 1989 onwards tells us that random_read() and urandom_read() are responsible.

The function hooks only have to call the original read functions, fill a buffer with 0x00, then copy back this buffer into userspace. All this is achieved with copy_from_user() and copy_to_user().

To use:

  • Build with make
  • Load with insmod rootkit.ko
  • Read some bytes from /dev/random with dd if=/dev/random bs=1 count=128 | xxd
  • Read some bytes from /dev/urandom with dd if=/dev/urandom bs=1 count=128 | xxd
  • Observe that both reads return nothing but 0x00!
  • Unload with rmmod rootkit

random