2016 - Gregory Fudge - Hooking the Linux Kernel without getting caught

hopefully cool um so I'm is that the mic sweet that's not too bad um so I'm Greg doing Linux stuff um how many just Qui quick query how many devs have we got of like any devs and how many pentesters and how many people who think both cool anybody C++ familiar C familiar excellent this isn't going to be as bad as I thought it' be um cool so Hing this kenel probably self-explanatory so why why do it because it's fun um and also you can do a lot of stuff once you're in the kernel because you got basically you're in the system you got really really complex system code that's cannot fail and you've got um a lot of potential

opportunity to do lots of interesting things um and this is done quite these days root kits are pretty [ __ ] so they tend to do this sorry I swear a lot by the way um they're not very good good and they tend to do lots of things that's just good enough to do like the bare minimum um and people tend to like just bring in the root K and stuff so was root kit um generally used obviously to maintain privilege on a system so if you p a system and you find you want to put a back door so you can get there in the future part of that is you don't want to get caught so you need something

super stealthy um you might want to do coms you might want to talk to someone else you might want to be able to talk to it um and you might to monitor the system see if someone's running some cool stuff AV or anything like that and it anything else um yeah so it's it's literally just a program it's just a piece of Kernel code that does stuff at high privilege um which has pros and cons so why are we picking Linux because we use on backend servers we use it on mobile Android other stuff embedded devices internet things I don't need to explain that and because I really hate Windows ddk because it's super super super hard um

it takes like a day to get that sh set up so yeah so in terms of the general threat um persistence it's like 100% of it because persistence is a big threat if you don't know it's on your system and it's not doing anything dodgy how do you know it's there how are you ever going to find that it's there so we need to get um be aware of that um yeah gener like 99% of the time it's not doing anything it's just like dead code it's just sitting there waiting to to be triggered um so and and rot kit detection is super hard because you're in the kernel so you can change anything so if somebody wants to find out what

you're running you can pretty much tell them the start off um cool so how so the two main methods of doing this uh using kernel modules so loadable kernel modules any you familiar with that basically the same as Windows drivers um you just put in a piece of code into the kernel does some fun stuff and way you go um there's some cool stuff as well on module infection so rather than actually writing a dedicated module you can actually infect an existing module by basically the way the the loader works in the kernel um so that you can pretty much hook that other thing so when some generic non-signed uh user driver for thinkpads or Whatever Gets um you can

inject into that when that gets loaded your codes in there as well so you've not even got any trace of it and it's super easy to start um direct kernel object manipulation is the other way the old school way of doing it which kind of works some some systems is you have these two devices called Dev km which is the kernel memory and devm which is the normal memory so you can read and write to those and do normal IO control type stuff um which means that you can basically read the kernel memory search for a structure you want a structure you want and you can manipulate it um as long as you can find the structure that

you want to manipulate dma you hear about all sorts of cool dma TXS like thunder strike to something like that um where if you have access to memory you can just start writing over stuff same principle um and yeah you can some of those you can do from userland or used to be able to do from userland so bunch of stuff these is all things you can do ignore that um sorry uh so yeah the whole point of Kernel modules is so the Linux kernel is quite modular so the smallest version of Linux kernel is pretty small and you can add things in as you need them as one your PC fit and it's loaded into actual kernel

memory so you've got um specific addressable space to write into that uh so usually you build a kernel module against a specific version of the Linux kernel that has some interesting implications because that makes it considerably less portable so that's something we'll have to consider um and you can load that whenever the Kels running you can load that at startup you can load it runtime like main runtime stuff like that kind is super hard it's sucks um so loading you can use in ins mod and RM mod which will load and unload load your driver that just calls a kernel loading function which basically takes your uh loading routine and your exit routine just calls them uh and just just Maps it

in um interesting thing is you can see what's loaded from proc modules so if you're whereare of the proc virtual file system uh it Maps your module as like a little object with a bunch of information um so first thing we have to hide it from that because if obviously if it appears then that's kind of OB that we're running a kernel a root G so yeah it has name module size in byes of the module uh how many I say instances that's that's wrong it's how many people are using that module so how many people have gone and said I want to use this module because it can't unload it if that number is greater than zero um the

number of module dependencies so what um we'll talk about kernel symbol later what symbols does the module require uh the state of the module so is it loading is it currently live or is it unloading um usually it's either live or it's not there at all and the offset in kernel memory so it's a virtual address um that the kernel is loaded into so you know where it is so that's you can see that yeah so that's our little shitty back door thing that is there you can see um the module name you can see the size of it you can see it's live and you can see where it's loaded into the address very

in mind you have to use pseudo to do this you can do it without pseudo but it won't give you the address it will just tell you it's there so you from usand you can see that something's there but if you run it as pseudo as a root user um you can see exactly where it is still so to hide it uh we use the compiler macros because compiler macros are good because writing your own code is like effort um and basically there's a link list of modules that goes around in the kernel and that's how the kernel enumerates things and you go in say I need to delete that item from the list and I want you to reinitialize and that

doesn't unload the module the module's still in there any hooks you've put in are still there everything is the same it just means the K kernel has no way of pointing to your module which is great for us um so that will get rid of proc modules and that get rid of lsod and then the other virtu file system uh CFS is CIS module which is another special inmemory file system weird stuff um and it has a ton of information about kernel so it just kind of enumerates all those similar things but with like a folder structure uh so yeah if you run I mean that that's just run with like this a [ __ ] user you can see our back door

there you can see that Roots running it you can blah blah blah that's basically just a directory we can go in there and and [ __ ] around with it um so we can also get rid of this uh there's a thing called a k object just a kernel object we can um delete the kernel object basically so you go up to the parent the kind of object the thing has a reference to it and you say I want you to delete that reference to me so you're actually deleting the link and that means that when it goes through the parent and looks says what have I got loaded it goes there and it's like oh

there's nothing here because there's no address that's cool um kernel symbols so you got ton of addresses to like random stubs in kernel memory and you need to be able to reference them so the way the Kel does this is it has a uh in boot system. map you have this map of Kernel symbols to the the address that it's expected to be at so your kernel can rather than say like if if you if you modify a structure in your kernel you add something you delete something where that ends up in main memory is going to change so this is a direct map to Kernel memory that we can then reference so we're using the where

the system knows that it is rather than just like randomly blindly guessing which we'll do later um so the um so so basically when you compile your kernel if if anybody knows anything about compilers linkers when you compile your kernel and you link it which you don't do um it has a bunch of undefined symbols and those are things that are patched up by the loader when you install your module so it goes in and says okay you want this uh symbol let me find the address for that patches it up and it patches all your code like that um which is great but it means if we're doing dodgy stuff with weird symbols and

some Mar analyst picks up this object um col object then he can look at it and say okay you're using these weird really weird things that we totally know why what you're doing for they don't even have to like do any disassembly um yeah so these are the undefined references so UND undefined reference uh the defined ones are all the other ones and those are like uh non-static parameters in the file because this is really quick and dirty so this is this is just reading the symbol table of the um the elf binary because kind object elf binaries so it's super easy to re um but it's also super portable because you haven't got that dependency on specific

addresses you don't you have to know what stuff is that was the thing if you're running internal functions you want to keep it as static as possible um so the static key keyword will make sure that that symbol that address doesn't go anywhere outside of your actual file um or your module so that there's no external references to that keep it nice and clean I don't even know I wrote those at like 4 in the morning so don't know so hooking um I was going to talk about arm but I haven't done that much AR I've done mostly x86 and x86 64 so we're going to talk about that um so you got inline hooks which are little just hooks

where you patch a little bit of code to jump to your thing and go and do something else or call some function which is cool um so you all you have to do is you have to know where you want to jump to you've got some memory allocated somewhere with some code stub and you know exactly where that is and then you just say call that piece of code uh so you can like KN out stuff usually so we can patch The Cisco table which is super cool because everything goes through the ciso table um so everything we use land interacts with it that way uh we can I can't even read this any of

my glasses we can also hook kernel methods and kernel symbols um so we will I this looks a bit weird we'll cover some of these um so x86 64 has a cheating mechanism where it actually has some Hardware registers which you can use to shortcut the interrupt mechanism which we'll talk about in a second but in general you have an interrupt table in memory and every time an interrupt on the hardware is invoked so like youve all heard of int80 or like in3 or whatever um it will go to the interrupt table and say what's my Handler for this interrupt call that load that run it and then that will go and do something in kind of memory um

arm has the same thing except I think they call it exception Vector table I'm sure about V8 but that's this case in V7 I think we can also use debug hooks so we can install a break point um within the kernel there's nothing stopping us of doing that so we can say if the kernel executes this page or this address of this page tell me about it and run this Handler function that's quite interesting um and there's a bunch those are Hardware registers so you literally just write into the hardware registers where you want to go so inline hooking um you basically just patch out where it says this is the existing cisal stub for

where we want to go we we've made our own mock one which looks almost identical but with some funky stuff and you just change your addesses so you just keep a copy of this old one because you need it and then you take the new one and you patch it onto that table um you can also do the same concept with interrupt tables which is super annoying uh so where you basically just reite the entry to the table so there's an interrupt Handler and when the interrupt is triggered you go to your new interrupt Handler which is cool uh and then eventually we'll get around to MSR hooking so these are model specific register these are they didn't

used to exist but these allow you to shortcut the system we'll talk about in more but it means basically instead of doing the in0 stuff you can call CIS call and it can do a very fast transition into kernel mode which basically speeds everything up crazy amounts um because you don't have to go through the inter Handler so we need to get the cisal table address because if you want to patch it we need to know where it is um so there's a interrupt script table called an ID and there's an instruction on x 6 to get that interrup descript table and you can do that from non-privileged user that's totally great um so we can get the kernel address of

where that is there's a we want to read the in8 so hex8 offset um Handler for that so then we just find what that's pointing to and then we reconstruct the CIS call Handler with our new CIS Handler um X8 664 simplifies this in that you don't have to do that you can literally just read read um the lstar register which is basically the equivalent lstar register just stores where the cisal table is loaded and that's like the cheat version which everyone uses um and the way that we actually get the address is we we know that it's somewhere within this area but we don't know exactly where but we know these magic bites that some clever

[ __ ] came up with um always preced the Cal table address so you scan for memory you find those three bytes and then you copy four bytes or eight bytes if you're using long mode um afterwards and that will be your address and then you've got your address perfect and it seems to work um cool arm does things very similarly uh except that you've got this software interrupt Handler which is basically like our CIS Handler um it's pretty much 99% the same thing except you have obviously a different set of bites it's the code preceding those bites same thing Frack 68 has got a great article on it um okay so x86 interrupts an absolute

blood pain anybody familiar with interrupts yeah cool okay so interrupts used to for Hardware to trigger things um for software to trigger things for exceptions in code so classic one well actually we've got some classic ones later on um and cisal and then there's a bunch of information about those there um so we've got external hardware interrupts which is there's a programmable interrupt controller on x86 which is like a almost like another chip it's actually in the same chip um where it has certain events that if that event is triggered from Hardware so say the disc has decided that it's finished doing whatever it will trigger um and then that interrup controller will then pass the trigger onto the CPU and say

hey I've got something for you you want to look at this and that's how it works I think and then you you've got software trigger interrupts which don't go through that interrupt controller so those are directly CPU generated interrupts um and I don't know how do that is that's pretty clear actually um yeah so then you've got these interrupts over here and we don't really care too much um on Linux say 56 different interrupt handlers you can have not all of them are used use most of them like the first 100 and something um and there is a register called the IDR it's an IDT register um which defines where that table is located in memory similar thing

to before um you got this horrible mechanism where for some reason their addresses are like in two parts because somebody in Intel thought that was great when they're smoking something weird in the 70s um so you've got these ID base which is the base of the ID and you got the 16bit address which is the limit so that's your maximum obviously for those you can do bit mat we don't have 65,536 handlers but we could um we then have all these different Gates which are little blocks of memory which all unpack the same which we talk about now so these are some of our notable interrupts like uh in zero which is a divide error

so if you do divide by zero error in user L code that will call an interrupt saying you did a division wrong what you're doing um and it handles that single step so when if you ever use a debugger it's just setting um saying I want to set to the next instruction so I want to advance the PC by like one rather than anything else uh external non-mas inter inter interrupt which like the hard Hardware ones so things we can't mask off and ignore um break points which are similar to single stepping except we set when it goes to this address I want you to tell me overflow don't need to explain that General protection fault you wrote

something you did something wrong um page fold that page isn't current in memory because for example if you imagine with a paging mechanism you want to get a page and that hasn't been loaded um yet it has to generate an interrupt to tell memory that that page needs loading and finally ciso the one we're interested in mostly so this that's what the interrupt descriptor gate looks like it's an 8 by descriptor for some reason they decided that we have an offset there and there and those two combined make our address we also have our seg segment selector um which allows us to obviously select our segment so we're writing in the right um I'm not going to talk about

segmentation because it's horrible and we have the DPL which is our descript of privilege level which is the privilege that we're going into so let about that now you can go up privilege so uh DPL Z is ring zero DPL 3 is ring three we can go down a privilege but we cannot go up a privilege in a descriptor we have to always go down um so you can't execute something from uh ring zero to execute some user mode code because then you're basically handing kernel privilege um to a user mode application which we obviously can't do yeah whatever um so that's any of you familiar with C that's a really crappy struct that it basically

defines the descriptor so if we copy the memory into there we can read it and the next thing that looks horrible because it is um we'll get the descriptor number that you've set it so if you want descriptor one you put in one okay that one and then obviously we at the bottom we reconstructing our address because they were weird so then we want to replace it so we take uh two functions we got the old function which we assume we have the address to because you've got to have the address and we got a new function which is obviously the address the new function has have the same calling convention has have the same linkage and

then we got an interrup that we want to replace with uh so we take our new address and we've got our pointer to the descript table and we get a copy of so old FN doesn't have anything in it that's used to store it so we pass it something to go andall the existing descriptor into so that we can refer to it later when we clean up and then we go back and we replace the IDT um to our new address which is what that line is doing and then the gpf is is disable um General protection fault because if we try to do that it's a readon page and it will tell us it's a readon page but

we'll do it in a really really nasty way when you just get dumped and your entire machine just crashes um found out the hard way quite a few times so after the descriptor table gets its address of what it wants to load it then calls a piece of St called error code and error code is a Handler which takes any descriptor and deals with it um so we need to know code is because that's what we want to jump to after we've done our little uh rewrite so we want to write our little filtering Handler sub this has to be as lightweight as you can make it because obviously every single time an interrupts being called this

code is being called so if you do something really nasty and big it will take forever to run um and it will cause problems um we then rewrite the default the existing Handler to uh redirect to our new Handler and then finally we jump to the error code so we have to set it up we have to pass our address in on the stack and then we have to jump to that error code so to locate the error code this is a bit more interesting we can use the system. map table because that has all the kernel symbols and is a kernel symbol and that's great the only problem with that is that um we have the

same issues we had before where then you've got why why do you want to know what eror code is that's really weird um and it's not anywhere near as portable as you want it to be so we can dynamically locate it by finding out what code follows error code so what error code is so we grab 32 bytes of error code um and then we basically signature that so then we search a relatively small like 1,24 bytes um of the table for that piece of code and then we know the thing at the beginning of that piece of code that's going to be our address for error code and it's extremely unlikely to get the

wrong thing and nobody ever changes error code because it's so ingrained in the kernel um and we know cuz if you look at entrys which is part of the kernel it will have uh divide eror which is the first interrupt Handler little St and then somewhere after that we have error code so we know that after that it's probably going to compile after that somewhere not too far and because Conor address is like super big so um I actually I changed out the Lots cuz I looked and I got my number wrong so I'm I'm not going to claim anything um but it's it's pretty big it's at least a gig on X on 32bit um it's bigger than that

on other architectures so so we don't want to like search a gig because that will take forever and that's really really memory intensive and terrible and we don't [ __ ] with the kernel because the kernel will [ __ ] with you ands will find you and he will kill you um cool so this is an extract from error. s which is the error Handler stuff top thing is our divide error Handler if you notice it's super easy he just sticks zero on the stack sticks the address on the stack and then jumps to error code obviously that's implied here and then error code does some magic so we know that after div error zero sorry div

divide error um somewhere after there we're probably going to have error code so we do is we create our signature this is literally just G um I wrote a little C module that will basically just find the symbol far code take the 32 bytes out copy them and then use those so this is just the code that we're looking for that's it so we then look in 1,24 bytes is pretty arbitrary but it works so I search for it and we just search for that 32 by Chunk in the24 bytes which is great um it's it works that's all I can say uh so the Handler stub needs to do some magic because we need to make sure

that we're filtering out stuff and we have to write this in assembly which is horrible so horrible um we have to make sure that every all the state is considered um and like maintained which is great so push Flags push registers call the filtering code to check do we want to hook this thing if it returns zero then we're good um def jump to the default as normal if it jumps to one we want to handle this particular case whatever that case is uh and then we will pop the flags again and we will push the error code so we push zero and then we push the address that we want and then we jump to error code and that

will do some magic so that kind of looks like this is horrible it's way worse like I've seen this too many times it's disgusting um also the red actually shows up really badly on that so just ignore it but basically what we're doing is we're checking we're just checking that the result of that function which is in eax is zero so if it's zero we just jump to our existing code if it's not zero we jump to our Handler um the other thing we have to do is we have to remove the Handler because if we we can't just like walk away once we're done if we if we if we're ever done um we have to have a neat way of

getting out and this is mostly for debugging purposes so this is exactly the same as before but instead of um spping out any addresses you're spping the old address for the address that we've replaced it for before so this is this is a linkage of an existing Handler this is an in3 Handler um that has the same calling Convention as the previous in3 Handler except this time it just prints some stuff and jumps to the existing Handler this is a different way of doing it Let's ignore that [ __ ] um so we can also yeah so that that was all kind of like generic interrupting stuff we can do that for the uh in8

interrupt as well it's really um so we want to basically filter out cisal because the cisal convention stores the number of the cisal in the eex register so if we want to read a particular register sorry a particular CIS we just check the e register for the one that we're looking for and that's super low overhead it's like two instructions um and then we do the same things as before we handle the interesting cases and we ignore all other cases which has nice lightweight thing but um yeah it sucks because it's super hard and it fails so much so so much um but there's a better way and it's portable and it's easier and well

you can ignore all of that stuff I just said like that's all crap you can get rid of it so we've now got a faster Cisco mechanism this is what we're talking about earlier this is the Cisco instruction and the CIS exit instruction sorry CIS enter CIS exit instruction um so we just call a very very similar calling convention and then we just go CIS call and for example if you're importing a read function GBC already has the code for this GBC will do this automatically it won't bother going for the old interrupt handle it'll go for the new one because it's not terrible um and we have dedicated machine registers that we can store the code well the Cs

seg register the uh stack pointer and the base pointer so that when we jump back we know exactly where we are and there's no risk of corruption so we haven't popped anything onto the stack this is all just stored in registers which is great so we can hook x86 64 cisal because obviously that previous technique is redundant because nobody calls like that so um because GBC won't do that if you hook the interet Handler it will just get ignored because no one's actually using in na anymore um and there's we all we need to do is find that cisal table which is like the one before but slightly different in a different place so we search for the

magic bites and then we take the address after those magic bites so we know that the address will exist in the Cisco dispatch code after those so we search for them we take the address and then we do something um that's much better so there's the Elsa register which is the long something something something something something which is the cisal target so that this is like our previous IDT instruction so we can call to find out where that is and then we copy the code in that chunk after that chunk uh 52 bytes pretty arbitary and then we search for the magic numbers we want like we did with error code and then we return the address that exists after

this so the eight bytes after these three bytes we know with a pretty good certainty that that's what we want as our uh cisal table address kind of look like this that actually does look terrible as well um readstar we the me me function basically just searches for those bytes in memory and then returns that if it's not null which means we found it we do some weird pointer casting and then we're back so all we're doing is we're basically saying here's a chunk of memory find these three bytes get eight bytes after that and then return that as an address um so that's pretty easy uh the hooking is even easier because all we

have to do here is we just have to take that cisal table address so cisal table address you see here is the one that we just got and then we find the offset to in this case the open CIS and then we hook our new open function to where the existing open function is this is all function point of magic uh likewise we have to unhook it same thing you take the existing call uh function and overwrite it um and then we're all golden so so I think now is a good time prob falling asleep that Envy you haven't slept probably in days uh so we're going to we going to have a demo um but I do have terrible luck so we're

going to do a live uh is this mirrored it's not mirrored suck all right let's get some so this is really hard I just realized because I can't see what I'm doing all right um if that doesn't say make install then we're [ __ ] so I keep forgetting this one we're good no messages and if we go Dem message we should have a nice yeah there we go the little red thing that's saying that it worked so we've got a picture where's the mouse okay um this is this is way when I had mirrors so this is a little picture of a field and are you serious no are you suck that's the worst demo

ever Zer out of 10 hang on one of several things has happened I probably put it somewhere I shouldn't have this might be a super quick fix oh it's so a super quick fix but I totally don't a you son of a [ __ ] I put something in the temp directory and it got deleted so when I tried to replace the thing that was in the temp directory it's not there anymore that's I shouldn't have rebooted my machine um I'm not going to fix that I'm lazy that's super sucks right so that's not what I want how do I undo right what the [ __ ] this is so difficult [ __ ] sake

damn I I so if you've got a mirror I'll I'll take a mirror like right about in the middle that' be perfect oh there we go so that that would have been a total W if if it had worked but but it didn't so that kind of works anyway right okay what should have happened is that boy should have come up so um basically what we did there was we hooked the open function oh we didn't care about that we hooked the open function so that if we found anything with the word field on it and the extension. jpg we replaced it with our that boy picture in temp which wasn't in temp which is why it

disappeared that was the worst demo I've ever seen I'm so disappointed with myself and then we just call the number one um so basically we just take the the string that says this open this file we just replace that with our file if it has that condition I'm going to see if I can get this working later um so after that ridiculously disappointing demo which I probably actually have time to fix I I'm going to fix it I'm GNA fix it fix it fix it fix it fix it it's going to be a really terrible one as well CU I uh are you a JPEG you better be a j a you're a JPEG amazing

no because they we just calling open all we're saying is you've asked for this file and I'm like l no we're having this file instead it works

uh we can totally do this ah where are you this is so much more difficult when people are watching you everybody look

away not to self don't put things in the temp directory they will get deleted probably all right okay so now that is that up let's get that let's try that again okay where's my mouse anybody oh it's on this screen hold on yes yes right you do really super hard [ __ ] and then the really easy [ __ ] breaks right so so just to show that that wasn't actually just some weird file cing [ __ ] if I do make remove we'll uninstall the module is that okay yeah so we've removed that now um so if you go back to that same directory and open that picture it's the window shitty field thing it's

just a normal file oh okay I hope I hope that got them the concept across sick [ __ ] sake absolutely I mean from that I could have said give the calling um protest privileges I could just change the cred structure in memory I the reason I'm not doing that is because I tried to doing that and I kept corrupting the stack and I didn't get time to fix it so that's why cuz colel stuff is really really hard um oh son of a knowing you're like autonomous I do know how to computer honest sort of we right at the

end made it so did we do this we did this yeah we did no we didn't yeah we did so the one thing I forgot to mention this slide read MSR is a dedicated instruction and we do read MSR and then we give it the machine register which is just a hex code we basically say read this machine register that's the thing that we're doing instead of the IDT stuff um okay so did a live it failed and then they W um cool cool so we replaced it and we put in our own image and it's great for trolling I tried to do a Rick Roll last night and I was like that's great but I

realized that the sound probably wouldn't go through so it would be really terrible and shitty my speakers whatever so because it's a security conference we're probably going to talk about detection how do you detect stuff like this one the assumption is if it's in the konel and somebody's smarter because I mean the guys who doing this for a living way smarter than me and they're just like they know this [ __ ] and they will know exactly how to prevent you from doing anything you can just comp keep keep hooking things until there's nothing left of the original kernel um tldr in the kernel you can just write over everything it's great um signature scanning symbol scanning

that's always works you can compare the kernel symbols one of the biggest things and this is something Windows does really well Windows used to be crap like 10 years ago now it's actually I'd say for security it's one of the best um sign drivers sign drivers all the time because you can't do an injection you have to make sure that somebody authenticated that driver you're not just loading it from Bob in some dodgy country in Eastern Europe um from knuckle Bob but it basically is just that layer to make sure that anything that goes in the kernel is is good and we know cryptographically that it's good that's great you can do anything else um the the biggest thing don't don't get

a root kit on your machine or if you're running systems but in all seriousness if you're running a system and somebody can get rout you already pwned like you're super pwned so you kind of want to make sure that that doesn't happen obviously it might and you need to be able to deal those cases but the best mitigation is prevention I guess um don't let anyone get root on your machines run things in um containers containers are great containers are the best thing ever um so that you they think they've got root but they haven't got root that's pretty cool other things that I haven't done here uh you can use net filter to to so

the communication mechanism we had there was we call a syst call but we have still have to be an unprivileged user on the system to do stuff we can do it with the network as well so we can use net filter to say if somebody sends us a ping packet like an IC icpm icmp packet that has a payload because they can have payloads we put in sorry we put in some magic bites I drank so much Relentless earli it was awful um we put some magic bites and if the packet has those magic bites we filter out for it and then we call some special source uh that basically means that over the Network

anywhere as long as you can send a ping to the machine and it's got the rootkit installed you can do whatever you want that's pretty cool you can also do some stuff with the file system so you can uh infect typically proc files proc SL version is quite common um so that if you write certain bites to that file or you try to read and the classic one is if you try to read a file but you try to read zero bytes out of it obviously no San person would do that probably um but if you try to do that it will say oh cool that's that's us let's let's do something cool let's give this process

root privileges or whatever better hooking mechanisms actually having a featured set of rootkit stuff reason I didn't do it is because I don't want to get addressed and I have no reason to put this on people's machines CU I'm not a dick uh well I am but not in that sense um the other really cool thing this is actually a little bit older is we can do page flipping which is super cool where you've got one page with no hook on it for read write permissions and we have one page that's a clone of that page but with execute only permissions and if a MAA scanner wants to detect a um hook in our code it will it will obviously it

will read right so it'll read that page it'll read the one without hooking and as soon as we want to execute that or jump to that it will say it will throw a page fult because it say but there's no permissions to to execute this so then it will load up the execute page and it'll execute the one with the hook in it awesome because that's really really really really really hard to get around like to defend against because you don't know that's happening because that's like super low in the system I'm going to say that's it so questions comments I don't know whatever have we got yeah we got sweet sick uh come on you got have questions that

was

horrible yes a little bit yeah it's been done um it's it's known to people who are into those circles but it's not known by the wi industry and that's one of the biggest problems with root kits is that people are defending against stuff that was done in the '90s and 20 early 2000s and nowadays the like guys at blackand defon last week they're way ahead of this stuff um it's really hard to stay on it because stuff like that is you have to go to Intel and say Intel Your Design sucks fix it or I mean the same thing happens with arm like this is this is conceptual this isn't this is how the Machine Works we're exploiting

the functions of the system and all systems pretty much work like this so it's really really hard to defend against because yeah somebody might do that but then if you don't have that system how do we do paging we can't so we have to do that anything else got to be questions

M what was

that so um you can do that you can totally do that yeah um the the problem with doing that is that you still have a big hole where like what if I patch kernel memory to disallow that or what if the classic one is with the S3 boot script you can change the S S3 boot script to modify the way it loads things so you can the thing that gets loaded to stop other thing loads you can just get rid of that there there's always like it's um just war games like everybody's just escalating um yes but at the same time absolutely those kind of protections are the things that will hit the low hanging

fruit and like the 98% of things there was another question up

there

yep easiest way to detect if somebody's hooking something is to check with know good values and you can do that because you've got a file called system.map which tells you what the codes what the symbols should be and then you go to that symbol and say well where is it like why is it different because somebody's changed it so what you're looking for is you're trying to detect those changes the problem is if you there are thousands of symbols and if you want to check every single one that's going to take a long time that's quite a high of the head and you're doing in the kernel as well so everything kind of has that

imperative is that kind of ask your question

co exactly that's that's exactly what I mean that was a that was a very innocent example which is great um but that very innocent example could stop some MAA scanner from running you know like we want to execute this file execve well if somebody calls exact ve with this malware scanner no deny it you know the basically what I'm trying to get across is the possibilities are basically endless um which is why the protection of the kernel is so important and why I don't understand why we don't have more signing in Linux especially some systems do um but because a lot of people use custom Linux builds it's inconvenient and you want to load your own like um SE so you want to

load your own modules with your own sign set or whatever Linux doesn't really play that well with it so you have to make sure that um whatever's getting loaded the kernel has some Roots AA somewhere signing it and making sure it's super legit but basically anything else got to be more questions doesn't have to be about this generally brexit if you

want smart smart guy so did you seen sorry oh basically Windows is now integrating a Linux subsystem into windows and the way that actually works is a really great talk that will be out on from Defcon or blackout one of the two on how this works is it has an 800k overhead which is insane to load a subsystem which is the entire Linux kernel obviously the Linux Kel is an 800k but the loader for that is 800k so this really small one it's running a version of the Linux kernel in the system so when you get your little bash prompt you're not fiddling with some ridiculous thing you're fiddling with a version of Linux that has a translation

mechanism for most of the CIS schs so it knows if you call a right in Linux you probably want to call a WR in Windows and it knows how to translate that um and then it has some emulation stuff for the slightly odder cases but it's a full emulation within the window subsystem if you can get into that because somebody put a massive vulnerability in it and you can get a root kit in there why can't you get a rot in Windows perfectly good thought really cuz you know your security is any as good as you hanging fruit right so if you've got something like that

in yeah

yeah yeah so Linux has a pretty good system where it basically deals with errors in the scope that it can so if your sis if your user mode code caused a fatal error it will kill the user mode code because it has some code handling stuff that won't kill the kernel but if you run some kernel mode code and that kills the kernel then you're into sort of blue screen territory equivalent that that's when you're um you've got like a kernel panic so basic basically yeah um it's just increasing the attack surface it's a great feature like I actually quite like Windows I think it's not bad um I like Linux as well and I think having

something that can do both like you can't really run Windows on Linux so it's pretty cool having it the other way around I think it enables developers to do a lot of really cool stuff without having to swap around with VMS and stuff that's with weird emulation um but every feature comes with the price really cool anything else it's got to be something else we got like five minutes

yo ones the hard way there are some really really really good crash dumping tools for Linux so what we're talking about isn't um the user mode process died because we can deal with that we can the kernel still run running the kernel has a log D well K message has uh traces of that it's pretty useful um if we kill the machine the serial um interface or whatever you're looking at will just dump what happens to the can Will panic and you're dead in the water so there are some very good tools remote serial um so having a physical machine and having a serial connection attached to that is a pretty good way of doing it

because the you can kill a lot of things before the serial connection will die up um so you get with quite a lot there are some really really good projects I can't remember them off the top of my head but you can do some quick Googling that basically will take a crash dump and analyze it and tell you this is what went wrong this is what the stack looked like this is what the registers look like everything like that um and then you can analyze that offline so this is I mean I run that one live on my machine CU that was I don't know but you should really have a separate machine or VM or

whatever and something that when it die you you're expecting it to die um you got to know your assembly I think you got to understand how stack framing works you got to have a bit of looking into the canel but the method that we talked about afterwards that's super easy to do and that's quite low overhead and you don't have to type a single line of assembly at all which is really really nice uh and that which basically means there's less room to go wrong because you're rely on the compiler to generate code rather than you and you can guarantee the compiler can do a better job it's pretty smart cool anyone else call

it