Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Linux Rootkit Internals
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
@tkmru
December 23, 2017
Programming
2.2k
1
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Linux Rootkit Internals
@tkmru
December 23, 2017
More Decks by @tkmru
See All by @tkmru
10分で知るゲームが「チートされる」仕組み/findy202603
tkmru
0
1.1k
リバースエンジニアリング新時代へ! GhidraとClaude DesktopをMCPで繋ぐ/findy202507
tkmru
8
2.7k
Bring Your Own Container: When Containers Turn the Key to EDR Bypass/byoc-avtokyo2024
tkmru
2
1.9k
ipa-medit: Memory search and patch tool for IPA without Jailbreaking/ipa-medit-bh2022-europe
tkmru
0
430
Ipa-medit: Memory modification tool for iOS apps without Jailbreaking/ipa-medit-codeblue2022
tkmru
0
240
趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5
tkmru
0
5.5k
Ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @Black Hat USA 2021 Arsenal/ipa-medit-bh2021-usa
tkmru
1
4.9k
Learn the essential way of thinking about vulnerabilities through post-exploitation on middlewares (MySQL/PostgreSQL編)/seccamp2020-b8
tkmru
3
990
apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox
tkmru
0
250
Other Decks in Programming
See All in Programming
Vite+ Unified Toolchain for the Web
naokihaba
0
740
AIを活用したE2Eテスト実装効率化のあゆみ / ebisu-mobile-14-kotetu
kotetuco
0
170
霧の中の代数的エフェクト
funnyycat
1
340
関数型プログラミングのメリットって何だろう?
wanko_it
0
160
『コードを書く以外の』エンジニアリング〜課金基盤移行プロジェクト推進のためのTips4選
yuriko1211
0
220
はてなアカウント基盤 State of the Union
cockscomb
1
1.3k
Semantic Version 単位で戦略を柔軟に変えて、パッケージアップデートを自動化する
daitasu
1
350
例外の正しい扱い方 そのエラー try-catchして大丈夫?
jinwatanabe
0
360
エンジニアと一緒にテストコードの設計と実装を改善した話
mototakatsu
0
260
PHPだって関数型したい 〜できること、できないこと〜 / fp-in-php
jsoizo
0
190
Observability in Practice:Grafana 與 Edge Device SRE 的那些事
blueswen
0
190
なぜ型を書くのか? TSKaigi2026で改めて考える #tskaigi_smarthr
kajitack
0
340
Featured
See All Featured
What the history of the web can teach us about the future of AI
inesmontani
PRO
1
630
AI: The stuff that nobody shows you
jnunemaker
PRO
8
820
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Impact Scores and Hybrid Strategies: The future of link building
tamaranovitovic
0
330
The Pragmatic Product Professional
lauravandoore
37
7.4k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
55k
DevOps and Value Stream Thinking: Enabling flow, efficiency and business value
helenjbeal
1
260
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
12
1.7k
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
aleyda
1
2.1k
Rails Girls Zürich Keynote
gr2m
96
14k
Testing 201, or: Great Expectations
jmmastey
46
8.2k
Jess Joyce - The Pitfalls of Following Frameworks
techseoconnect
PRO
1
190
Transcript
Linux Rootkit Internals Cyber Wargame Christmas Party(େηΩϡϦςΟ) 12/23 @tkmru
ࣗݾհ • ͚ͨ·Δ(@tkmru) • CTFνʔϜ: TomoriNao • ಉਓࢽαʔΫϧ: TomoriNao •
ౙίϛʹམͪͨͷͰಉਓࢽʹॻ͘༧ఆͩͬ ͨωλΛൃද͠·͢
Rootkitͱ • ࡞ಈதͷϓϩηεϑΝΠϧɺϩάγες ϜσʔλΛӅ͢ϚϧΣΞ • ex) ps, topίϚϯυΛӅ͢ɺϚϧΣΞࣗମ ͷϑΝΠϧɺϓϩηεΛӅ͢ •
ࠓճͷLTͰରͱ͢ΔͷLinux͚ͷͷ
• GitHubʹOSSͱ͍ͯ͠Ζ͍Ζެ։͞Ε͍ͯΔ • ʢଟʣݚڀ༻ʁ • ϚϧΣΞͷίʔυ͕ಡΊΔʂʂ • ·ͱΊ: https://github.com/tkmru/awesome- linux-rootkits
GitHubʹίʔυ͕͋Δʂʂ
͍Ζ͍ΖͳLinux Rootkitͨͪ • LD_PRELOAD Rootkit • Kernel Module Rootkit •
Ramdisk based Rootkit
LD_PRELOAD Rootkit • ڥม LD_PRELOAD Λͬͯڞ༗ϥΠϒ ϥϦΛࠩ͠ସ͑Δ͜ͱ͕Ͱ͖Δ͜ͱΛͬͨ rootkit • ex)
Jinx2, vlany, azazel
LD_PRELOADͱ • ಡΈࠐ·ͤΔڞ༗ϥΠϒϥϦ(.so)ͷύεΛઃఆͰ͖Δ ڥม • γϯϘϧͷ໊લղܾͷͱ͖ γϯϘϧ໊͕িಥ͍ͯ͠Δͱ LD_PRELOADʹઃఆ͍ͯ͠Δ .so ͷؔΛ༏ઌͯ͠ಡ
Έʹߦ͘ • ͜ΕʹΑͬͯؔΛ্ॻ͖Ͱ͖ɺrootkitʹ༻͍Δ͜ͱ͕ Ͱ͖Δ
LD_PRELOADͱ $ ldd $(which ls) # ಈతϦϯΫ͞Ε͍ͯΔڞ༗ϥΠϒϥϦҰཡ linux-vdso.so.1 => (0x00007ffdc1b78000)
libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007fbe97fb5000) libacl.so.1 => /lib/x86_64-linux-gnu/libacl.so.1 (0x00007fbe97dad000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fbe979e3000) libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fbe977a5000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fbe975a1000) /lib64/ld-linux-x86-64.so.2 (0x000055f1ce4c8000) libattr.so.1 => /lib/x86_64-linux-gnu/libattr.so.1 (0x00007fbe9739b000) $ LD_PRELOAD=./hook.so /bin/ls # lsͷؔΛϑοΫ!!
Kernel Module Rootkit • Loadable Kernel ModuleΛར༻ͯ͠ɺkernel ͷػೳΛॻ͖͑Δrootkit • Kernel
rootkitɺLKM(Loadable Kernel Module) rootkitͱݴΘΕΔ • ex) adore, suterusu, diamorphine, etc
Kernel Moduleͱ • ਖ਼໘͔Β KernelͷίʔυʹखΛೖΕɺػೳΛՃ͠Α ͏ͱ͢Δͱɺ࠶ίϯύΠϧͯ͠Ϧϒʔτ͢Δඞཁ͕͋ Δ • Kernel ModuleΛ͏ͱɺΧδϡΞϧʹKernelʹػೳ
ΛՃͰ͖Δ • ਖ਼͘͠NICͷσόΠευϥΠόΛՃ͢ΔͨΊʹ ΘΕΔ
Kernel Module Rootkit • γεςϜίʔϧΛϑοΫ͢ΔKernel ModuleΛՃ͢Δ͜ͱͰ RootkitͷػೳΛ࣮ݱ͍ͯ͠Δ • ҎԼಈ࡞ྫ •
֘͢ΔγεςϜίʔϧΛϑοΫͯ͠ॲཧΛมߋ͢Δɻ • ϑΝΠϧͷݺͼग़͠ΛϦμΠϨΫτͯ͠ɺผͷόΠφϦΛ࣮ ߦͤ͞Δɻ • ࠷ऴతʹग़ྗ͞ΕΔใͷΈΛมߋ͢Δɻ
Ramdisk based Rootkit • initrd(ॳظRAMσΟεΫ)Λॻ͖͑Δ͜ͱʹΑΔ rootkit • ׂΓͱ৽͍͠λΠϓͷrootkit • ex)
Horse Pill: black hat USA 2016 • https://www.blackhat.com/docs/us-16/materials/us-16-Leibowitz- Horse-Pill-A-New-Type-Of-Linux-Rootkit.pdf
initrdͱ • ϑΝΠϧγεςϜΛϚϯτ͢ΔͨΊͷϑΝΠϧ Λѹॖͨ͠ͷ • ॳظͷϒʔτϓϩηεͰΘΕΔ • initrd ͕ϩʔυ͞ΕΔͱɺϑΝΠϧɾγεςϜΛ ༻Մೳʹ͢ΔͨΊͷkernel
moduleͳͲ͕ಡΈࠐ· Εɺ/ ҎԼͷϑΝΠϧγεςϜ͕Ϛϯτ͞ΕΔ
ϒʔτϓϩηεͷͲͷล͔ʁ • UEFI • shim • grub • linooks •
initrd • systemd • app
$ ls -l /boot (Ұ෦লུ) drwxr-xr-x 5 root root 4096
Dec 9 06:40 grub -rw-r--r-- 1 root root 20566118 Dec 9 06:41 initrd.img-3.19.0-80- generic kernelΑΓ৽͍͠ -rw------- 1 root root 6595152 Jan 13 2017 vmlinuz-3.19.0-80-generic ɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹinitrdΑΓ৽͍͠ initrdΛݟͯΈΔ • /bootҎԼʹγεςϜʹΑͬͯಈతʹੜ͞ΕΔ • ͳͥʁ • ڥͷࠩҟʢϋʔυΤΞɺϑΝΠϧγεςϜ etcʣʹΑͬͯϑΝΠ ϧΛม͑Δඞཁ͕͋Δ • ιϑτΣΞɾΞοϓσʔτʹΑͬͯಈతʹߋ৽͞ΕΔ
$ file /boot/initrd.img-3.19.0-80-generic /boot/initrd.img-3.19.0-80-generic: gzip compressed data, from Unix, last
modified: Sat Dec 9 06:40:55 2017 $ gunzip --to-stdout /boot/initrd.img-3.19.0-80-generic | cpio -tvɹ(Ұ෦লུ) -rwxr-xr-x 1 root root 1600 Jun 13 2017 bin/insmod -rwxr-xr-x 1 root root 976 Jun 13 2017 bin/dmesg -rwxr-xr-x 1 root root 4872 Jun 13 2017 bin/run-init -rwxr-xr-x 1 root root 3904 Jun 13 2017 bin/dd • gzipͰѹॖ͞Ε͍ͯΔ • ίϚϯυͷόΠφϦɺϑΝʔϜΣΞͳͲ͕ ؚ·Ε͍ͯΔ initrdΛݟͯΈΔ
initrdΛͲ͏͏ͷ͔ • initrdͷதʹ͋Δ run-init Λॻ͖͑Δ • ϒʔτ࣌ʹrootkitͷϓϩηεΛੜ͢Δ • initrdಈతʹੜ͞ΕɺγεςϜͷߋ৽ʹ Α͕ͬͯ࣌มΘΔͷͰɺॻ͖͑ͯؾ͔ͮ
Εʹ͍͘
͓ΘΓʹ • ࠓlinux rootkit͕linuxͷͲΜͳΈΛ͍ͬͯΔ͔ հ͠·ͨ͠ • ݕ͢ΔʹɺOSSECchkrootkit, rkhunterͱ͍ͬͨ πʔϧ͕͋Δ •
OSSͱͯ͠ެ։͞Ε͍ͯΔrootkitΛͲΕ͘Β͍ݕͰ͖Δ ͔ࠓޙ͍ͬͯ͘ • ࣍ճ࡞ʹظ͍ͯͩ͘͠͞ʂʂʂ
ࢀߟࢿྉ • The magic of LD_PRELOAD for Userland Rootkits |
FlUxIuS' Blog (http:// fluxius.handgrep.se/2011/10/31/the-magic-of-ld_preload-for-userland- rootkits/) • ΤϯλʔϓϥΠζɿୈ5ճɹkernel rootkitͷ֓ཁ (http://www.itmedia.co.jp/ enterprise/0306/10/epn12.html) • ˏITɿΠϯγσϯτϨεϙϯε͡ΊͷҰา ୈ4ճ ৵ೖऀֻ͕͚ΔLKM rootkit ͷ࣮ (http://www.atmarkit.co.jp/fsecurity/rensai/rootkit04/rootkit02.html) • The Horse Pill Rootkit vs. Forcepoint Threat Protection for Linux | Forcepoint (https://blogs.forcepoint.com/security-labs/horse-pill-rootkit-vs-forcepoint- threat-protection-linux)
ղੳʹཱͭࢿྉ Linux Rootkit Detection With OSSEC • https://www.sans.org/reading-room/whitepapers/detection/rootkit- detection-ossec-34555 •
OSSECʹΑΔRootkitݕग़ʹ͍ͭͯॻ͔ΕͨSANS͕ग़͍ͯ͠Δࢿྉ Malware memory analysis of the Jynx2 Linux rootkit (Part 1) • http://www.dtic.mil/get-tr-doc/pdf?AD=AD1004190 • VolatilityΛͬͯJynx2ͷϝϞϦμϯϓΛղੳ͢ΔDRDC(ΧφμӴݚڀ։ ൃ)ͷࢿྉ