Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Linux Rootkit Internals

Avatar for @tkmru @tkmru
December 23, 2017
Programming
2.1k
1

Linux Rootkit Internals

Avatar for @tkmru

@tkmru

December 23, 2017

More Decks by @tkmru

See All by @tkmru
10分で知るゲームが「チートされる」仕組み/findy202603
Avatar for @tkmru tkmru
0
1k
リバースエンジニアリング新時代へ!
GhidraとClaude DesktopをMCPで繋ぐ/findy202507
Avatar for @tkmru tkmru
8
2.6k
Bring Your Own Container: When Containers Turn the Key to EDR Bypass/byoc-avtokyo2024
Avatar for @tkmru tkmru
2
1.9k
ipa-medit: Memory search and patch tool for IPA without Jailbreaking/ipa-medit-bh2022-europe
Avatar for @tkmru tkmru
0
420
Ipa-medit: Memory modification tool for iOS apps without Jailbreaking/ipa-medit-codeblue2022
Avatar for @tkmru tkmru
0
240
趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5
Avatar for @tkmru tkmru
0
5.5k
Ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @Black Hat USA 2021 Arsenal/ipa-medit-bh2021-usa
Avatar for @tkmru tkmru
1
4.8k
Learn the essential way of thinking about vulnerabilities through post-exploitation on middlewares (MySQL/PostgreSQL編)/seccamp2020-b8
Avatar for @tkmru tkmru
3
990
apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox
Avatar for @tkmru tkmru
0
250

Other Decks in Programming

See All in Programming
Lessons from Spec-Driven Development
Avatar for Simon Martinelli simas
PRO
0
210
Dataformのリポジトリを立ち上げるときにまずやること / dataform-day0-2026
Avatar for snhryt snhryt
0
170
「AIで開発し、AIを届ける」をEvalでつなぐ 〜AIネイティブに始めるプロダクト開発の実践〜 / Connecting "Develop with AI, deliver AI" with Eval
Avatar for r-kagaya rkaga
4
5.3k
決定論的オーケストレーションの設計と実装 / Design and Implementation of Deterministic Orchestration
Avatar for nrs nrslib
4
1.4k
Datadog × OpenTelemetry 入門と実践のあいだ
Avatar for Max Kento kn_to_maxpno
1
160
Claspは野良GASの夢をみるか
Avatar for てらうちたかし takter00
0
200
技術記事、 専門家としてのプログラマ、 言語化
Avatar for Koutarou Chikuba mizchi
13
6.1k
AI 輔助遺留系統現代化的經驗分享
Avatar for James Wang jame2408
1
510
Semantic Version 単位で戦略を柔軟に変えて、パッケージアップデートを自動化する
Avatar for daitasu daitasu
1
250
[2026年度第1回ORセミナー] 計画最適化ベンチャーと競技プログラミング人材
Avatar for terry-u16 terryu16
0
270
Composerを使ったサプライチェーン攻撃の様子を眺めてみる #phpstudy
Avatar for hideki kinjyo o0h
PRO
2
250
Honoでのサプライチェーン侵害対策 〜 3つのライブラリに学ぶ
Avatar for Yusuke Wada yusukebe
6
1.3k

Featured

See All Featured
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
287
14k
A brief & incomplete history of 
UX Design for the World Wide Web: 1989–2019
Avatar for Jason CranfordTeague jct
2
400
The Director’s Chair: Orchestrating AI for Truly Effective Learning
Avatar for Mike Taylor tmiket
1
200
YesSQL, Process and Tooling at Scale
Avatar for Rocio Delgado rocio
174
15k
StorybookのUI Testing Handbookを読んだ
Avatar for Shingo Yamazaki zakiyama
31
6.8k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
141
7.5k
AI Search:
Where Are We & What Can We Do About It?
Avatar for Aleyda Solis aleyda
0
7.6k
Building Adaptive Systems
Avatar for Chris Keathley keathley
44
3.1k
Writing Fast Ruby
Avatar for Erik Berlin sferik
630
63k
svc-hook: hooking system calls on ARM64 by binary rewriting
Avatar for Akira Moroo retrage
2
300
How Software Deployment tools have changed in the past 20 years
Avatar for Geshan Manandhar geshan
0
34k
What the history of the web can teach us about the future of AI
Avatar for Ines Montani inesmontani
PRO
1
610

Transcript

  1. Linux Rootkit Internals Cyber Wargame Christmas Party(େ࿨ηΩϡϦςΟ) 12/23 @tkmru

  2. ࣗݾ঺հ • ͚ͨ·Δ(@tkmru) • CTFνʔϜ: TomoriNao • ಉਓࢽαʔΫϧ: TomoriNao •

    ౙίϛʹམͪͨͷͰಉਓࢽʹॻ͘༧ఆͩͬ ͨωλΛൃද͠·͢

  3. Rootkitͱ͸ • ࡞ಈதͷϓϩηε΍ϑΝΠϧɺϩά΍γες ϜσʔλΛӅ͢Ϛϧ΢ΣΞ • ex) ps, topίϚϯυΛӅ͢ɺϚϧ΢ΣΞࣗମ ͷϑΝΠϧɺϓϩηεΛӅ͢ •

    ࠓճͷLTͰର৅ͱ͢Δͷ͸Linux޲͚ͷ΋ͷ

  4. • GitHubʹOSSͱ͍ͯ͠Ζ͍Ζެ։͞Ε͍ͯΔ • ʢଟ෼ʣݚڀ༻ʁ • Ϛϧ΢ΣΞͷίʔυ͕ಡΊΔʂʂ • ·ͱΊ: https://github.com/tkmru/awesome- linux-rootkits

    GitHubʹίʔυ͕͋Δʂʂ

  5. ͍Ζ͍ΖͳLinux Rootkitͨͪ • LD_PRELOAD Rootkit • Kernel Module Rootkit •

    Ramdisk based Rootkit

  6. LD_PRELOAD Rootkit • ؀ڥม਺ LD_PRELOAD Λ࢖ͬͯڞ༗ϥΠϒ ϥϦΛࠩ͠ସ͑Δ͜ͱ͕Ͱ͖Δ͜ͱΛ࢖ͬͨ rootkit • ex)

    Jinx2, vlany, azazel

  7. LD_PRELOADͱ͸ • ಡΈࠐ·ͤΔڞ༗ϥΠϒϥϦ(.so)ͷύεΛઃఆͰ͖Δ؀ ڥม਺ • γϯϘϧͷ໊લղܾͷͱ͖ γϯϘϧ໊͕িಥ͍ͯ͠Δͱ LD_PRELOADʹઃఆ͍ͯ͠Δ .so ಺ͷؔ਺Λ༏ઌͯ͠ಡ

    Έʹߦ͘ • ͜ΕʹΑͬͯؔ਺Λ্ॻ͖Ͱ͖ɺrootkitʹ༻͍Δ͜ͱ͕ Ͱ͖Δ

  8. LD_PRELOADͱ͸ $ ldd $(which ls) # ಈతϦϯΫ͞Ε͍ͯΔڞ༗ϥΠϒϥϦҰཡ linux-vdso.so.1 => (0x00007ffdc1b78000)

    libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007fbe97fb5000) libacl.so.1 => /lib/x86_64-linux-gnu/libacl.so.1 (0x00007fbe97dad000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fbe979e3000) libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fbe977a5000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fbe975a1000) /lib64/ld-linux-x86-64.so.2 (0x000055f1ce4c8000) libattr.so.1 => /lib/x86_64-linux-gnu/libattr.so.1 (0x00007fbe9739b000) $ LD_PRELOAD=./hook.so /bin/ls # ls಺ͷؔ਺ΛϑοΫ!!

  9. Kernel Module Rootkit • Loadable Kernel ModuleΛར༻ͯ͠ɺkernel ͷػೳΛॻ͖׵͑Δrootkit • Kernel

    rootkitɺLKM(Loadable Kernel Module) rootkitͱ΋ݴΘΕΔ • ex) adore, suterusu, diamorphine, etc

  10. Kernel Moduleͱ͸ • ਖ਼໘͔Β KernelͷίʔυʹखΛೖΕɺػೳΛ௥Ճ͠Α ͏ͱ͢Δͱɺ࠶ίϯύΠϧͯ͠Ϧϒʔτ͢Δඞཁ͕͋ Δ • Kernel ModuleΛ࢖͏ͱɺΧδϡΞϧʹKernelʹػೳ

    Λ௥ՃͰ͖Δ • ਖ਼͘͠͸NIC౳ͷσόΠευϥΠόΛ௥Ճ͢ΔͨΊʹ ࢖ΘΕΔ

  11. Kernel Module Rootkit • γεςϜίʔϧΛϑοΫ͢ΔKernel ModuleΛ௥Ճ͢Δ͜ͱͰ RootkitͷػೳΛ࣮ݱ͍ͯ͠Δ • ҎԼಈ࡞ྫ •

    ௚઀֘౰͢ΔγεςϜίʔϧΛϑοΫͯ͠ॲཧΛมߋ͢Δɻ • ϑΝΠϧͷݺͼग़͠ΛϦμΠϨΫτͯ͠ɺผͷόΠφϦΛ࣮ ߦͤ͞Δɻ • ࠷ऴతʹग़ྗ͞ΕΔ৘ใͷΈΛมߋ͢Δɻ

  12. Ramdisk based Rootkit • initrd(ॳظRAMσΟεΫ)Λॻ͖׵͑Δ͜ͱʹΑΔ rootkit • ׂΓͱ৽͍͠λΠϓͷrootkit • ex)

    Horse Pill: black hat USA 2016 • https://www.blackhat.com/docs/us-16/materials/us-16-Leibowitz- Horse-Pill-A-New-Type-Of-Linux-Rootkit.pdf

  13. initrdͱ͸ • ϑΝΠϧγεςϜΛϚ΢ϯτ͢ΔͨΊͷϑΝΠϧ Λѹॖͨ͠΋ͷ • ॳظͷϒʔτϓϩηεͰ࢖ΘΕΔ • initrd ͕ϩʔυ͞ΕΔͱɺϑΝΠϧɾγεςϜΛ࢖ ༻Մೳʹ͢ΔͨΊͷkernel

    moduleͳͲ͕ಡΈࠐ· Εɺ/ ҎԼͷϑΝΠϧγεςϜ͕Ϛ΢ϯτ͞ΕΔ

  14. ϒʔτϓϩηεͷͲͷล͔ʁ • UEFI • shim • grub • linooks •

    initrd • systemd • app

  15. $ ls -l /boot (Ұ෦লུ) drwxr-xr-x 5 root root 4096

    Dec 9 06:40 grub -rw-r--r-- 1 root root 20566118 Dec 9 06:41 initrd.img-3.19.0-80- generic kernelΑΓ৽͍͠ -rw------- 1 root root 6595152 Jan 13 2017 vmlinuz-3.19.0-80-generic ɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹinitrdΑΓ৽͍͠ initrdΛݟͯΈΔ • /bootҎԼʹγεςϜʹΑͬͯಈతʹੜ੒͞ΕΔ • ͳͥʁ • ؀ڥͷࠩҟʢϋʔυ΢ΤΞɺϑΝΠϧγεςϜ etcʣʹΑͬͯϑΝΠ ϧΛม͑Δඞཁ͕͋Δ • ιϑτ΢ΣΞɾΞοϓσʔτʹΑͬͯಈతʹߋ৽͞ΕΔ

  16. $ file /boot/initrd.img-3.19.0-80-generic /boot/initrd.img-3.19.0-80-generic: gzip compressed data, from Unix, last

    modified: Sat Dec 9 06:40:55 2017 $ gunzip --to-stdout /boot/initrd.img-3.19.0-80-generic | cpio -tvɹ(Ұ෦লུ) -rwxr-xr-x 1 root root 1600 Jun 13 2017 bin/insmod -rwxr-xr-x 1 root root 976 Jun 13 2017 bin/dmesg -rwxr-xr-x 1 root root 4872 Jun 13 2017 bin/run-init -rwxr-xr-x 1 root root 3904 Jun 13 2017 bin/dd • gzipͰѹॖ͞Ε͍ͯΔ • ίϚϯυͷόΠφϦɺϑΝʔϜ΢ΣΞͳͲ͕ ؚ·Ε͍ͯΔ initrdΛݟͯΈΔ

  17. initrdΛͲ͏࢖͏ͷ͔ • initrdͷதʹ͋Δ run-init Λॻ͖׵͑Δ • ϒʔτ࣌ʹrootkitͷϓϩηεΛੜ੒͢Δ • initrd͸ಈతʹੜ੒͞ΕɺγεςϜͷߋ৽ʹ Αͬͯ೔͕࣌มΘΔͷͰɺॻ͖׵͑ͯ΋ؾ͔ͮ

    Εʹ͍͘

  18. ͓ΘΓʹ • ࠓ೔͸linux rootkit͕linuxͷͲΜͳ࢓૊ΈΛ࢖͍ͬͯΔ͔ ঺հ͠·ͨ͠ • ݕ஌͢Δʹ͸ɺOSSEC΍chkrootkit, rkhunterͱ͍ͬͨ πʔϧ͕͋Δ •

    OSSͱͯ͠ެ։͞Ε͍ͯΔrootkitΛͲΕ͘Β͍ݕ஌Ͱ͖Δ ͔ࠓޙ΍͍ͬͯ͘ • ࣍ճ࡞ʹظ଴͍ͯͩ͘͠͞ʂʂʂ

  19. ࢀߟࢿྉ • The magic of LD_PRELOAD for Userland Rootkits |

    FlUxIuS' Blog (http:// fluxius.handgrep.se/2011/10/31/the-magic-of-ld_preload-for-userland- rootkits/) • ΤϯλʔϓϥΠζɿୈ5ճɹkernel rootkitͷ֓ཁ (http://www.itmedia.co.jp/ enterprise/0306/10/epn12.html) • ˏITɿΠϯγσϯτϨεϙϯε͸͡ΊͷҰา ୈ4ճ ৵ೖऀ͕࢓ֻ͚ΔLKM rootkit ͷ࣮৘ (http://www.atmarkit.co.jp/fsecurity/rensai/rootkit04/rootkit02.html) • The Horse Pill Rootkit vs. Forcepoint Threat Protection for Linux | Forcepoint (https://blogs.forcepoint.com/security-labs/horse-pill-rootkit-vs-forcepoint- threat-protection-linux)

  20. ղੳʹ໾ཱͭࢿྉ Linux Rootkit Detection With OSSEC • https://www.sans.org/reading-room/whitepapers/detection/rootkit- detection-ossec-34555 •

    OSSECʹΑΔRootkitݕग़ʹ͍ͭͯॻ͔ΕͨSANS͕ग़͍ͯ͠Δࢿྉ Malware memory analysis of the Jynx2 Linux rootkit (Part 1) • http://www.dtic.mil/get-tr-doc/pdf?AD=AD1004190 • VolatilityΛ࢖ͬͯJynx2ͷϝϞϦμϯϓΛղੳ͢ΔDRDC(Χφμ๷Ӵݚڀ։ ൃ)ͷࢿྉ