Awesome-Mirrors
/
awesome-linux-rootkits
mirror of https://github.com/milabs/awesome-linux-rootkits.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update reptile.md

This commit is contained in:
Ilya V. Matveychikov 2018-07-02 20:14:03 +04:00 committed by GitHub
parent ef694d8bfb
commit 30806e974b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 50 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
details/reptile.md
View File

@ -1,14 +1,53 @@
# Reptile kernel rootkit details
https://github.com/f0rb1dd3n/Reptile
| Feature | Description | Implementation Details |
| --- | --- | --- |
| Environment | 2.6.x/3.x/4.x (x86) | `sys_call_table` search method is x86-only |
| Persistency | /etc/modules or /etc/rc.modules | Boot-time module loading using OS-specific startup files. |
| Management interface | `kill(2)` | `sys_call_table[__NR_kill]` |
| Altering system (library) behaviour | Hooking of system calls | `sys_call_table` patching using `CR0/WP` |
| Hiding (tampering) of file contents | Filtering while reading | `sys_call_table[__NR_read]` |
| Hiding of files and directories | Filtering of directory entries | `sys_call_table[__NR_getdents]` `sys_call_table[__NR_getdents64]` |
| Hiding of processes and process trees | Filtering of `/proc` | Filtering PID-like numeric entries while listing `/proc`. Hidden tasks are marked using `task->flags \| 0x10000000`. Not able to hide all threads and children of hidden (parent) process. |
| Detection evasion | Hides own components | Hide files, unlinks module from `module_list`, alters contents of startup files while reading. |
## Environment
- Linux kernel 2.6.x/3.x/4.x
- x86 (`sys_call_table` search method is x86-only)
## Persistency
Boot-time module loading using OS-specific startup files:
- /etc/modules
- /etc/rc.modules
## Detection evasion
Rootkit is trying to evade from detection by:
- hiding of own files
- hiding of kernel module by unlinking from `module_list`
- tampering contents of startup files while reading
## Management interface
Implemented via `kill(2)` by hooking `sys_call_table[__NR_kill]` entry. Supported commands are:
- hiding/unhiding processes
- hiding/unhiding rootkit's module
- enabling/disabling of tampering file content function
- gaining root priveleges to calling process
## Altering system (library) behaviour
Hooking of system calls by patching syscall-handlers in `sys_call_table[]`.
To write to read-only page `CR0/WP` technique used (x86-only).
## Hiding (tampering) of file contents
Filtering of file content while reading by hooking:
- `sys_call_table[__NR_read]`.
## Hiding of files and directories
Filtering of directory entries by hoocking:
- `sys_call_table[__NR_getdents]`, `sys_call_table[__NR_getdents64]`
## Hiding of processes and process trees
Filtering PID-like numeric entries while listing `/proc`.
Hidden tasks are marked using `task->flags \| 0x10000000`.
Not able to hide all threads and children of hidden (parent) process.