mirror of
https://github.com/milabs/awesome-linux-rootkits.git
synced 2025-01-22 05:21:11 -05:00
Update reptile.md
This commit is contained in:
parent
ef694d8bfb
commit
30806e974b
@ -1,14 +1,53 @@
|
||||
# Reptile kernel rootkit details
|
||||
|
||||
https://github.com/f0rb1dd3n/Reptile
|
||||
|
||||
| Feature | Description | Implementation Details |
|
||||
| --- | --- | --- |
|
||||
| Environment | 2.6.x/3.x/4.x (x86) | `sys_call_table` search method is x86-only |
|
||||
| Persistency | /etc/modules or /etc/rc.modules | Boot-time module loading using OS-specific startup files. |
|
||||
| Management interface | `kill(2)` | `sys_call_table[__NR_kill]` |
|
||||
| Altering system (library) behaviour | Hooking of system calls | `sys_call_table` patching using `CR0/WP` |
|
||||
| Hiding (tampering) of file contents | Filtering while reading | `sys_call_table[__NR_read]` |
|
||||
| Hiding of files and directories | Filtering of directory entries | `sys_call_table[__NR_getdents]` `sys_call_table[__NR_getdents64]` |
|
||||
| Hiding of processes and process trees | Filtering of `/proc` | Filtering PID-like numeric entries while listing `/proc`. Hidden tasks are marked using `task->flags \| 0x10000000`. Not able to hide all threads and children of hidden (parent) process. |
|
||||
| Detection evasion | Hides own components | Hide files, unlinks module from `module_list`, alters contents of startup files while reading. |
|
||||
|
||||
## Environment
|
||||
|
||||
- Linux kernel 2.6.x/3.x/4.x
|
||||
- x86 (`sys_call_table` search method is x86-only)
|
||||
|
||||
## Persistency
|
||||
|
||||
Boot-time module loading using OS-specific startup files:
|
||||
- /etc/modules
|
||||
- /etc/rc.modules
|
||||
|
||||
## Detection evasion
|
||||
|
||||
Rootkit is trying to evade from detection by:
|
||||
- hiding of own files
|
||||
- hiding of kernel module by unlinking from `module_list`
|
||||
- tampering contents of startup files while reading
|
||||
|
||||
## Management interface
|
||||
|
||||
Implemented via `kill(2)` by hooking `sys_call_table[__NR_kill]` entry. Supported commands are:
|
||||
- hiding/unhiding processes
|
||||
- hiding/unhiding rootkit's module
|
||||
- enabling/disabling of tampering file content function
|
||||
- gaining root priveleges to calling process
|
||||
|
||||
## Altering system (library) behaviour
|
||||
|
||||
Hooking of system calls by patching syscall-handlers in `sys_call_table[]`.
|
||||
|
||||
To write to read-only page `CR0/WP` technique used (x86-only).
|
||||
|
||||
## Hiding (tampering) of file contents
|
||||
|
||||
Filtering of file content while reading by hooking:
|
||||
- `sys_call_table[__NR_read]`.
|
||||
|
||||
## Hiding of files and directories
|
||||
|
||||
Filtering of directory entries by hoocking:
|
||||
- `sys_call_table[__NR_getdents]`, `sys_call_table[__NR_getdents64]`
|
||||
|
||||
## Hiding of processes and process trees
|
||||
|
||||
Filtering PID-like numeric entries while listing `/proc`.
|
||||
|
||||
Hidden tasks are marked using `task->flags \| 0x10000000`.
|
||||
|
||||
Not able to hide all threads and children of hidden (parent) process.
|
||||
|
Loading…
Reference in New Issue
Block a user