LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-04-2010, 05:12 AM   #1
Evinp
LQ Newbie
 
Registered: Jan 2010
Posts: 3

Rep: Reputation: 0
Tainting with the linux kernel


Hello,


Quote:
alexander@osiris:~$ uname -a
Linux osiris 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:04:26 UTC 2009 i686 GNU/Linux
I tried to change the sys_call_address to another location in memory.
The result was an OOPS!

sys_call_address is of course not exported, so I found it using:
Quote:
grep sys_call_table /boot/System.map-2.6.31-14-generic
c0577150 R sys_call_table
My kernel prog looks like:
Code:
#include <linux/string.h> 
#include <linux/smp_lock.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/file.h>
#include <linux/fs.h>
#include <linux/sched.h>
#include <linux/syscalls.h>
#include <linux/time.h>
#include <asm/unistd.h>
#include <linux/version.h>
#include <linux/errno.h>
#include <linux/dcache.h>
#include <linux/mm.h>
#include <asm/uaccess.h>
#include <asm/string.h>
#define __KERNEL_SYSCALLS__
#include <linux/dirent.h>
#include <linux/fcntl.h>
 
MODULE_LICENSE("GPL");
MODULE_AUTHOR("bli bla blu");



void** sys_call_table = (void**)0xc0577150; 
int (*orig_mkdir)(const char *path); 


int hacked_mkdir(const char *path) 
{ 
	return 0; 
} 

static int __init readlog_init(void) 
{ 
	printk("\n addr: " "%p", sys_call_table);

	orig_mkdir = sys_call_table[__NR_mkdir]; 
	sys_call_table[__NR_mkdir] = hacked_mkdir; 

	printk("\n I am still here \n");

	return 0; 
} 

static void __exit readlog_exit(void)
{ 
	sys_call_table[__NR_mkdir] = orig_mkdir; 
}



module_init(readlog_init);
module_exit(readlog_exit);
Quote:
alexander@osiris:~/Desktop/Vorträge/kernel-exp/fuck$ sudo insmod test.ko
Killed
The result is something like:
Quote:
dmesg

[67385.389666]
[67385.389669] addr: c0577150
[67385.389693] BUG: unable to handle kernel paging request at c05771ec
[67385.389701] IP: [<e078302c>] readlog_init+0x2c/0x46 [test]
[67385.389714] *pde = 1e22f063 *pte = 00577161
[67385.389723] Oops: 0003 [#3] SMP
[67385.389731] last sysfs file: /sys/devices/LNXSYSTM:00/device:00/PNP0C0A:00/power_supply/BAT0/voltage_now
[67385.389739] Modules linked in: test(+) fuck9(P+) fuck(+) arc4 lib80211_crypt_wep cbc aes_i586 aes_generic ecb binfmt_misc ppdev vboxnetflt vboxnetadp vboxdrv snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_dummy snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event dm_crypt snd_seq snd_timer pcmcia snd_seq_device iptable_filter tifm_sd joydev ipw2200 yenta_socket tifm_7xx1 ip_tables snd psmouse libipw rsrc_nonstatic x_tables lib80211 soundcore serio_raw pcmcia_core tifm_core lp nvidia(P) sony_laptop snd_page_alloc parport ohci1394 ieee1394 e100 mii video output intel_agp agpgart
[67385.389851]
[67385.389859] Pid: 7944, comm: insmod Tainted: P D (2.6.31-14-generic #48-Ubuntu) VGN-FS115M
[67385.389867] EIP: 0060:[<e078302c>] EFLAGS: 00210296 CPU: 0
[67385.389875] EIP is at readlog_init+0x2c/0x46 [test]
[67385.389881] EAX: c0577150 EBX: fffffffc ECX: ffffffcc EDX: c01f29a0
[67385.389888] ESI: e0780340 EDI: 00000000 EBP: c3335f5c ESP: c3335f54
[67385.389894] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[67385.389902] Process insmod (pid: 7944, ti=c3334000 task=de188000 task.ti=c3334000)
[67385.389907] Stack:
[67385.389911] e0780044 c0577150 c3335f88 c010112c e0780340 c0750a50 fffffffc e0780340
[67385.389926] <0> 00347ff4 e0783000 fffffffc e0780340 00347ff4 c3335fac c0173751 c5110738
[67385.389942] <0> de188000 c5110700 00000004 09c57018 09c57018 00004000 c3334000 c010336c
[67385.389960] Call Trace:
[67385.389972] [<c010112c>] ? do_one_initcall+0x2c/0x190
[67385.389982] [<e0783000>] ? readlog_init+0x0/0x46 [test]
[67385.389994] [<c0173751>] ? sys_init_module+0xb1/0x1f0
[67385.390003] [<c010336c>] ? syscall_call+0x7/0xb
[67385.390008] Code: 89 e5 83 ec 08 a1 28 03 78 e0 c7 04 24 44 00 78 e0 89 44 24 04 e8 e9 b3 de df a1 28 03 78 e0 8b 90 9c 00 00 00 89 15 9c 04 78 e0 <c7> 80 9c 00 00 00 00 00 78 e0 c7 04 24 4f 00 78 e0 e8 c2 b3 de
[67385.390096] EIP: [<e078302c>] readlog_init+0x2c/0x46 [test] SS:ESP 0068:c3335f54
[67385.390108] CR2: 00000000c05771ec
[67385.390116] ---[ end trace 4c2f5142834c75aa ]---

Anybody have any ideas?
Thx for your help!


Greets
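Read as a forensic artefact rather than a bug to work around, the oops quoted in the post tells the defender quite a lot; the following added example (not the poster's code) parses the dmesg lines above into the faulting module and symbol, the x86 page-fault error code, per-module state letters and the taint letters, and computes which table slot the write hit. Oops: 0003 decodes to a write to a page that is present, i.e. a protection fault rather than an unmapped address, and (0xc05771ec - 0xc0577150)/4 = 39 is __NR_mkdir on i386, matching the 0x9c offset in the "Code:" bytes. The taint table is an abbreviation of the kernel's tainted-kernels documentation and the sample module list is abridged from the post.

```python
import re
# Taint letters of the "Tainted:" field (kernel tainted-kernels documentation, abbreviated).
TAINT_FLAGS = {
    "P": "proprietary (non-GPL) module loaded",
    "F": "module force-loaded",
    "R": "module force-unloaded",
    "D": "kernel died recently (Oops or BUG)",
    "W": "kernel warning issued",
    "O": "out-of-tree module loaded",
    "E": "unsigned module loaded",
}
# Suffix letters on "Modules linked in:" entries, e.g. test(+) or nvidia(P).
MODULE_STATE = {"+": "loading", "-": "unloading", "P": "proprietary", "F": "force-loaded"}
TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # dmesg timestamp prefix

def parse_oops(dmesg):
    """Extract the forensically useful fields of an x86-32 oops report."""
    info = {"taint": {}, "modules": {}}
    for raw in dmesg.splitlines():
        line = TS.sub("", raw).strip()
        if m := re.match(r"addr: ([0-9a-f]+)", line):  # the module's own printk of the table base
            info["table_addr"] = int(m.group(1), 16)
        if m := re.match(r"BUG: unable to handle kernel paging request at ([0-9a-f]+)", line):
            info["fault_addr"] = int(m.group(1), 16)
        if m := re.match(r"IP: \[<[0-9a-f]+>\] (\S+) \[(\w+)\]", line):
            info["symbol"], info["module"] = m.group(1), m.group(2)
        if m := re.match(r"Oops: ([0-9a-f]{4})", line):
            code = int(m.group(1), 16)                # x86 page-fault error code
            info["page_present"] = bool(code & 0x1)   # bit 0: page mapped, so a protection fault
            info["write_fault"] = bool(code & 0x2)    # bit 1: the access was a write
        if m := re.match(r"Modules linked in: (.*)", line):
            for tok in m.group(1).split():
                name, _, flags = tok.partition("(")
                info["modules"][name] = [MODULE_STATE.get(c, c) for c in flags.rstrip(")")]
        if m := re.search(r"Tainted: ([A-Z ]+?) \(", line):
            info["taint"] = {c: TAINT_FLAGS.get(c, "unknown") for c in m.group(1).split()}
    if "fault_addr" in info and "table_addr" in info:
        # table slot hit by the write: 4-byte pointers on i386; slot 39 is __NR_mkdir there
        info["slot"] = (info["fault_addr"] - info["table_addr"]) // 4
    return info

# Oops lines taken from the post above (module list abridged).
SAMPLE = """\
[67385.389669] addr: c0577150
[67385.389693] BUG: unable to handle kernel paging request at c05771ec
[67385.389701] IP: [<e078302c>] readlog_init+0x2c/0x46 [test]
[67385.389723] Oops: 0003 [#3] SMP
[67385.389739] Modules linked in: test(+) arc4 nvidia(P) sony_laptop
[67385.389859] Pid: 7944, comm: insmod Tainted: P D (2.6.31-14-generic #48-Ubuntu) VGN-FS115M
"""
```

The "P" taint is explained by the nvidia(P) entry in the module list, and "D" was set by the earlier oopses of the same machine (this is "[#3]").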
 
Old 01-04-2010, 03:35 PM   #2
Evinp
LQ Newbie
 
Registered: Jan 2010
Posts: 3

Original Poster
Rep: Reputation: 0
Nobody?

I am guessing that the sys_call_table is write-protected?

Quote:
CONFIG_DEBUG_RODATA=y
I guess there are ways to make the sys_call_table rw?

I tried:
Code:
struct page *pg;
pg = virt_to_page(sys_call_table);
set_pages_uc(pg, 1);
But still OOPS...
 
Old 01-04-2010, 06:41 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Evinp View Post
I tried to change the sys_call_address
The only other party to benefit from an exposed sys_call_table is kernel rootkit developers. To nudge benign developers on to solve problems "the right way", Linus forced some changes a long time ago, including shielding the SCT. Asking for help with subverting the kernel to reroute syscalls (regardless of the reason for wanting it), with code or library injection, or with exploiting otherwise can be viewed as a hostile act. As such, any help with it needs to be sought outside of Linuxquestions.org. I'm sorry, but we're just not that kind of forum.

Last edited by unSpawn; 01-04-2010 at 06:44 PM.
 
Old 01-05-2010, 02:50 AM   #4
Evinp
LQ Newbie
 
Registered: Jan 2010
Posts: 3

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn View Post
The only other party to benefit from an exposed sys_call_table is kernel rootkit developers. To nudge benign developers on to solve problems "the right way", Linus forced some changes a long time ago, including shielding the SCT. Asking for help with subverting the kernel to reroute syscalls (regardless of the reason for wanting it), with code or library injection, or with exploiting otherwise can be viewed as a hostile act. As such, any help with it needs to be sought outside of Linuxquestions.org. I'm sorry, but we're just not that kind of forum.
I understand your reasons, but I am sure that my project is legal!
What I am trying to do is create a kernel-based keylogger (I am a sysadmin) with whose help I can see what the users are doing on my system.

Of course I know that it might not be legal without warning the users, so I changed the SSH message to something like: "Keep in mind that this system logs your every command and keystroke! If you do not accept these terms, please log off."

So I guess my actions are ethically correct and legal!
I hope you understand!

Thank you
 
Old 01-05-2010, 11:34 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Evinp, the main point here is that LQ is simply not the right place to get help writing these types of programs. What you're trying to do might be legal, but our members would still be violating the spirit of the LQ Rules if they were to help you with this. As such, I'm closing this thread.
 
Old 01-05-2010, 03:02 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Evinp View Post
What I try to do is, creating a kernel based keylogger
Ah, so that is what
Quote:
Originally Posted by Evinp View Post
~/Desktop/Vorträge/kernel-exp/
suggests. I always thought "Vorträge" meant presentations. Anyway, keyloggers exist, so why create one? Besides, and more importantly, there are other tried and true ways to track users: search this forum for threads about satisfying logging requirements as per PCI-DSS. Read a few of them and then open up a thread if you want to discuss approach or details.
 
  

