Chia-Hao Tsai, profile picture
Uploaded byChia-Hao Tsai
PDF, PPTX634 views

Rootkit 102 - Kernel-Based Rootkit

This document discusses kernel-level rootkits in Linux. It explains that kernel-level rootkits are more robust than user-space rootkits because they can hide processes and prevent system crashes or reboots from revealing the intrusion. It then provides steps for creating a trivial kernel-based rootkit, including loading a kernel module, hooking a system call like getdent64, and overcoming challenges around locating the sys_call_table and modifying kernel memory. The document suggests some new techniques rootkits could use beyond just syscall hooking, and concludes by thanking the reader.

Embed presentation

Download as PDF, PPTX
Rootkit 102 cmj @ 2015 1
Kernel-Level Rootkit 2
concept Cheat and Robust enough 3
Program Bugs User-Space rootkit • process hand, not workable or dead • no one find abnormal Kernel-Space rootkit • system crash • reboot • … etc 4
Robust is more important than you expected 5
Otherwise, you are attacking the system 6
Linux Kernel from linux-2.6.x to linux-3.17.x 1. You should know the target kernel version 2. method may significant difference between version and platform 7
Trivial Kernel-Based Rootkit 8
Flow 1. Create a loadable-kernel-module) 2. Decide which syscall you what to hook 3. Implement and debug 9
Flow 1. Create a loadable-kernel-module) - Overcome by yourself 2. Decide which syscall you what to hook 3. Implement and debug - Overcome by yourself 10
Hook Syscall Concept 1. Find the address of the sys_call_table or syscall 2. Replace the registered syscall 11
sys_call_table 1. Easily way 2. Normal way 3. Violent way 12
sys_call_table 1. Easily way - Find it out in System.map 2. Normal way 3. Violent way 13
System.map 14
sys_call_table 1. Easily way - Find it out in System.map 2. Normal way - Dump on /proc/kallsyms 3. Violent way 15
/proc/kallsyms 16
sys_call_table 1. Easily way - Find it out in System.map 2. Normal way - Dump on /proc/kallsyms 3. Violent way - Force search all kernel-level memory 17
Brust-Force Search 18
Memory usage in kernel-space • 0xC0000000 - 0xF0000000 • Using export syscall function • Not always, need to consider the linux version … 19
Hook getdent64 20
MileStone • Should we always need to replace the syscall - clue in kallsyms • Should LKM can modified the memory - write protect 21
New tricks,New rootkit 22
You also can hijack • callback fn - syscall hijack • data - link-list struct used in kernel • memory - direct modify data online • … etc 23
Thanks for your attention ~ 24

More Related Content

PDF
Rootkit 101 - 2nd Edition
byChia-Hao Tsai
 
PDF
Chw00t: How to break out from various chroot solutions
byBalazs Bucsay
 
PDF
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
byinaz2
 
PDF
Chw00t: Breaking unices’ chroot solutions
byPositive Hack Days
 
PDF
Kernel Recipes 2013 - Kernel for your device
byAnne Nicolas
 
PDF
Linux advanced privilege escalation
byJameel Nabbo
 
PDF
Is rust language really safe?
byNullbyte Security Conference
 
PDF
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)
byinaz2
 
Rootkit 101 - 2nd Edition
byChia-Hao Tsai
 
Chw00t: How to break out from various chroot solutions
byBalazs Bucsay
 
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
byinaz2
 
Chw00t: Breaking unices’ chroot solutions
byPositive Hack Days
 
Kernel Recipes 2013 - Kernel for your device
byAnne Nicolas
 
Linux advanced privilege escalation
byJameel Nabbo
 
Is rust language really safe?
byNullbyte Security Conference
 
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)
byinaz2
 

What's hot

PDF
About linux-english
byShota Ito
 
PDF
NSC #2 - Challenge Solution
byNoSuchCon
 
PPTX
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
byShota Shinogi
 
PDF
Aide 2014 - Fundamentals of Linux Privilege Escalation
bynullthreat
 
PDF
Check Your Privilege (Escalation)
byBishop Fox
 
PDF
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
byRootedCON
 
PPTX
Find the Hacker
bySysdig
 
PDF
Linux Kernel - Let's Contribute!
byLevente Kurusa
 
PPTX
ShinoBOT Suite
byShota Shinogi
 
PPTX
From 'dotnet run' to 'hello world'
byMatt Warren
 
PPTX
Death matchtournament del2014
byNabil Munawar
 
PDF
Modern Evasion Techniques
byJason Lang
 
PDF
Exploiting Llinux Environment
byEnrico Scapin
 
PPTX
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
byAndrew Case
 
PPTX
Fundamentals of Linux Privilege Escalation
bynullthreat
 
PDF
Hacking the Gateways
byOnur Alanbel
 
DOC
Appsdba interview question
byDeepti Singh
 
PDF
Kernel Recipes 2015 - Hardened kernels for everyone
byAnne Nicolas
 
PDF
Distro Recipes 2013 : Upstream management and consequences on the distributi...
byAnne Nicolas
 
PDF
Kernel Recipes 2018 - KernelShark 1.0; What's new and what's coming - Steven ...
byAnne Nicolas
 
About linux-english
byShota Ito
 
NSC #2 - Challenge Solution
byNoSuchCon
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
byShota Shinogi
 
Aide 2014 - Fundamentals of Linux Privilege Escalation
bynullthreat
 
Check Your Privilege (Escalation)
byBishop Fox
 
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
byRootedCON
 
Find the Hacker
bySysdig
 
Linux Kernel - Let's Contribute!
byLevente Kurusa
 
ShinoBOT Suite
byShota Shinogi
 
From 'dotnet run' to 'hello world'
byMatt Warren
 
Death matchtournament del2014
byNabil Munawar
 
Modern Evasion Techniques
byJason Lang
 
Exploiting Llinux Environment
byEnrico Scapin
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
byAndrew Case
 
Fundamentals of Linux Privilege Escalation
bynullthreat
 
Hacking the Gateways
byOnur Alanbel
 
Appsdba interview question
byDeepti Singh
 
Kernel Recipes 2015 - Hardened kernels for everyone
byAnne Nicolas
 
Distro Recipes 2013 : Upstream management and consequences on the distributi...
byAnne Nicolas
 
Kernel Recipes 2018 - KernelShark 1.0; What's new and what's coming - Steven ...
byAnne Nicolas
 

Viewers also liked

PPTX
A particle filter based scheme for indoor tracking on an Android Smartphone
byDivye Kapoor
 
PDF
Kernel Recipes 2015: The stable Linux Kernel Tree - 10 years of insanity
byAnne Nicolas
 
PPTX
Cybermania Prelims
byDivye Kapoor
 
PDF
Linux performance
byWill Sterling
 
PPTX
Cybermania Mains
byDivye Kapoor
 
PPTX
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
byAndrew Case
 
ODP
Linux Internals - Kernel/Core
byShay Cohen
 
PDF
The TCP/IP stack in the FreeBSD kernel COSCUP 2014
byKevin Lo
 
PDF
LAS16-403 - GDB Linux Kernel Awareness
byPeter Griffin
 
PDF
The Linux Kernel Implementation of Pipes and FIFOs
byDivye Kapoor
 
PDF
Rootkit on Linux X86 v2.6
byfisher.w.y
 
PDF
Linux Kernel Exploitation
byScio Security
 
PDF
Part 04 Creating a System Call in Linux
byTushar B Kute
 
PPTX
了解网络
byFeng Yu
 
PPT
Debugging Applications with GNU Debugger
byPriyank Kapadia
 
PPTX
了解Cpu
byFeng Yu
 
PDF
Part 02 Linux Kernel Module Programming
byTushar B Kute
 
PDF
The Stack Frame
byIvo Marinkov
 
PPTX
Linux Kernel Tour
bysamrat das
 
PPTX
Ethernet and TCP optimizations
byJeff Squyres
 
A particle filter based scheme for indoor tracking on an Android Smartphone
byDivye Kapoor
 
Kernel Recipes 2015: The stable Linux Kernel Tree - 10 years of insanity
byAnne Nicolas
 
Cybermania Prelims
byDivye Kapoor
 
Linux performance
byWill Sterling
 
Cybermania Mains
byDivye Kapoor
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
byAndrew Case
 
Linux Internals - Kernel/Core
byShay Cohen
 
The TCP/IP stack in the FreeBSD kernel COSCUP 2014
byKevin Lo
 
LAS16-403 - GDB Linux Kernel Awareness
byPeter Griffin
 
The Linux Kernel Implementation of Pipes and FIFOs
byDivye Kapoor
 
Rootkit on Linux X86 v2.6
byfisher.w.y
 
Linux Kernel Exploitation
byScio Security
 
Part 04 Creating a System Call in Linux
byTushar B Kute
 
了解网络
byFeng Yu
 
Debugging Applications with GNU Debugger
byPriyank Kapadia
 
了解Cpu
byFeng Yu
 
Part 02 Linux Kernel Module Programming
byTushar B Kute
 
The Stack Frame
byIvo Marinkov
 
Linux Kernel Tour
bysamrat das
 
Ethernet and TCP optimizations
byJeff Squyres
 

Similar to Rootkit 102 - Kernel-Based Rootkit

PDF
Linux kernel-rootkit-dev - Wonokaerun
byidsecconf
 
PDF
CODE BLUE 2014 : BadXNU, A rotten apple! by PEDRO VILAÇA
byCODE BLUE
 
PPTX
Presentation 6_informations security.pptx
byanus2021
 
PDF
Operating-Systems-Network-System-Lecture 2.pdf
bynathanaelcheramlak
 
PDF
Cigarette VS Bubble Gum
byNaruenart
 
PDF
A methodology to detect and characterize kernel level rootkit exploits involv...
byUltraUploader
 
PPTX
Operating system enhancements to prevent misuse of systems
byDayal Dilli
 
ODP
[Defcon] Hardware backdooring is practical
byMoabi.com
 
PDF
Wonder walk in Rootkit Land by Himanshu Khokhar
byOWASP Delhi
 
PDF
Confraria SECURITY & IT - Lisbon Set 29, 2011
byricardomcm
 
PDF
Rootkit on linux_x86_v2.6
byscuhurricane
 
PDF
Linux seccomp(2) vs OpenBSD pledge(2)
byGiovanni Bechis
 
Linux kernel-rootkit-dev - Wonokaerun
byidsecconf
 
CODE BLUE 2014 : BadXNU, A rotten apple! by PEDRO VILAÇA
byCODE BLUE
 
Presentation 6_informations security.pptx
byanus2021
 
Operating-Systems-Network-System-Lecture 2.pdf
bynathanaelcheramlak
 
Cigarette VS Bubble Gum
byNaruenart
 
A methodology to detect and characterize kernel level rootkit exploits involv...
byUltraUploader
 
Operating system enhancements to prevent misuse of systems
byDayal Dilli
 
[Defcon] Hardware backdooring is practical
byMoabi.com
 
Wonder walk in Rootkit Land by Himanshu Khokhar
byOWASP Delhi
 
Confraria SECURITY & IT - Lisbon Set 29, 2011
byricardomcm
 
Rootkit on linux_x86_v2.6
byscuhurricane
 
Linux seccomp(2) vs OpenBSD pledge(2)
byGiovanni Bechis
 

More from Chia-Hao Tsai

PDF
[2019.05] HST - RegEx 101 ~ 1001
byChia-Hao Tsai
 
PDF
[2019.02.16] hst - orm
byChia-Hao Tsai
 
PDF
[2019.01.12] hst iptables 101 to 301
byChia-Hao Tsai
 
PDF
[2018.12.15] hst python object 102
byChia-Hao Tsai
 
PDF
[2018.11.16] Python Object 101
byChia-Hao Tsai
 
PDF
[2017.03.18] hst binary training part 1
byChia-Hao Tsai
 
PDF
ELF 101
byChia-Hao Tsai
 
PDF
Maker - WiFi AP
byChia-Hao Tsai
 
PDF
Learn Python in 30 min - 4
byChia-Hao Tsai
 
PDF
Learn python in 30 min - 3
byChia-Hao Tsai
 
PDF
Learn python 2 - Real World Case
byChia-Hao Tsai
 
PDF
Learn python 1
byChia-Hao Tsai
 
PDF
HoneyCon 2014
byChia-Hao Tsai
 
PDF
Passwd crack introduction
byChia-Hao Tsai
 
PDF
Security coding c and c++ ch8(2)
byChia-Hao Tsai
 
PDF
Security coding c and c++ ch8 (1)
byChia-Hao Tsai
 
PDF
Build web server
byChia-Hao Tsai
 
PDF
Rootkit tw(0224)
byChia-Hao Tsai
 
[2019.05] HST - RegEx 101 ~ 1001
byChia-Hao Tsai
 
[2019.02.16] hst - orm
byChia-Hao Tsai
 
[2019.01.12] hst iptables 101 to 301
byChia-Hao Tsai
 
[2018.12.15] hst python object 102
byChia-Hao Tsai
 
[2018.11.16] Python Object 101
byChia-Hao Tsai
 
[2017.03.18] hst binary training part 1
byChia-Hao Tsai
 
ELF 101
byChia-Hao Tsai
 
Maker - WiFi AP
byChia-Hao Tsai
 
Learn Python in 30 min - 4
byChia-Hao Tsai
 
Learn python in 30 min - 3
byChia-Hao Tsai
 
Learn python 2 - Real World Case
byChia-Hao Tsai
 
Learn python 1
byChia-Hao Tsai
 
HoneyCon 2014
byChia-Hao Tsai
 
Passwd crack introduction
byChia-Hao Tsai
 
Security coding c and c++ ch8(2)
byChia-Hao Tsai
 
Security coding c and c++ ch8 (1)
byChia-Hao Tsai
 
Build web server
byChia-Hao Tsai
 
Rootkit tw(0224)
byChia-Hao Tsai
 

Recently uploaded

PPTX
Detecting Bad Apples: Understanding macOS Malware TTPs by Surya Teja
byCysinfo Cyber Security Community
 
PPTX
Invisible protection against AI training - Poison Pill
byPoison Pill
 
PDF
SiyanoAV Endpoint Security: Advanced Multi-Layered Protection for Every Organ...
byyogeshchauhanoffice
 
DOCX
Tableau Alternative Offers the Best Data Visualization Experience.docx
byVarsha Nayak
 
PDF
Startup Core Architecture: A Simple Practical Guide
byShiv Technolabs Pvt. Ltd.
 
PPTX
Wired_AnalyticsTraineeship_13112025_clean.pptx
bySimonedeGijt
 
PDF
6 Hotel Booking Trends You Can’t Ignore in 2025.pdf
byHotelogix
 
PDF
Free Versus Paid Enterprise IT Monitoring Tools
byEvaMariaBraun1
 
PDF
Enterprise Reporting Made Easy for Actionable Project Insights.pdf
byOrangescrum
 
PDF
Convolutional Neural Networks(CNN) and Computer Vision
byadityasiwach20
 
DOCX
Top Cloud Migration Services for Digital Growth
byAppSquadz Software Pvt.ltd.
 
PPTX
Communicating Software Architecture using Arc42 v1.1
byAshraf Fouad
 
PDF
vMix Overview & Key Features Easily Produce, Record and Live Stream
byIGM Soraing
 
PDF
The future of software delivery is agentic
byMaxim Salnikov
 
PDF
How to do Portable Applicance Testing: example
byMaheswararajJ
 
PPTX
Attacking and Defending AI by Adity Roy and Nikita Biradar
byCysinfo Cyber Security Community
 
PPTX
Real-Time AI Voice Agents over WebRTC - A Practical Playbook
byAlberto González Trastoy
 
PDF
Comprehensive Windows protection with SiyanoAV Total Security — fast, smart, ...
byyogeshchauhanoffice
 
DOCX
Unit 1 - Machine Learning Basics AUCE.docx
byMOSIUOA WESI
 
PPTX
Enhance Workplace Safety with EHA Good Catch System
byEHA Soft Solutions
 
Detecting Bad Apples: Understanding macOS Malware TTPs by Surya Teja
byCysinfo Cyber Security Community
 
Invisible protection against AI training - Poison Pill
byPoison Pill
 
SiyanoAV Endpoint Security: Advanced Multi-Layered Protection for Every Organ...
byyogeshchauhanoffice
 
Tableau Alternative Offers the Best Data Visualization Experience.docx
byVarsha Nayak
 
Startup Core Architecture: A Simple Practical Guide
byShiv Technolabs Pvt. Ltd.
 
Wired_AnalyticsTraineeship_13112025_clean.pptx
bySimonedeGijt
 
6 Hotel Booking Trends You Can’t Ignore in 2025.pdf
byHotelogix
 
Free Versus Paid Enterprise IT Monitoring Tools
byEvaMariaBraun1
 
Enterprise Reporting Made Easy for Actionable Project Insights.pdf
byOrangescrum
 
Convolutional Neural Networks(CNN) and Computer Vision
byadityasiwach20
 
Top Cloud Migration Services for Digital Growth
byAppSquadz Software Pvt.ltd.
 
Communicating Software Architecture using Arc42 v1.1
byAshraf Fouad
 
vMix Overview & Key Features Easily Produce, Record and Live Stream
byIGM Soraing
 
The future of software delivery is agentic
byMaxim Salnikov
 
How to do Portable Applicance Testing: example
byMaheswararajJ
 
Attacking and Defending AI by Adity Roy and Nikita Biradar
byCysinfo Cyber Security Community
 
Real-Time AI Voice Agents over WebRTC - A Practical Playbook
byAlberto González Trastoy
 
Comprehensive Windows protection with SiyanoAV Total Security — fast, smart, ...
byyogeshchauhanoffice
 
Unit 1 - Machine Learning Basics AUCE.docx
byMOSIUOA WESI
 
Enhance Workplace Safety with EHA Good Catch System
byEHA Soft Solutions
 

Rootkit 102 - Kernel-Based Rootkit