NoviceLive / research-rootkit

LibZeroEvil & the Research Rootkit project.
GNU General Public License v3.0

fsmon hang in kernel 3.10.0 #1

Open Sn0rt opened 8 years ago

Sn0rt commented 8 years ago
➜  ~ git clone https://github.com/NoviceLive/research-rootkit.git
Cloning into 'research-rootkit'...
remote: Counting objects: 247, done.
remote: Total 247 (delta 0), reused 0 (delta 0), pack-reused 247
Receiving objects: 100% (247/247), 48.99 KiB | 48.00 KiB/s, done.
Resolving deltas: 100% (131/131), done.
➜  ~ cd research-rootkit/1-sys_call_table/fsmon
➜  fsmon git:(master) ls
Makefile  fsmon.c  lib
➜  fsmon git:(master) make
make modules \
    --directory "/lib/modules/3.10.0-327.22.2.el7.x86_64/build" \
    M="/root/research-rootkit/1-sys_call_table/fsmon"
make[1]: Entering directory `/usr/src/kernels/3.10.0-327.22.2.el7.x86_64'
  CC [M]  /root/research-rootkit/1-sys_call_table/fsmon/fsmon.o
  CC [M]  /root/research-rootkit/1-sys_call_table/fsmon/lib/lib.o
  LD [M]  /root/research-rootkit/1-sys_call_table/fsmon/fsmonko.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /root/research-rootkit/1-sys_call_table/fsmon/fsmonko.mod.o
  LD [M]  /root/research-rootkit/1-sys_call_table/fsmon/fsmonko.ko
make[1]: Leaving directory `/usr/src/kernels/3.10.0-327.22.2.el7.x86_64'
➜  fsmon git:(master) insmod fsmonko.ko

NoviceLive commented 8 years ago

Thanks for reporting.

However, compatibility with older kernels will be considered only when the author completes most of his schedule.

For the time being, it's recommended to use a virtual machine with a newer kernel, e.g. the latest rolling version of Kali.

That being said, this issue will be investigated later.

Sn0rt commented 8 years ago

Thanks

NoviceLive commented 8 years ago

Hi, I failed to reproduce the issue in a freshly installed CentOS 7 1511 GNOME Desktop upgraded to the latest packages available.

$ uname -r
3.10.0-327.22.2.el7.x86_64

fsmon works as expected.

Can you try to find some relevant logs in /var/log/messages?

NoviceLive commented 8 years ago

If you have kdump enabled as in my installation, try to find some related information in /var/crash.
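The two checks suggested in the preceding comments (grep /var/log/messages for kernel lines about the module, then look under /var/crash if kdump is enabled) scripted as an added example. This is not code from the research-rootkit project or from either participant in the thread. It assumes the module name fsmonko (from the make output in the report), the CentOS 7 default syslog path /var/log/messages, the standard soft-lockup / hung-task / Call Trace kernel messages as hang signatures, and a constructed sample log whose addresses and PIDs are made up.

```shell
#!/bin/sh
# Added triage helper, not part of research-rootkit. Assumptions: the module
# is named "fsmonko" (from the make output in this issue), syslog writes to
# /var/log/messages (CentOS 7 default), and kdump writes under /var/crash.

MODULE="${MODULE:-fsmonko}"

# Kernel-log lines that mention the module or carry a classic hang/crash
# signature (soft lockup, hung task, oops, call trace). $1 = syslog file.
hang_lines() {
    grep 'kernel:' "$1" \
      | grep -E "$MODULE|soft lockup|hung_task|Call Trace|BUG:|Oops|general protection"
}

# Number of such lines; 0 means the log holds nothing useful about the hang.
hang_count() {
    hang_lines "$1" | wc -l | tr -d ' '
}

# Files kdump may have left behind. vmcore-dmesg.txt is the kernel ring buffer
# at crash time and is the first thing to read; vmcore itself needs `crash`.
# $1 = crash directory (default /var/crash). Returns 1 if there is nothing.
list_crash_dumps() {
    dir="${1:-/var/crash}"
    [ -d "$dir" ] || return 1
    found=$(find "$dir" -type f -name 'vmcore*' 2>/dev/null)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Constructed sample of what /var/log/messages could look like around an
# insmod hang; the addresses and PIDs are made up for the example.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jun 21 10:00:01 centos7 systemd: Started Session 3 of user root.
Jun 21 10:00:05 centos7 kernel: fsmonko: loading out-of-tree module taints kernel.
Jun 21 10:00:05 centos7 kernel: fsmonko: module verification failed: signature and/or required key missing - tainting kernel
Jun 21 10:00:30 centos7 kernel: BUG: soft lockup - CPU#0 stuck for 22s! [insmod:1234]
Jun 21 10:00:30 centos7 kernel: Call Trace:
Jun 21 10:00:30 centos7 kernel:  [<ffffffffa0000000>] ? init_module+0x0/0x100 [fsmonko]
Jun 21 10:00:31 centos7 dhclient[800]: DHCPREQUEST on eth0 to 10.0.2.2 port 67
EOF
    echo "$f"
}

# Stand-alone use: ./triage.sh [/var/log/messages]; with no argument it runs
# on the constructed sample so the output format can be seen offline.
if [ "$#" -ge 1 ]; then
    log="$1"
else
    log=$(make_sample_log)
fi
echo "== $(hang_count "$log") suspicious kernel lines in $log =="
hang_lines "$log"
echo "== kdump files =="
list_crash_dumps || echo "none found (kdump disabled, or the box hung without panicking)"
```

A caveat the script makes visible: a soft lockup is logged only because the kernel keeps running enough to write syslog, and kdump only fires on a panic. If the guest simply freezes with nothing in /var/log/messages and nothing in /var/crash, setting `kernel.softlockup_panic=1` and `kernel.hung_task_panic=1` via sysctl before the next insmod turns the hang into a panic that kdump can capture.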

Sn0rt commented 8 years ago

Did you install vmware-tools?

NoviceLive commented 8 years ago

No, I am using VirtualBox with VBoxAdditions.

Sn0rt commented 8 years ago

It PASSED when this module was tested on a physical machine. Maybe there is some mistake in VMware Fusion.