alichtman / gardening-starter-pack

Literally a rootkit. (LKM for Linux Kernels 4.14+)
GNU General Public License v3.0

Figure out how the rootkit should work #2

Closed alichtman closed 5 years ago

alichtman commented 5 years ago

Finding the syscall table is something we have to do for all these approaches.

After that, we have some choices.

  1. The easiest approach is to just overwrite certain function pointers in the syscall table to point to our own functions. This is also pretty easy to detect with a syscall table integrity check.

  2. A slightly more complex approach would be to copy the syscall table to a new location and edit only that copy. Then, we would direct the int $0x80 calls to our copy instead of the original by editing the Interrupt Descriptor Table (IDT). This would get around most of the standard integrity checks of the system call table. Found here and in section 5.2.1.1.3. in "A Taxonomy of Software Deceptive Interpretation in the Linux Operating System"

  3. Another approach is to change the value in the IDT register to point to our own IDT table. We'd have to create a replacement IDT and syscall table. This approach is documented in section 5.2.1.1.4. in "A Taxonomy of Software Deceptive Interpretation in the Linux Operating System". This is very easy to detect, since checking the value of the IDT pointer is both easy and can be done from user-space.

Then, we just hook the syscalls we want to mess with: sys_read, sys_write, open, kill
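The syscall-table integrity check mentioned in approach 1, as an added example that is not part of this project: it resolves each table entry through kallsyms-style data and flags entries that point into a module, outside the core text segment, or at a handler other than the expected one. All symbols, addresses and the table snapshot are constructed sample data; as the comment notes, a check like this only inspects the original table, so an edited copy reached through a modified IDT would not be caught by it.

```python
"""Syscall-table integrity check (added example, not the project's code)."""

# Constructed /proc/kallsyms-style lines with made-up addresses.
KALLSYMS = """\
ffffffff81000000 T _stext
ffffffff81234560 T __x64_sys_read
ffffffff81234700 T __x64_sys_write
ffffffff81234900 T __x64_sys_open
ffffffff81235000 T __x64_sys_kill
ffffffff81e00000 T _etext
ffffffffc0a02000 t hooked_kill\t[rk]
"""

# Expected handler per x86-64 syscall number (subset of the real numbering).
EXPECTED = {0: "__x64_sys_read", 1: "__x64_sys_write",
            2: "__x64_sys_open", 62: "__x64_sys_kill"}

# Constructed sys_call_table snapshot (index -> function pointer), as a
# kernel-side checker or debugger would dump it.
TABLE_DUMP = {
    0: 0xffffffff81234560,   # read: intact
    1: 0xffffffff81234900,   # write: tampered, points at another core function
    2: 0xffffffff81234900,   # open: intact
    62: 0xffffffffc0a02000,  # kill: tampered, points into module 'rk'
}

def parse_kallsyms(text):
    """Map address -> (symbol name, module name or None for core kernel)."""
    syms = {}
    for line in text.splitlines():
        parts = line.split()
        module = parts[3].strip("[]") if len(parts) > 3 else None
        syms[int(parts[0], 16)] = (parts[2], module)
    return syms

def check_table(table, syms, expected):
    """Return [(syscall_nr, reason)] for every entry that fails a check."""
    bounds = {name: addr for addr, (name, _) in syms.items()
              if name in ("_stext", "_etext")}
    findings = []
    for nr, target in sorted(table.items()):
        name, module = syms.get(target, ("<unknown>", None))
        if module is not None:
            findings.append((nr, f"points into module {module} ({name})"))
        elif not bounds["_stext"] <= target < bounds["_etext"]:
            findings.append((nr, f"target {target:#x} outside core text"))
        elif name != expected.get(nr, name):
            findings.append((nr, f"handler is {name}, expected {expected[nr]}"))
    return findings
```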

alichtman commented 5 years ago

In my opinion, we should aim for approach 2. I think it'll be detected by fewer rootkit detection suites (the actual answer is in section 8 of the "A Taxonomy of Software Deceptive Interpretation in the Linux Operating System", I just have to double check). Also, approach one seems to have been done for this class already, and we want to do something new.

alichtman commented 5 years ago

Going with khook library, which doesn't modify the syscall table or IDT or IDTR. It modifies the actual function calls themselves, which is pretty clever.