f0rb1dd3n
commented
6 years ago @nbulischeck, thank you for reporting that. I did some changes, can you test please?
Closed nbulischeck closed 5 years ago
f0rb1dd3n
commented
6 years ago @nbulischeck, thank you for reporting that. I did some changes, can you test please?
nbulischeck
commented
6 years ago I apologize for the delay in testing your quick fix.
I just tested it on Linux 4.17.2-1-ARCH and it worked really well!
It had some slight bugs like kernel panicking as soon as I inserted the module, absolutely annihilating my kernel to the point where it wouldn't mount my /boot partition after rebooting from the kernel panic because the ext4 module wouldn't be inserted (in fact no modules were inserted into the kernel), kernel panicking for the second time when trying to remove it in emergency-mode, and lastly requiring me to rebuild my kernel from a live cd.
You did ultimately fix the compilation issue, which I suppose was the goal, however I believe there are some unintended side effects of the module as it stands. Best of luck in your future development!
f0rb1dd3n
commented
6 years ago @nbulischeck
so, do you have any dump or stacktrace of the kernel panicks? I apologize that you have to reinstall your kernel. I recommend always test it in a VM that you can restore snapshots. Reptile was under development, and it got some bugs. Now I have tested in most of distros (centOS 6 and 7, fedora, ubuntu, debian, e etc) and it is stable working fine. So if you got some bug or panicks, let me know to make this rootkit more stable.
thanks your reporting,
403
nbulischeck
commented
6 years ago @f0rb1dd3n
Unfortunately I wasn't testing in a VM as I haven't had a LKM cause that much damage before. I agree I should have been testing in one. Unfortunately, I wasn't in the best state to capture the backtraces, but upon removal of the module I received:
RIP: 0010:panic+0x201/0x247
RAX: 0x56
RDX: 0x0
RSI: 0x1
...
do_exit.cold.4
? __do_page_fault
do_group_exit
__x64_sys_exit_group
do_syscall_64
entry_SYSCALL_64_after_hwframesorry man, in some old commits, Reptile wasn't stable. And maybe in your version of kernel too.
about this kind of backtrace, you appears to didnt get crash with reptile. But, I don't know what FLAGs are you compiling your kernel and what kind of ambient have you installed. I just tested on default configuration of the main distros of Linux. The most actual kernel I have tested is on last updated Fedora with kernel 4.16.+
But even you got a bad experience with that, I invite you to install a Virtual Machine and test it, maybe use.
thx,
403
Also, from my testing, syscall hooking no longer works in 4.17 so finding a way around that will be fun. Tested the same basic directory hiding code that worked on 4.16.13 on 4.17 and it no longer works.