oshaked1 / ghoul

A slippery, elusive, wicked rootkit for Linux
GNU General Public License v2.0

Ftrace exposes ghoul #13

Open oshaked1 opened 2 years ago

oshaked1 commented 2 years ago

Ftrace exposes ghoul's functions (and module name) even when it's hidden.

For example, doing the following while ghoul is loaded:

# enable Ftrace
echo function_graph > /sys/kernel/debug/tracing/current_tracer

# interact with ghoul
./ghoulctl.py ping

# read Ftrace output
cat /sys/kernel/debug/tracing/trace_pipe | grep -C 3 ksys_ioctl

Results in the following output:

   1)               |  do_syscall_64() {
   1)               |    __x64_sys_ioctl() {
   1)               |      hook_finish_task_switch [ghoul]() {
   1)               |        ksys_ioctl() {
   1)               |          __fdget() {
   1)   0.581 us    |            __fget_light();
   1)   0.815 us    |          }

This clearly exposes ghoul.

oshaked1 commented 2 years ago

Another way in which Ftrace exposes ghoul is the /sys/kernel/debug/tracing/enabled_functions file. Reading it while ghoul is loaded results in the following output:

finish_task_switch (1) R I      tramp: 0xffffffffc08b7000 (fh_ftrace_thunk+0x0/0x50 [ghoul]) ->fh_ftrace_thunk+0x0/0x50 [ghoul]
do_faccessat (1) R I    tramp: 0xffffffffc08b9000 (fh_ftrace_thunk+0x0/0x50 [ghoul]) ->fh_ftrace_thunk+0x0/0x50 [ghoul]
ksys_ioctl (1) R I      tramp: 0xffffffffc08b5000 (fh_ftrace_thunk+0x0/0x50 [ghoul]) ->fh_ftrace_thunk+0x0/0x50 [ghoul]
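Both comments above describe the same detection opportunity from the defender's side: a module that hides itself from lsmod and /proc/modules still has its callbacks registered with ftrace, and enabled_functions still prints the "[module]" tag next to each callback. The script below is an added example written for this page, not code from ghoul or its author. It parses enabled_functions in the line format shown in the issue, extracts the callback symbol and module tag, and flags any hook whose module is absent from /proc/modules. The sample enabled_functions and /proc/modules text embedded in it is constructed (the ghoul lines are copied from the issue; example_probe, probe_open and the __schedule line are made up), and the line format is assumed to be the one shown above; other kernel versions print enabled_functions slightly differently.

```shell
#!/bin/sh
# Added example (not ghoul's code): flag ftrace callbacks whose module the
# kernel no longer lists. A module that unlinks itself from the module list
# vanishes from /proc/modules and lsmod, but enabled_functions still shows
# the "[module]" tag next to every callback it registered.
#
# Assumed line format (Linux 5.x, as printed in the issue):
#   <func> (<n>) R I  tramp: 0x... (<cb>+0x0/0x50 [<mod>]) -><cb>+0x0/0x50 [<mod>]
# Core-kernel callbacks carry no "[mod]" suffix and are ignored.

TRACEFS=${TRACEFS:-/sys/kernel/debug/tracing}

# Constructed sample: the three ghoul lines from the issue, one hook from a
# hypothetical legitimate module, and one core-kernel callback.
SAMPLE_ENABLED_FUNCTIONS='finish_task_switch (1) R I      tramp: 0xffffffffc08b7000 (fh_ftrace_thunk+0x0/0x50 [ghoul]) ->fh_ftrace_thunk+0x0/0x50 [ghoul]
do_faccessat (1) R I    tramp: 0xffffffffc08b9000 (fh_ftrace_thunk+0x0/0x50 [ghoul]) ->fh_ftrace_thunk+0x0/0x50 [ghoul]
ksys_ioctl (1) R I      tramp: 0xffffffffc08b5000 (fh_ftrace_thunk+0x0/0x50 [ghoul]) ->fh_ftrace_thunk+0x0/0x50 [ghoul]
do_sys_open (1) R I     tramp: 0xffffffffc0a01000 (probe_open+0x0/0x40 [example_probe]) ->probe_open+0x0/0x40 [example_probe]
__schedule (1) R I      tramp: 0xffffffffc0b02000 (ftrace_stub+0x0/0x10) ->ftrace_stub+0x0/0x10'

# Constructed /proc/modules: example_probe is listed, ghoul is not (hidden).
SAMPLE_PROC_MODULES='example_probe 16384 0 - Live 0xffffffffc0a00000'

# stdin: enabled_functions text.
# stdout: "function callback module" for each hook tagged with a module name.
ftrace_module_hooks() {
    awk '$NF ~ /^\[.*\]$/ && $(NF-1) ~ /^->/ {
            mod = $NF;     sub(/^\[/, "", mod); sub(/\]$/, "", mod)
            cb  = $(NF-1); sub(/^->/, "", cb);  sub(/\+0x.*/, "", cb)
            print $1, cb, mod
        }'
}

# stdin: /proc/modules text. stdout: one module name per line.
listed_modules() {
    awk '{ print $1 }'
}

# $1: newline-separated names of the modules the kernel admits to.
# stdin: output of ftrace_module_hooks.
# stdout: one line per hook whose module is missing from that list.
hidden_module_hooks() {
    listed=$1
    while read -r func cb mod; do
        if ! printf '%s\n' "$listed" | grep -qx -- "$mod"; then
            echo "HIDDEN module $mod hooks $func via $cb"
        fi
    done
}

# Run the check against the constructed data (no root needed).
check_sample() {
    printf '%s\n' "$SAMPLE_ENABLED_FUNCTIONS" | ftrace_module_hooks |
        hidden_module_hooks "$(printf '%s\n' "$SAMPLE_PROC_MODULES" | listed_modules)"
}

# Run the check against the live kernel (needs root and a mounted tracefs).
check_live() {
    ftrace_module_hooks < "$TRACEFS/enabled_functions" |
        hidden_module_hooks "$(listed_modules < /proc/modules)"
}

case "${1-}" in
    --sample) check_sample ;;
    --live)   check_live ;;
esac
```

Run it as `sh detect.sh --sample` to see the three ghoul hooks reported and the listed module ignored, or `sudo sh detect.sh --live` on a real host. The check is only as good as the tag ftrace prints: a rootkit that registers its callbacks from core-kernel code, or that patches the symbol lookup used for the "[mod]" suffix, would not be caught by this comparison, so treat a clean result as one signal rather than proof.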