xcellerator / linux_kernel_hacking

Linux Kernel Hacking
GNU General Public License v2.0

Endless loop on sys_mkdir hook (Linux debian 4.19.0-16-amd64) #8

Closed Sargastico closed 3 years ago

Sargastico commented 3 years ago

Hi! I was playing around with the LKMs from the project (which is awesome btw) and I came across a bug while trying to reproduce the hooking of "sys_mkdir" from the code at linux_kernel_hacking/3_RootkitTechniques/3.1_syscall_hooking/rootkit.c (I didn't modify any part of the code)

I made it work in my own repo (you can check my code if you want). I was testing on a VM running Linux Debian 4.19.0-16-amd64, and my hook doesn't use the pt_regs, yet it works. I didn't understand why, because as mentioned in the blog post (and the Linux docs say that this change affects versions 4.17.0 and above):

With (64-bit) kernel version 4.17.0, this changed. The arguments that are first stored in registers by the user are copied into a special struct called pt_regs, and then this is the only thing passed to the syscall. The syscall is then responsible for pulling the arguments it needs out of this struct.

Any idea why this is happening?

here is my dmesg output:

/* more looping stuff */
[  286.237562] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.237575] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.237622] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.237635] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.237688] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.237703] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.237754] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.237767] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.237789] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.237802] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.237849] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.237863] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.237896] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.237912] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.237963] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.237977] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.237999] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.238012] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.238060] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.238073] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.238094] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.238107] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.238154] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.238168] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.238189] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.238202] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.238249] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.238262] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.238453] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.238469] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.238524] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.238537] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.238560] rootkit: Trying to create directory with name: /var/log/journal/d967f76ed69a437e9a38b474a9001292
[  286.238561] rootkit: restoring mkdir syscall
[  286.238564] rootkit: Unloaded :-(
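The pt_regs calling convention quoted above, shown as an added userspace model rather than the project's rootkit.c or any kernel code: the struct layout below is a subset of the real x86-64 struct pt_regs, and the syscall number 83 is the real __NR_mkdir on x86-64, but sys_call_table, fake_sys_mkdir, do_syscall_mkdir and the in-memory directory list are stand-ins invented here so the dispatch-hook-restore sequence can run and be tested without a kernel. The hook keeps the same signature as the 4.17+ table entries, pulls the pathname out of regs->di (first syscall argument) and forwards the unchanged pt_regs pointer to the saved original, which is why a pass-through hook observes the retried mkdir of a path whose parent directory is missing.

```c
/* Added example: userspace model of x86-64 syscall-table hooking with pt_regs.
 * Not the project's rootkit.c; kernel symbols (sys_call_table, strncpy_from_user)
 * are replaced with local stand-ins so this compiles and runs as a normal program. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* Subset of the real x86-64 struct pt_regs: since 4.17 the entry code copies the
 * user registers here and passes only this pointer to the syscall handler. */
struct pt_regs {
    unsigned long r15, r14, r13, r12, bp, bx, r11, r10, r9, r8;
    unsigned long ax, cx, dx, si, di, orig_ax;
    unsigned long ip, cs, flags, sp, ss;
};

/* x86-64 syscall ABI: arguments 0..5 arrive in di, si, dx, r10, r8, r9. */
#define SYSCALL_ARG0(regs) ((regs)->di)
#define SYSCALL_ARG1(regs) ((regs)->si)

typedef long (*sys_call_ptr_t)(const struct pt_regs *);

#define NR_mkdir 83                       /* __NR_mkdir on x86-64 */

static sys_call_ptr_t sys_call_table[512]; /* stand-in for the kernel's table */
static sys_call_ptr_t orig_mkdir;          /* saved original entry */

/* Stand-in filesystem: a directory exists if it was seeded or created here. */
static char created[8][64] = { "/var", "/var/log" };
static int n_created = 2;

static int dir_exists(const char *path)
{
    if (path[0] == '\0')                   /* parent of "/x" is the root */
        return 1;
    for (int i = 0; i < n_created; i++)
        if (strcmp(created[i], path) == 0)
            return 1;
    return 0;
}

/* Stand-in for sys_mkdir: like the real one, fail with -ENOENT if the parent
 * directory does not exist (the situation behind the journald retry loop). */
static long fake_sys_mkdir(const struct pt_regs *regs)
{
    const char *pathname = (const char *)SYSCALL_ARG0(regs);
    unsigned int mode = (unsigned int)SYSCALL_ARG1(regs);
    const char *slash = strrchr(pathname, '/');
    size_t len = slash ? (size_t)(slash - pathname) : 0;
    char parent[64];

    (void)mode;                            /* permissions are not modelled */
    if (len >= sizeof parent || strlen(pathname) >= 64)
        return -ENAMETOOLONG;
    memcpy(parent, pathname, len);
    parent[len] = '\0';
    if (!dir_exists(parent))
        return -ENOENT;
    if (n_created >= 8)
        return -ENOSPC;
    strcpy(created[n_created++], pathname);
    return 0;
}

/* What the hook observed, so a caller can check it. */
static char last_seen[64];
static int hook_calls;

/* The hook has the same prototype as the table entry: one pt_regs pointer. */
static long hook_mkdir(const struct pt_regs *regs)
{
    /* A real module would copy with strncpy_from_user(); here the pointer is
     * an ordinary userspace string, so strncpy is enough for the model. */
    const char *pathname = (const char *)SYSCALL_ARG0(regs);
    strncpy(last_seen, pathname, sizeof last_seen - 1);
    last_seen[sizeof last_seen - 1] = '\0';
    hook_calls++;
    printf("rootkit: Trying to create directory with name: %s\n", last_seen);
    return orig_mkdir(regs);               /* forward the same pt_regs unchanged */
}

void init_table(void) { sys_call_table[NR_mkdir] = fake_sys_mkdir; }
void install_hook(void) { orig_mkdir = sys_call_table[NR_mkdir]; sys_call_table[NR_mkdir] = hook_mkdir; }
void remove_hook(void) { sys_call_table[NR_mkdir] = orig_mkdir; }

/* Stand-in for the syscall entry path: registers are captured into pt_regs and
 * the handler is looked up by orig_ax, exactly as the quoted paragraph describes. */
long do_syscall_mkdir(const char *pathname, unsigned int mode)
{
    struct pt_regs regs;
    memset(&regs, 0, sizeof regs);
    regs.orig_ax = NR_mkdir;
    regs.di = (unsigned long)pathname;     /* arg0: pathname */
    regs.si = mode;                        /* arg1: mode */
    return sys_call_table[regs.orig_ax](&regs);
}

int main(void)
{
    init_table();
    install_hook();
    long r = do_syscall_mkdir("/var/log/journal/abc", 0755);
    printf("mkdir without parent -> %ld (expected -ENOENT = %d)\n", r, -ENOENT);
    do_syscall_mkdir("/var/log/journal", 0755);
    r = do_syscall_mkdir("/var/log/journal/abc", 0755);
    printf("mkdir after creating parent -> %ld\n", r);
    remove_hook();
    return 0;
}
```

The model reproduces the shape of the thread's symptom: while /var/log/journal is absent, every mkdir of a child path returns -ENOENT and the hook logs the same name on each retry; once the parent exists the call succeeds and the log goes quiet.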

xcellerator commented 3 years ago

Hmmm.. This is an interesting one! I've spun up a VM with the same kernel as you and I get the same result. /var/log/journal made me suspicious of systemd, especially that it's trying to create the same file over and over again.

Turns out, on my Debian 10 VM, that /var/log/journal didn't actually exist! After creating that directory, and repeating things, it's much cleaner:

[  831.011747] rootkit: Loaded >:-)
[  831.011751] rootkit: Found the syscall table at 0xffffffffb7800280
[  831.011753] rootkit: mkdir @ 0xffffffffb6e662a0
[  831.011755] rootkit: hooking mkdir syscall
[  831.016731] rootkit: Trying to create directory with name: a
[  831.033894] rootkit: restoring mkdir syscall
[  831.033897] rootkit: Unloaded :-(

Looks like a Debian bug where systemd is installed and running, but the logs folder doesn't exist.

Please let me know if the above fix works for you! Glad you're enjoying the blog series and are writing the modules yourself too!

Sargastico commented 3 years ago

Nice! This works and fixes the issue!