Rootkit 101 - 2nd Edition

cmj @ 2015

1

> rootkit

rootkit is a stealthy type of software, typically malicious, designed to hide some running processes / files / network connections

2

Tamper and Hide

3

Simple Rootkit Design - lv1

• You can cheat the user

• Replace the command used to get resource status

• ls / ps / top / …etc

• You DID NOT exactly tamper the tool, only cheat the user

4

Cheat ls

5

Simple Rootkit Design - lv2

• Replace the tool used to get the resource

• A wrapper of the original tool

• Rebuild the tool

• … etc

6

Replacement

7

• All of the previous tool are reply the unusual response

• Color / syntax missing

• Layout not match

• … etc

• We NEED to keep mysterious and unknown

8

Useful Rootkit Design - lv3

• Understand how ls work - ls will call …

• opendir

• readdir

• … etc

• You can trace by strace / dtruss / …etc

9

Shared Library Hookusing LD_PRELOAD

10

LD_PRELOAD Hook

11

But still can find the clue on the system

• The extra library on configure / environment

• Still can find out the file / folder

If I direct using dlopen / dlsym like the rootkit do …

12

Robust Rootkit design - lv4

• Tamper from the kernel-level

• Directly replace the response as deeper as possible

• You will never find the rootkit if the response comes from rootkit

13

朕不給，你不能搶 ∼

14

cmj

NEVER know the kernel programming XD

15

Concept

1. Hijack the syscall table

2. Hijack the response function

3. Hijack the data in kernel

4. … etc

16

Thanks for your attention ~

17