You are previewing Designing BSD Rootkits.
O'Reilly logo
Designing BSD Rootkits

Book Description

Though rootkits have a fairly negative image, they can be used for both good and evil. Designing BSD Rootkits arms you with the knowledge you need to write offensive rootkits, to defend against malicious ones, and to explore the FreeBSD kernel and operating system in the process.

Organized as a tutorial, Designing BSD Rootkits will teach you the fundamentals of programming and developing rootkits under the FreeBSD operating system. Author Joseph Kong's goal is to make you smarter, not to teach you how to write exploits or launch attacks. You'll learn how to maintain root access long after gaining access to a computer and how to hack FreeBSD.

Kongs liberal use of examples assumes no prior kernel-hacking experience but doesn't water down the information. All code is thoroughly described and analyzed, and each chapter contains at least one real-world application.

Included:

  • The fundamentals of FreeBSD kernel module programming

  • Using call hooking to subvert the FreeBSD kernel

  • Directly manipulating the objects the kernel depends upon for its internal record-keeping

  • Patching kernel code resident in main memory; in other words, altering the kernel's logic while it's still running

  • How to defend against the attacks described

Hack the FreeBSD kernel for yourself!

Table of Contents

  1. Designing BSD Rootkits
    1. ACKNOWLEDGMENTS
    2. FOREWORD
    3. INTRODUCTION
      1. What Is a Rootkit?
      2. Why FreeBSD?
      3. The Goals of This Book
      4. Who Should Read This Book?
      5. Contents Overview
      6. Conventions Used in This Book
      7. Concluding Remarks
    4. 1. LOADABLE KERNEL MODULES
      1. Module Event Handler
      2. The DECLARE_MODULE Macro
      3. "Hello, world!"
      4. System Call Modules
        1. The System Call Function
        2. The sysent Structure
        3. The Offset Value
        4. The SYSCALL_MODULE Macro
        5. Example
        6. The modfind Function
        7. The modstat Function
        8. The syscall Function
        9. Executing the System Call
        10. Executing the System Call Without C Code
      5. Kernel/User Space Transitions
        1. The copyin and copyinstr Functions
        2. The copyout Function
        3. The copystr Function
      6. Character Device Modules
        1. The cdevsw Structure
        2. Character Device Functions
        3. The Device Registration Routine
        4. Example
        5. Testing the Character Device
      7. Linker Files and Modules
      8. Concluding Remarks
    5. 2. HOOKING
      1. Hooking a System Call
      2. Keystroke Logging
      3. Kernel Process Tracing
      4. Common System Call Hooks
      5. Communication Protocols
        1. The protosw Structure
        2. The inetsw[ ] Switch Table
        3. The mbuf Structure
      6. Hooking a Communication Protocol
      7. Concluding Remarks
    6. 3. DIRECT KERNEL OBJECT MANIPULATION
      1. Kernel Queue Data Structures
        1. The LIST_HEAD Macro
        2. The LIST_HEAD_INITIALIZER Macro
        3. The LIST_ENTRY Macro
        4. The LIST_FOREACH Macro
        5. The LIST_REMOVE Macro
      2. Synchronization Issues
        1. The mtx_lock Function
        2. The mtx_unlock Function
        3. The sx_slock and sx_xlock Functions
        4. The sx_sunlock and sx_xunlock Functions
      3. Hiding a Running Process
        1. The proc Structure
        2. The allproc List
        3. Example
      4. Hiding a Running Process Redux
        1. The hashinit Function
        2. pidhashtbl
        3. The pfind Function
        4. Example
      5. Hiding with DKOM
      6. Hiding an Open TCP-based Port
        1. The inpcb Structure
        2. The tcbinfo.listhead List
        3. Example
      7. Corrupting Kernel Data
      8. Concluding Remarks
    7. 4. KERNEL OBJECT HOOKING
      1. Hooking a Character Device
        1. The cdevp_list Tail Queue and cdev_priv Structures
        2. The devmtx Mutex
        3. Example
      2. Concluding Remarks
    8. 5. RUN-TIME KERNEL MEMORY PATCHING
      1. Kernel Data Access Library
        1. The kvm_openfiles Function
        2. The kvm_nlist Function
        3. The kvm_geterr Function
        4. The kvm_read Function
        5. The kvm_write Function
        6. The kvm_close Function
      2. Patching Code Bytes
      3. Understanding x86 Call Statements
        1. Patching Call Statements
      4. Allocating Kernel Memory
        1. The malloc Function
        2. The MALLOC Macro
        3. The free Function
        4. The FREE Macro
        5. Example
      5. Allocating Kernel Memory from User Space
        1. Example
      6. Inline Function Hooking
        1. Example
        2. Gotchas
      7. Cloaking System Call Hooks
      8. Concluding Remarks
    9. 6. PUTTING IT ALL TOGETHER
      1. What HIDSes Do
      2. Bypassing HIDSes
      3. Execution Redirection
      4. File Hiding
      5. Hiding a KLD
        1. The linker_files List
        2. The linker_file Structure
        3. The modules List
        4. The module Structure
        5. Example
      6. Preventing Access, Modification, and Change Time Updates
        1. Change Time
        2. Example
      7. Proof of Concept: Faking Out Tripwire
      8. Concluding Remarks
    10. 7. DETECTION
      1. Detecting Call Hooks
        1. Finding System Call Hooks
      2. Detecting DKOM
        1. Finding Hidden Processes
        2. Finding Hidden Ports
      3. Detecting Run-Time Kernel Memory Patching
        1. Finding Inline Function Hooks
        2. Finding Code Byte Patches
      4. Concluding Remarks
    11. 8. CLOSING WORDS
    12. BIBLIOGRAPHY
    13. COLOPHON