linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)
git clone git://git.deurzen.net/linux-rootkit

commit 1a5f6bf82e72f81948dc0559d8812372b8d17800
parent ccaa2fd36688d1143b34347472093b88eb7b674b
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date:   Sat,  6 Feb 2021 22:16:57 +0100

Approach phase 1

Diffstat:
M project/slides/presentation.tex | 55++++++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 52 insertions(+), 3 deletions(-)

diff --git a/project/slides/presentation.tex b/project/slides/presentation.tex @@ -1,4 +1,5 @@ \documentclass{i20lecture} +\usepackage{listings} \subtitle{LiveDM - Proof of Concept} @@ -16,7 +17,7 @@ \item Dynamic Kernel Memory \item LiveDM \end{itemize} - \item Our Approach + \item Approach \item Results \item Discussion / Questions \end{enumerate} @@ -138,7 +139,7 @@ \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\section{Our Approach} +\section{Approach} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}{\insertsection} \framesubtitle{VMM} 
@@ -149,12 +150,60 @@ \begin{itemize} \item Xen \item KVM - \item QEMU (our pick) + \item QEMU (our pick; introspection done with GDB) \item .. \end{itemize} \end{itemize} \end{frame} +\begin{frame}{\insertsection} + \framesubtitle{Implementing Phase 1} + + \begin{itemize} + \item Intercepting allocation functions is easy: breakpoints + \begin{itemize} +\pause + \item Has a significant performance overhead, but system is still usable +\pause + \item Possible improvement: hardware breakpoints +\pause + \item Only part of GDB's Python API since 21st January 2021.. + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame}[fragile]{\insertsection} + \framesubtitle{Implementing Phase 1} + + \begin{itemize} + \item To retrieve the size parameter, we can rely on the System V calling convention +\pause + \begin{itemize} + \item As the size is not always the first argument, we build a dictionary: + \end{itemize} + \end{itemize} + \begin{lstlisting} + break_arg = { + "kmem_cache_alloc_trace": "rdx", + "kmalloc_order": "rdi" + [...] + } + \end{lstlisting} +\pause + \begin{itemize} + \item Return values are gathered by additionally breaking on return instructions + \begin{itemize} +\pause + \item Only one will be generated per function + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame}{\insertsection} + \framesubtitle{Implementing Phase 2} + +\end{frame} + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \section{Discussion / Questions}
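Review bot: In the first hunk, `\usepackage{listings}` is pulled in without any `\lstset` defaults, so the `lstlisting` block added later in the patch renders as plain monospaced text with no language awareness. Since the listing is a Python dictionary, consider `\lstset{language=Python, basicstyle=\ttfamily\small}` in the preamble or `\begin{lstlisting}[language=Python]` on the block itself; the frame is already marked `[fragile]`, which `lstlisting` requires, so nothing else needs to change.

Review bot: In the "Implementing Phase 1" frames of the last hunk, the sub-bullet "Only one will be generated per function" under "breaking on return instructions" is ambiguous and, under the natural reading, not guaranteed: GCC regularly emits more than one `ret` per function (duplicated epilogues) or ends a path in a tail-call `jmp`, so a single breakpoint on "the" return instruction misses those exits. Either state that one breakpoint per discovered `ret` is generated, or use `gdb.FinishBreakpoint`, which stops at the caller's return address regardless of how many return paths the callee has and exposes the result as `return_value`. Two smaller points: the System V claim should say x86-64 explicitly (the register dictionary with `rdx`/`rdi` only holds there, and the size in `kmem_cache_alloc_trace` is the requested size, not the cache's object size, which matters if the later phases reason about allocated bytes), and "Only part of GDB's Python API since 21st January 2021.." should name the feature meant (hardware breakpoints via `gdb.BP_HARDWARE_BREAKPOINT`, if that is it) and end with `\ldots` rather than two periods. The new "Implementing Phase 2" frame is empty; comment it out or add a placeholder bullet so the deck does not render a blank slide.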