C/C++ | memset's blog

Infecting loadable kernel modules: kernel versions 2.6.x/3.0.x

April 18, 2012 styx^ 32 comments

Hi.
“Infecting loadable kernel modules: kernel versions 2.6.x/3.0.x” is the title of my last paper that has been published on phrack #68. You can read the paper here.

Many thanks to:
– blackb1rd (a phrack reviewer) who helped me in writing the paper.
– All the phrack staff for publishing the paper.
– emdel for … mmmh … Hi, emdel!

Any comments or suggestions would be (obviously) appreciated.
Bye.

Categories: C/C++, GNU/Linux, Operating Systems, Programming, Security, Solaris Tags: backdoor, exploitation, infecting kernel module, Kernel 2.6

Syscall Hijacking: OpenBSD

November 26, 2011 styx^ 15 comments

Hi,
in this post I show you how to hijack the system calls in the latest OpenBSD kernel versions.
The way in which syscalls can be hijacked in OpenBSD kernel is very similar to that used in the Linux kernel 2.4 versions. The syscall table is exported and it is accessible by an external kernel module. So a syscall address can be overwritten by the address of an our function. Read more…

Categories: C/C++, OpenBSD, Operating Systems, Security Tags: hijacking, OpenBSD, Programming C, Syscall

Syscall Hijacking: Dynamically obtain syscall table address (kernel 2.6.x) #2

March 18, 2011 styx^ 38 comments

Hi. In this brief post I’ll show you another way to get the syscall table address dinamically.
This post is only an expansion of this one. Read more…

Categories: C/C++, GNU/Linux, Operating Systems, Programming, Security Tags: hijacking, Kernel 2.6, Programming C, Syscall

Syscall Hijacking: Anti Fork-Bomb LKM (kernel 2.6.x)

February 10, 2011 styx^ 3 comments

Hi. In this post I’ll show you how to implement a simple anti fork-bomb LKM.
There is already a kernel method to prevent the fork bomb: you can search online about this stuff.
Instead I’ll show you how prevent a fork bomb attack through a simple loadable kernel module, in order to better understand how a new process is created and how we can prevent its creation. Read more…

Categories: C/C++, GNU/Linux, Operating Systems, Programming, Security Tags: fork bomb, hijacking, Kernel 2.6, Programming C, Syscall

Syscall Hijacking: Dynamically obtain syscall table address (kernel 2.6.x)

January 20, 2011 styx^ 34 comments

Hi. In this post I’ll show you how to obtain dynamically the syscall table address. In the last posts (this and this) I wrote codes in which the syscall table address was hardcoded (as suggested by sj).
Now I’ll show you how to dinamically obtain it. Read more…

Categories: Bash, C/C++, GNU/Linux, Operating Systems, Programming, Security Tags: backdoor, hijacking, Kernel 2.6, Programming C, Syscall

Syscall Hijacking: Simple Rootkit (kernel 2.6.x)

December 28, 2010 styx^ 20 comments

Hi. In this post I’ll show you how to change the process credentials through kernel modules. In a such way you can make your own rootkit(s): i.e. when you performs a pre-established action, the module will give you a root access.
First of all we need to know where these credentials are kept: in the kernel versions < 2.6.29 we find all this informations in the “task_struct” structure. This structure is defined in “linux/sched.h”: Read more…

Categories: C/C++, GNU/Linux, Programming, Security Tags: hijacking, Kernel 2.6, Programming C, Rootkit, Syscall

Syscall Hijacking: Kernel 2.6.* systems

December 3, 2010 styx^ 36 comments

In this guide I will explain how to hijack the syscall in kernel 2.6.*: in particular how to bypass the kernel write protection and the “protected mode” bit of the CR0 CPUs register.
I don’t explain what is a syscall or syscall table: I assume you know what it is.
Read more…

Categories: C/C++, GNU/Linux, Programming, Security Tags: CR0 Protection, hijacking, Kernel 2.6, Syscall, Write protection

GNU C: Extensions to the C Language Family

November 6, 2010 styx^ 2 comments

Hi. Today I’ll talk about the extensions to the C language family introduced by the GNU C.
The GNU C provides several language features not found in ANSI standard C. These extensions are available both in C and C++. The `-pedantic’ option directs GNU CC to print a warning message if any of these features is used.
The list of these features is very long: often we use them implicitly. I will show to you only those I consider most useful and “strange”: Read more…

Categories: C/C++, GNU/Linux, Programming Tags: C language extended, GNU C, Programming C

Port-knocking Backdoor

October 21, 2010 styx^ 6 comments

Hi.
In this post I’ll explain to you how to make a *unix backdoor using a “port knocking” scheme. That is, if we’ll “knock” to some TCP ports that we have initially decided, our program will open a backdoor for us (but only for us :) ).
How does the “port knocking” scheme work? The attacker decides a particular sequence of packets that will be sent to a compromised server where the backdoor is running. When the backdoor program will receive this particular sequence then it will give to the attacker the server’s shell.
Read more…

Categories: C/C++, GNU/Linux, Security Tags: backdoor, port knocking, Programming socket, pthread timeout, raw socket, shell backdoor, sniffer

Win32 API: Passing Socket with IPC method

October 13, 2010 styx^ 3 comments

Hi. In this post I talk to you how to correctly pass a socket created in a parent process to a child process in Microsoft 9x systems.
If you have ever written a multi-process concurrent server in a Unix environment, you may have noticed that the passage of the socket between parent and son processes takes place directly. That is, the child inherits the variables of his parent, also including the file descriptor associated with the socket.

memset's blog

Archive