25.11.2011
Subverting the Linux Kernel, Rootkit Development and Deployment
Marius Vlad
1&1 Romania
My thesis mainly consists of two parts, one detailing the design and
architecture of the Linux kernel implementation, with a focus on
processes and virtual memory management, system calls and system
call handlers, changing virtual memory pages and finding out
information not exportable by the kernel. This explanation couldn't
be done without the IA-64/32 System Programming manuals, which are
followed simultaneously while digging further into the monolithic
kernel. The target machine is UP and IA-32 is assumed. Various
kernel data structures, algorithms and compiler extensions are
explained in order to provide aid for the second part, which is a
proof-of-concept of how a remote attacker can gain access to a
GNU/Linux system: first by exploiting a user-space application
specifically designed for this, followed by loading linkable kernel
code. The rootkit is designed to spawn connections back to the
attacker if a certain packet (ICMP or UDP) contains a marker, to
hide network connections, processes and files, and has an interface
(/proc) to disable/enable those "features".