Betriebssysteme · Institut für Systemarchitektur · Fakultät Informatik · TU Dresden



25. 11. 2011

Subverting the Linux Kernel, Rootkit Development and Deployment


Marius Vlad

1&1 Romania


My thesis mainly consists from two parts, one detailing design and architecture implementation of the Linux kernel, with focus on processes and virtual memory management, system calls and system calls handlers, changing virtual memory pages and finding out information not exportable by the kernel. This explanation couldn't be done without the intervention of IA-64/32 System Programming manuals to be followed simultaneously while digging further in the monolithic kernel. The target machines is UP and IA-32 is assumed. Various kernel data structures, algorithms and compiler extensions are explained in order to provide aid for the second part which is a proof-of-concept on how a remote attacker can gain access to a GNU/Linux system. First by exploiting a user-space application specifically designed for this, followed by loading linkable kernel code - the rootkit is designed to spawn connections back to the attacker if a certain packet (ICMP or UDP) contains a marker, to hide network connections, processes and files, and has a interface (/proc) to disable/enable those "features".
10. Dec 2018
· Copyright © 2001-2010 Operating Systems Group, TU Dresden | Impressum ·