

rootkit - 자료정리 task


Virtual File System 관련 rootkit을 만들어 보려고 한다.

프로세스의 task_struct부터 데이터에 접근하는 전체적인 메커니즘을 파악한 다음, 흐름을 변경할 vector를 파악한다.

그 후, 관련 포인터와 구조체를 확인하고 변경한다.

위와 같은 순서로 진행하려고 한다.




위의 struct file 구조체에서 중요 변수 중 f_op 값은 file_operations 구조체를 가리키고 있다.

/*
 * Table of per-file callbacks; struct file's f_op member points at one of
 * these (see the text above). Every entry is a function pointer the VFS
 * calls on behalf of the corresponding operation on the open file, and an
 * entry may be NULL when the underlying filesystem does not implement it.
 */
struct file_operations {
         struct module *owner;     /* module that provides these callbacks */
         loff_t (*llseek) (struct file *, loff_t, int);
         ssize_t (*read) (struct file *, char __user *, size_t, loff_t *);
         ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *);
         ssize_t (*aio_read) (struct kiocb *, const struct iovec *, unsigned long, loff_t);
         ssize_t (*aio_write) (struct kiocb *, const struct iovec *, unsigned long, loff_t);
         /* directory-entry enumeration; this is the pointer get_readdir() below reads */
         int (*readdir) (struct file *, void *, filldir_t);
         unsigned int (*poll) (struct file *, struct poll_table_struct *);
         long (*unlocked_ioctl) (struct file *, unsigned int, unsigned long);
         long (*compat_ioctl) (struct file *, unsigned int, unsigned long);
         int (*mmap) (struct file *, struct vm_area_struct *);
         int (*open) (struct inode *, struct file *);
         int (*flush) (struct file *, fl_owner_t id);
         int (*release) (struct inode *, struct file *);
         int (*fsync) (struct file *, loff_t, loff_t, int datasync);
         int (*aio_fsync) (struct kiocb *, int datasync);
         int (*fasync) (int, struct file *, int);
         int (*lock) (struct file *, int, struct file_lock *);
         ssize_t (*sendpage) (struct file *, struct page *, int, size_t, loff_t *, int);
         unsigned long (*get_unmapped_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long);
         int (*check_flags)(int);
         int (*flock) (struct file *, int, struct file_lock *);
         ssize_t (*splice_write)(struct pipe_inode_info *, struct file *, loff_t *, size_t, unsigned int);
         ssize_t (*splice_read)(struct file *, loff_t *, struct pipe_inode_info *, size_t, unsigned int);
         int (*setlease)(struct file *, long, struct file_lock **);
         long (*fallocate)(struct file *file, int mode, loff_t offset, loff_t len);
};



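/*
 * get_readdir - read the readdir callback of the file_operations table
 * that backs @path.
 * @path: pathname that is opened read-only in order to reach its f_op table.
 *
 * Returns file->f_op->readdir as a void pointer, or NULL when the path
 * cannot be opened, when no f_op table is attached, or when the table has
 * no readdir entry. The file is closed again before returning.
 *
 * filp_open() reports failure with an ERR_PTR-encoded pointer, never with
 * NULL, so the result must be tested with IS_ERR() (linux/err.h); the
 * previous "== NULL" check never fired and let an error pointer be
 * dereferenced on the next line.
 */
void *get_readdir(const char *path) {
    struct file *file = filp_open(path, O_RDONLY, 0);
    void *ret = NULL;

    if (IS_ERR(file))
        return NULL;

    /* Do not assume an f_op table is attached; a missing readdir entry
     * simply comes back as NULL. */
    if (file->f_op != NULL)
        ret = (void *)file->f_op->readdir;

    filp_close(file, NULL);

    return ret;
}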

The system call getdents() reads several linux_dirent structures from the directory referred to by the open file descriptor fd into the buffer pointed to by dirp.  The argument count specifies the size of that buffer.


       The linux_dirent structure is declared as follows:


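           /* Record layout that getdents(2) writes into the caller's buffer,
              quoted from the man page; the terminating ';' is added so the
              declaration compiles, and the extraction's doubled blank lines
              are dropped. */
           struct linux_dirent {
               unsigned long  d_ino;     /* Inode number */
               unsigned long  d_off;     /* Offset to next linux_dirent */
               unsigned short d_reclen;  /* Length of this linux_dirent */
               char           d_name[];  /* Filename (null-terminated) */
                                 /* length is actually (d_reclen - 2 -
                                    offsetof(struct linux_dirent, d_name)) */
               /*
               char           pad;       // Zero padding byte
               char           d_type;    // File type (only since Linux
                                         // 2.6.4); offset is (d_reclen - 1)
               */
           };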


