Published on July 23, 2002, by palmers, Phrack Magazine.
I concern myself again with kernel hacking, not with literature. Especially in this field many, many ideas need to be expiated as useless. That does not mean they do not allow particular problems to be solved. It means the problems which can be solved are not those which were aimed to be solved.
Published on April 09, 1997, by halflife, Phrack Magazine.
Loadable modules are a very useful feature in Linux, as they let you load device drivers on an as-needed basis. However, there is a bad side: they make kernel hacking almost TOO easy. What happens when you can no longer trust your own kernel...? This article describes a simple way kernel modules can be easily abused.
Published on July 23, 2002, by Jan K. Rutkowski, Phrack Magazine.
Over the years mankind has developed many techniques for masking the presence of the attacker in the hacked system. In order to stay invisible, modern backdoors modify kernel structures and code, so that nobody can trust the kernel. Nobody, including IDS tools...
Published on July 28, 2002, by kad, Phrack Magazine.
The Intel® CPU can be run in two modes: real mode and protected mode. The first mode does not protect any kernel registers from being altered by userland programs. All modern operating systems make use of the protected mode feature to restrict access to critical registers by userland processes. The protected mode offers 4 different 'privilege levels' (ranging from 0..3, aka ring0..ring3). Userland applications are usually executed in ring3. The kernel on the other hand is executed in the most privileged mode, ring0. This grants the kernel full access to all CPU registers, all parts of the hardware and the memory. Without question this is the mode of choice to start some hacking.
Published on December 08, 2001, by mayhem, Phrack Magazine.
Abusing, logging, patching, or even debugging: obvious reasons to think that hooking matters. We will try to understand how it works. The demonstration context is the Linux kernel environment. The article ends with a general purpose hooking library for the Linux kernel 2.4 series, developed on 2.4.5 and running on IA32; it's called LKH, the Linux Kernel Hooker.
Published on November 1999, by Silvio Cesare, --.
This article describes a method of hijacking internal kernel functions, that is, kernel functions that are declared inside the kernel without a function pointer or vector for changing the kernel function it points to. This can have practical uses, as given in example code which patches the process accounting code to not log specially marked processes (processes given signal 31).
Published on December 12, 2001, by sd, devik, Phrack Magazine.
In this paper, we will discuss a way of abusing the Linux kernel (syscalls mostly) without the help of module support or System.map at all, so we assume that the reader will have a clue about what an LKM is, how an LKM is loaded into the kernel, etc. If you are not sure, look at some documentation.
Published on November 1998, by Silvio Cesare, --.
This paper documents runtime (on the fly) kernel patching on a running system under Linux using direct access to kernel memory. The same algorithms may equally be applicable to other systems. Examples of kernel patching for use by an attacker are provided, showing patching of kernel structures to remove an LKM's visibility to lsmod and even the addition of kernel code à la loadable kernel modules (LKM) to a running system without native LKM support in the kernel. Discussion of rebuilding the appropriate sections of the system symbol map (System.map) is provided and implemented.
Published on December 28, 2002, by jbtzhm, Phrack Magazine.
This paper will show a simple way to patch a common LKM into the static Linux kernel image. Most kernel backdoors are implemented by a loadable kernel module which is loaded into the kernel by insmod or /dev/kmem, and the backdoor module can be found easily if the disk can be mounted on other machines. It is not the expected result. What is wanted is just to find a method to put the LKM into the kernel image, and make it run on reboot.
Published on December 28, 2001, by palmers, Phrack Magazine.
Since I concern myself here with hacking, not literature, let's restate it. Our romanticism is security, realism is its shadow. This article is about the hacker Caliban. Our glass shall be the Linux kernel.
Published on June 19, 2002, by rd, Phrack Magazine.
This article is divided into two parts. The first part of the paper gives an overview on how the Linux keyboard driver works, and discusses methods that can be used to create a kernel based keylogger. This part will be useful for those who want to write a kernel based keylogger, or to write their own keyboard driver (for supporting input of non-supported languages in a Linux environment, ...) or to program taking advantage of many features in the Linux keyboard driver.