xorl %eax, %eax

Book: Designing BSD Rootkits

with 4 comments

This is not a new book and here is a little background… I was extremely enthousiast when this book was released on 2007 since jkong’s Phrack #63 article “Playing Games With Kernel Memory … FreeBSD Style” was really cool! When I got his book in my hands I read it like two or three times in a month (it was apparently, on April 2007). This weekend I was updating some old KLD I had written and decided to have a look at that book again in order to include some new features. Even though I was quite sure that everything discussed should still be applicable in FreeBSD 7.1-RELEASE (since this was my target but the book was written/tested on FreeBSD 6.0-STABLE), I tested all of the examples, so… Why not write a review too? :P
Here it is…

Title: Designing BSD Rootkits: An Introduction to Kernel Hacking
Author: Joseph Kong

The best thing about that book that made me love it was its approach of more code, less talk. It deals with all the essential (and some advanced) concepts for rootkit development in just 126 pages! That’s just amazing!!! He gives some code, explains it and moves on, no boring theories or diagrams. Everything is explained using code snippets and that’s making it really interesting reading. In addition, because of this structure it pushes the reader to go and test everything he reads to fully understand what’s going on and that is definitely useful regardless of reader’s previous knowledge on the subject. Anyway, I won’t say more about it… Below is a more detailed review for each chapter separately.
Excellent book :)

Chapter 1: Loadable Kernel Modules
This chapter introduces the reader to basic design issues of FreeBSD’s loadable kernel modules, also known as KLD. It goes through from a common “hello world” kernel module to a KLD that inserts a new system call and finally, a character device driver. Additionally, it highlights some helpful API routines for both user and kernel space.
– The sc_example.c code will not compile as it is in the book since it is missing a header file. Just include sys/sysproto.h and it should be fine.
– Userspace application interface.c (for both the syscall and character device examples) will generate a warning on compile time because of the implicit declaration of exit(3) library routine. Just include stdlib.h header file.
– In cd_example.c there is a weird integer check like this:

static size_t len;
	if (len <= 0)
		error = -1;

Well, since ‘len’ is of type ‘size_t’ it cannot contain negative values. I think that this check should either cast ‘len’ to ‘int’ or check just for zero values.
– In the second interface.c, for the character device, there is a non-intended signedness issue as you can see here:

	int len;
	if ((len = strlen(argv[1]) + 1) > 512) {

That should probably be a ‘size_t’ instead of a signed integer.
– In the second interface.c there are some redundant parentheses here:

if ((close(kernel_fd)) == -1) {

Chapter 2: Hooking
This chapter discusses the most common technique for kernel rootkits. As examples, it demonstrates a system call hook, a kernel level key logger as well as a network protocol hook. This was an interesting chapter even though the concept of hooking functions in rootkits is quite old.

Chapter 3: Direct Kernel Object Manipulation
In this, the author provides detailed description of the Direct Kernel Object Manipulation technique specifically for the FreeBSD operating system. This is not a new technique either, it is known at least since 2004 when Jamie Butler and Greg Hoglund made their “Blackhat” Briefings 2004 presentation “VICE – Catch the hookers! (Plus new rootkit techniques)“. Apart from the included examples of hiding a process using ‘allproc’ list, ‘pidhashtbl’ hash table and hiding an open TCP port, it also discusses how you could utilize this technique (DKOM) to make your rootkit more stealthy. Nice chapter…
– In process_hiding.c file you need to include sys/sysproto.h otherwise the KLD will not compile.
– In process_hiding_redux.c you’ll have to include sys/sysproto.h.
– Once again, the port_hiding.c system call should include the sys/sysproto.h header file.
– Structure ‘inpcbinfo’ does no longer include a ‘listhead’ member, replace the “tcbinfo.listhead” reference with “tcbinfo.ipi_listhead”.
– The INP_LOCK() and INP_UNLOCK() macros will not work since ‘inpcb’ structure uses Reader/Writer locks. Replace them with INP_WLOCK() and INP_WUNLOCK() respectively.
– On page 56, there is a typo where it says: “Notice how port_hiding hid the local telnet” which I guess it should be “hides” instead of “hid”.

Chapter 4: Kernel Object Hooking
This is a tiny little chapter of only four pages! This technique (KOH) is a combination of hooking and DKOM, what he does in these four pages is hooking of functions that are used to manipulate kernel’s internal structures instead of directly patching kernel structures like he did in the previous one. As an example, he provides a KLD that hooks a routine in the read operation of a character device driver.
A tiny mistake…
– In cd_example_hook.c the:

extern TAILQ_HEAD(,cdev_priv) cdevp_list;

Is not needed and the code will not compile since this is already declared in fs/devfs/devfs_int.h which was included in this KLD.

Chapter 5: Run-Time Kernel Memory Patching
Here, the author describes one of the most widely used techniques. This is definitely not a new approach either, who can forget the amazing “Runtime kernel kmem patching” article of the almighty Silvio Cesare back in 1998? The algorithm behind this technique can be read in Silvio’s article under “Patching kernel structures” section. The examples range from patching/replacing instructions of a dummy kernel module to creating a trojan system call by patching the system call dispatcher.
– The hello.c file needs sys/sysproto.h header file.
– To avoid compiled-time warnings, include stdlib.h in fix_hello.c and fix_hello_improved.c.
– The sys/sysproto.h header file is also missing from kmalloc.c and in addition, the space allocated never gets freed.
– Finally, include stdlib.h in interface.c, kmalloc_reloaded.c and mkdir_patch.c files.

Chapter 6: Putting It All Together
This is probably the most interesting chapter since it combines all of the techniques discussed for subverting the FreeBSD kernel in order to create a complete (although trivial as the author states) rootkit. There aren’t much to discuss here, a great chapter :)
– Include stdlib.h in trojan_loader.c.
– In 7.2.2 the references to “tcbinfo.listhead should be updated to “”tcbinfo.ipi_listhead” as well as the “tcbinfo.hashbase” to “tcbinfo.ipi_hashbase”.

Chapter 7: Detection
Really useful chapter, what’s the meaning of coding a rootkit if it can be detected? No reason! Here jkong describes some methods to detect the existence of a rootkit using various different approaches and he also provides some tools and ideas for further development to perform rootkit detection under FreeBSD. Furthermore, I’m quite sure that some of the ideas can be implemented easily on other operating systems too.

Written by xorl

November 29, 2009 at 23:56

Posted in books

4 Responses

Subscribe to comments with RSS.

  1. Nice, I been reading this book for like the past month i highly approve to anyone who wants to learn how to hack the BSD kernel. Its a great step by step guide and as you go through you def. get ideas of your own to implement. Infact i already started coding one not to long ago using this book ;-)


    November 30, 2009 at 06:35

  2. Thank you so much. Your post saved me!

    Satoshi Abe

    February 27, 2011 at 19:58

  3. I wanted to write an errata, but yours is Good enough, Thank you.


    July 23, 2013 at 04:10

  4. Chapter 2 has a bug in listing 2-1. Replace mkdir with sys_mkdir


    October 1, 2018 at 19:42

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: