Traditional kernel rootkits, such as adore and phalanx, worked by overwriting pointers in sys_call_table
so that they would point to a replacement function, which would then call the original syscall as needed. This was accomplished by either an LKM or a program that modified the kernel through /dev/kmem
or /dev/mem
. On today's Linux systems, for security reasons, these writable windows into memory are disabled or are no longer capable of anything but read operations depending on how the kernel is configured. There have been other ways of trying to prevent this type of infection, such as marking sys_call_table
as const
so that it is stored in the .rodata
section of the text segment. This can be bypassed by marking the corresponding
PTE (short for Page Table Entry) as writeable, or by disabling the write-protect bit in the cr0
register. Therefore, this type of infection is a very reliable way to make a rootkit even today, but it is also very easily detected...
Learning Linux Binary Analysis
By :
Learning Linux Binary Analysis
By:
Overview of this book
Learning Linux Binary Analysis is packed with knowledge and code that will teach you the inner workings of the ELF format, and the methods used by hackers and security analysts for virus analysis, binary patching, software protection and more.
This book will start by taking you through UNIX/Linux object utilities, and will move on to teaching you all about the ELF specimen. You will learn about process tracing, and will explore the different types of Linux and UNIX viruses, and how you can make use of ELF Virus Technology to deal with them.
The latter half of the book discusses the usage of Kprobe instrumentation for kernel hacking, code patching, and debugging. You will discover how to detect and disinfect kernel-mode rootkits, and move on to analyze static code. Finally, you will be walked through complex userspace memory infection analysis.
This book will lead you into territory that is uncharted even by some experts; right into the world of the computer hacker.
Table of Contents (17 chapters)
Learning Linux Binary Analysis
Credits
About the Author
Acknowledgments
About the Reviewers
www.PacktPub.com
Preface
Free Chapter
The Linux Environment and Its Tools
The ELF Binary Format
Linux Process Tracing
ELF Virus Technology – Linux/Unix Viruses
Linux Binary Protection
ELF Binary Forensics in Linux
Process Memory Forensics
ECFS – Extended Core File Snapshot Technology
Linux /proc/kcore Analysis
Index
Customer Reviews