Just to remind you that krd is on freshmeat (of course), and
on http://krd.linux.edu (the linux.edu projects; if you want to
participate in the linux.edu project and make "gov financed" projects,
please email me, I'll be glad to hook you up).
Also, krd got a difficult task: to find a kind of file that always changes
its binary (by compression). So when krd is reading /proc/kcore to check
for this binary in memory, it's pretty hard to know, since the binary
changes every time you "remake" it.
So the idea is to make a krd module that will check two of these binaries
made, to check the data similarity between them; for instance, the
unpacking routine code should be the same for both. Got any idea on how
to do this? I've got mine, but it's always good to share!
For your info, I'm talking about the sk2.0 backdoor findable on
packetstorm (a backdoor using kmem to replace /sbin/init, hide pids,
etc.; the whole backdoor package, a pretty strong one).
http://www.packetstormsecurity.org/filedesc/suckit2priv.tar.html
I didn't really have time to check everything about it out, just that
after the backdoor is compiled, it's auto-packing itself to have its
binary "hidden" in memory.
See ya,
Guillaume R.
MPG
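The "two builds of the same packed binary" idea above, written out as an added example (this is not krd code and not anything from the sk2 package): every rebuild repacks the payload, so the packed bytes differ, but the unpacker stub that decompresses it at runtime is emitted unchanged. Taking the longest byte run common to two builds therefore isolates the stub, and that run is a candidate signature to look for in a memory image. The stub bytes, the per-build ids and the "packed" payloads below are constructed sample data, and the O(n*m) dynamic programme is a simple choice, not what krd uses.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Longest common byte run between a[0..na) and b[0..nb).
 * Classic O(na*nb) dynamic programme with two rolling rows (O(nb) memory).
 * Returns the run length; *off_a / *off_b receive where it starts in each buffer. */
size_t longest_common_run(const unsigned char *a, size_t na,
                          const unsigned char *b, size_t nb,
                          size_t *off_a, size_t *off_b)
{
    size_t *prev = calloc(nb + 1, sizeof *prev);
    size_t *cur  = calloc(nb + 1, sizeof *cur);
    size_t best = 0;

    *off_a = *off_b = 0;
    if (prev == NULL || cur == NULL) {
        free(prev); free(cur);
        return 0;
    }
    for (size_t i = 1; i <= na; i++) {
        for (size_t j = 1; j <= nb; j++) {
            if (a[i - 1] == b[j - 1]) {
                cur[j] = prev[j - 1] + 1;
                if (cur[j] > best) {
                    best = cur[j];
                    *off_a = i - best;   /* run ends at i-1, so it starts at i-best */
                    *off_b = j - best;
                }
            } else {
                cur[j] = 0;
            }
        }
        size_t *tmp = prev; prev = cur; cur = tmp;
    }
    free(prev); free(cur);
    return best;
}

/* Plain byte scan: offset of sig[0..ns) inside mem[0..nm), or -1 if absent.
 * This is the kind of check a chunk read from /proc/kcore would be fed through. */
long find_signature(const unsigned char *mem, size_t nm,
                    const unsigned char *sig, size_t ns)
{
    if (ns == 0 || ns > nm)
        return -1;
    for (size_t i = 0; i + ns <= nm; i++)
        if (memcmp(mem + i, sig, ns) == 0)
            return (long)i;
    return -1;
}

/* Constructed sample data (not real sk2 bytes): a 16-byte "unpacker stub"
 * that is identical in every build, a 7-byte per-build id in front of it,
 * and a packed payload behind it that differs from build to build. */
static const unsigned char STUB[16] = {
    0x55, 0x89, 0xe5, 0x83, 0xec, 0x10, 0x31, 0xc0,
    0x31, 0xdb, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x5b };
static const unsigned char BUILD_A[] = {
    'I', 'D', '=', 'a', '1', 'f', '3',
    0x55, 0x89, 0xe5, 0x83, 0xec, 0x10, 0x31, 0xc0,
    0x31, 0xdb, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x5b,
    0xa1, 0x7c, 0x03, 0x9e, 0x42, 0xd5, 0x18, 0xfa, 0x66, 0x2b };
static const unsigned char BUILD_B[] = {
    'I', 'D', '=', '9', 'c', '0', '7',
    0x55, 0x89, 0xe5, 0x83, 0xec, 0x10, 0x31, 0xc0,
    0x31, 0xdb, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x5b,
    0x3f, 0xb8, 0xe1, 0x07, 0x94, 0x2a, 0xcd, 0x70, 0x59, 0x8e };

/* Copy the shared run out of the two builds as a signature; returns its length. */
size_t derive_stub_signature(unsigned char *sig_out, size_t cap)
{
    size_t oa, ob;
    size_t len = longest_common_run(BUILD_A, sizeof BUILD_A,
                                    BUILD_B, sizeof BUILD_B, &oa, &ob);
    if (len > cap)
        len = cap;
    memcpy(sig_out, BUILD_A + oa, len);
    return len;
}

/* 1 if the derived signature is exactly the stub, is found at byte 7 of both
 * builds and is absent from an unrelated buffer; 0 otherwise. */
int sample_check(void)
{
    unsigned char sig[64];
    static const unsigned char clean[] = { 0x00, 0x11, 0x22, 0x33, 0x44 };
    size_t len = derive_stub_signature(sig, sizeof sig);
    return len == sizeof STUB && memcmp(sig, STUB, len) == 0
        && find_signature(BUILD_A, sizeof BUILD_A, sig, len) == 7
        && find_signature(BUILD_B, sizeof BUILD_B, sig, len) == 7
        && find_signature(clean, sizeof clean, sig, len) == -1;
}

int main(void)
{
    unsigned char sig[64];
    size_t len = derive_stub_signature(sig, sizeof sig);
    printf("shared run: %zu bytes, sample_check=%d\n", len, sample_check());
    return 0;
}
```

Two caveats when using this on real builds: a short common run (a few bytes) is usually a chance collision rather than code, so a minimum length is needed before the run is accepted as a signature, and the ELF header shared by both builds will also come out as a common run, so compare the code region rather than whole files.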
For the slowness: running krd on reading 1 MB of /proc/kcore with
function hex2str()
will give:
prod:/home/romem/krd-pre0.2/src # time ./krd
./krd pre0.1 [http://krd.linux.edu] Guillaume R. <gu...@ism-o.com>
./krd [-c hex] [-h file]
into kcore
1 MB read
real 0m22.963s
user 0m22.880s
sys 0m0.080s
Without hex2str (nasty sprintf, I'll paste it after):
prod:/home/romem/krd-pre0.2/src # time ./krd
./krd pre0.1 [http://krd.linux.edu] Guillaume R. <gu...@ism-o.com>
./krd [-c hex] [-h file]
into kcore
1 MB read
real 0m0.299s
user 0m0.240s
sys 0m0.060s
---
Notice any difference? :>
Well, here is the rogue function to remake:
#include <stdio.h>

#define MAXSTR 1024            /* bytes converted per call; the value is assumed here */
unsigned char strbuf[MAXSTR];  /* raw bytes read from /proc/kcore */
char cstr[2 * MAXSTR + 1];     /* hex output: two chars per byte plus NUL */

/* Convert strbuf to uppercase hex in cstr; one sprintf per byte is the slow part. */
void
hex2str (void)
{
  int counter, j;
  for (counter = 0, j = 0; j < MAXSTR; counter = counter + 2, j++)
    sprintf (&cstr[counter], "%02.2X", (strbuf[j] & 0xff));
}
This function is simply converting the data read into ASCII to be
compared after this to the signature files; I cannot compare directly the
data to the data file in binary, because it would find in memory the
data signature inside krd. This is why I had to do this tricky, slow
trick. Again, if you have any idea for making a nice sprintf-like to put the data
into ASCII %02.2X, just let me know; I will work on a solution later
anyways.
Guillaume R.
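An added example (not krd code) of the sprintf-free hex conversion asked for above, plus the matching search over the hex text. Each byte becomes two characters through a 256-entry table, which removes the per-byte sprintf() call that dominates the 22-second run. The search adds one check the ASCII approach needs: a hit in the hex text only corresponds to real bytes when it starts on an even column, otherwise it straddles a nibble boundary. It also shows why the hex trick avoids krd matching its own signature copy, and one case where it does not. The memory chunk and signatures are constructed sample values; the function names are mine.

```c
#include <stdio.h>
#include <string.h>

/* Two uppercase hex characters per byte value, filled once on first use. */
static char hex_table[256][2];
static int  hex_table_ready = 0;

static void build_hex_table(void)
{
    static const char digits[] = "0123456789ABCDEF";
    for (int b = 0; b < 256; b++) {
        hex_table[b][0] = digits[b >> 4];
        hex_table[b][1] = digits[b & 0x0f];
    }
    hex_table_ready = 1;
}

/* Encode n bytes of in[] as 2n hex characters in out[], NUL-terminated.
 * out must hold at least 2*n + 1 bytes. Returns the number of characters written.
 * One table lookup and two stores per byte replace one sprintf() per byte. */
size_t hex2str_fast(const unsigned char *in, size_t n, char *out)
{
    if (!hex_table_ready)
        build_hex_table();
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = hex_table[in[i]][0];
        out[2 * i + 1] = hex_table[in[i]][1];
    }
    out[2 * n] = '\0';
    return 2 * n;
}

/* Search the hex text of a chunk for a hex signature. Only a match starting
 * on an even column describes whole bytes; an odd-column match is a false hit
 * across a nibble boundary. Returns the byte offset in the chunk, or -1. */
long find_hex_signature(const char *hex, const char *sig_hex)
{
    size_t siglen = strlen(sig_hex);
    if (siglen == 0 || siglen % 2 != 0)
        return -1;
    for (const char *p = strstr(hex, sig_hex); p != NULL; p = strstr(p + 1, sig_hex))
        if ((p - hex) % 2 == 0)
            return (long)((p - hex) / 2);
    return -1;
}

/* Constructed sample "memory chunk"; its hex text is DEADBEEF0102. */
static const unsigned char SAMPLE_MEM[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02 };

long scan_sample(const char *sig_hex)
{
    char hex[2 * sizeof SAMPLE_MEM + 1];
    hex2str_fast(SAMPLE_MEM, sizeof SAMPLE_MEM, hex);
    return find_hex_signature(hex, sig_hex);
}

/* Would the scanner hit the signature text itself when krd's own memory is in
 * the dump? The text "DEAD" encodes to "44454144", which does not contain
 * "DEAD", so normally no; but a signature such as "3334" encodes to
 * "33333334", which does contain it at an even column, so the trick is not a
 * guarantee. Returns 1 if the signature text self-matches, else 0. */
int signature_text_self_matches(const char *sig_hex)
{
    char hex[2 * 64 + 1];
    size_t n = strlen(sig_hex);
    if (n > 64)
        return -1;
    hex2str_fast((const unsigned char *)sig_hex, n, hex);
    return find_hex_signature(hex, sig_hex) >= 0;
}

int main(void)
{
    char hex[2 * sizeof SAMPLE_MEM + 1];
    hex2str_fast(SAMPLE_MEM, sizeof SAMPLE_MEM, hex);
    printf("%s\n", hex);
    printf("ADBE at byte %ld, EADB at byte %ld\n",
           scan_sample("ADBE"), scan_sample("EADB"));
    printf("DEAD self-match: %d, 3334 self-match: %d\n",
           signature_text_self_matches("DEAD"), signature_text_self_matches("3334"));
    return 0;
}
```

For the 1 MB read in the timings above this still does twice the memory traffic of a raw memcmp() scan; if the only goal is to stop krd matching its own copy of the signature, an alternative is to store the signature XOR-ed with a constant and compare byte by byte while un-XOR-ing, which keeps the raw bytes out of krd's memory without doubling the data.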