While reading an article on writing rootkits on Linux systems, I came across this line:

"The simplest way to introduce code into a running kernel is through a loadable kernel module (LKM)."

Are there any other (complex?) ways to inject code into the Linux kernel?
Posted on 2007-12-02 05:41:49 by shakuni
Yeah, like the typical buffer overflow exploits... but this is pretty much at the border of what we can discuss in these forums. There isn't really any legitimate reason for utilizing such techniques (especially since LKMs are available).

If you want to know how to guard against such exploits, I suggest you read phrack and zines like that, perhaps hop over to some RCE forums as well...
Posted on 2007-12-02 12:32:02 by f0dder

> Yeah, like the typical buffer overflow exploits... but this is pretty much at the border of what we can discuss in these forums. There isn't really any legitimate reason for utilizing such techniques (especially since LKMs are available).
>
> If you want to know how to guard against such exploits, I suggest you read phrack and zines like that, perhaps hop over to some RCE forums as well...

Yada yada, Fodder always hangs out on low-level stuff to do nothing more than try to discourage everyone. Fodder? Do you work for Microsoft? You know yourself that they are stuck having to give ring zero access to new devices. Otherwise, Microsoft would have to make all peripherals. Once you hit ring zero, you can do whatever you want to. Just be sure to block the debug interrupts, DBG1 & DBG3, or they will "BSOD" you in a second.
Posted on 2007-12-27 18:05:29 by mrgone
No, I don't work for Microsoft, but I don't want to help people writing malware.

Besides, the original poster asked for linux, not Microsoft, advice... there isn't any PatchGuard stuff in linux, and there's a proper & established way to get kernel modules loaded that doesn't require digital signing of your modules by a central authority.

Thus, no legitimate reason to use non-authorized ways to load kernel code. I think you should re-read the two posts in this thread and think about your next reply, mrgone.
Posted on 2007-12-27 18:20:29 by f0dder

> Yada yada, Fodder always hangs out on low-level stuff to do nothing more than try to discourage everyone. Fodder? Do you work for Microsoft? You know yourself that they are stuck having to give ring zero access to new devices. Otherwise, Microsoft would have to make all peripherals. Once you hit ring zero, you can do whatever you want to. Just be sure to block the debug interrupts, DBG1 & DBG3, or they will "BSOD" you in a second.

First, what does Microsoft have anything to do with Linux Kernel Modules???

Second, f0dder gave the answer that I would expect for something that clearly crosses the line of what we allow. Don't mistake loosening-up the rules with "free game" on this place.

Anyone who knows anything about *nix kernel/driver development would have probably given the same answer.
Posted on 2007-12-27 18:25:47 by SpooK
Linux? I didn't know he was talking Linux. I was talking Windows but I am sure it is the same.
Posted on 2007-12-27 18:57:08 by mrgone
mrgone: read his post? I'll quote it here for you: :)

> Are there any other (complex?) ways to inject code into the Linux kernel?

And yes, it's the same on Windows, there are legitimate ways to get to kernel-mode so you don't need to inject code into the kernel. Windows does have the problem, for 64bit editions, that PatchGuard severely limits what you can do (SandboxIE being a good example), and Vista requires driver signing which costs money, and again limits what you can do (Microsoft won't sign just anything). Hobbyists can still run their own drivers, but it requires some boot-time flags, and the drivers won't run on end-user systems without signing.

Before accusing me of "bashing low-level topics", please realize what it is that I'm bashing. And hey, no hard feelings, man :)
Posted on 2007-12-27 19:02:39 by f0dder
They all must give ring0 access. Once in you are the operating system. All bets are off.
Posted on 2007-12-27 19:07:29 by mrgone

> They all must give ring0 access. Once in you are the operating system. All bets are off.

Yes, but there's a difference in using a published "entry point" that can do credential checking to see if you should be allowed to enter kernel mode, vs. trying to "inject" your code through a bug in the kernel and thus forcing entry.

And btw., wrt. "All bets are off", do read up on patchguard, it's a nasty beast. And while it can be defeated, it's not something you want to do for real-world code for consumer use, as you'll be playing a cat-and-mouse game with Microsoft... play by the rules, or choose a different operating system.
Posted on 2007-12-27 19:11:59 by f0dder
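A defender-side counterpart to the distinction drawn above (a published, access-controlled entry point versus forced entry), as an added example that is not part of the original thread: a POSIX shell script that reports how tightly a Linux kernel restricts its module-loading entry point. It assumes the procfs/sysfs files shown (the lockdown and sig_enforce files only exist on newer kernels; missing files are treated as "no restriction") and takes an optional root prefix so the same checks can be run against a constructed directory tree.

```shell
#!/bin/sh
# Audit whether a running Linux kernel still accepts arbitrary module code.
# Every function takes ROOT, a prefix prepended to the real /proc and /sys
# paths; pass "" for the live system or a constructed tree for testing.

# read_or_default FILE DEFAULT: first line of FILE, or DEFAULT when unreadable.
read_or_default() {
    if [ -r "$1" ]; then head -n 1 "$1"; else printf '%s\n' "$2"; fi
}

# lockdown_mode ROOT: active mode from /sys/kernel/security/lockdown, whose
# content looks like "none [integrity] confidentiality" (bracketed = active).
lockdown_mode() {
    read_or_default "$1/sys/kernel/security/lockdown" "[none]" \
        | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# module_loading_status ROOT prints one of:
#   disabled - kernel.modules_disabled=1: no module can be loaded until reboot
#   signed   - unsigned modules are rejected (sig_enforce=Y or lockdown active)
#   open     - any process with CAP_SYS_MODULE can load unsigned ring-0 code
module_loading_status() {
    root=$1
    disabled=$(read_or_default "$root/proc/sys/kernel/modules_disabled" 0)
    sig=$(read_or_default "$root/sys/module/module/parameters/sig_enforce" N)
    mode=$(lockdown_mode "$root")
    if [ "$disabled" = 1 ]; then
        echo disabled
    elif [ "$sig" = Y ] || [ "$mode" = integrity ] || [ "$mode" = confidentiality ]; then
        echo signed
    else
        echo open
    fi
}

# unsigned_module_loaded ROOT: 1 if the kernel taint mask has bit 12 (O,
# out-of-tree module) or bit 13 (E, unsigned module) set, else 0. A non-zero
# result on a host that claims "signed" is worth a closer look at lsmod.
unsigned_module_loaded() {
    tainted=$(read_or_default "$1/proc/sys/kernel/tainted" 0)
    echo $(( ((tainted >> 12) & 3) != 0 ))
}

# Report on the live system (ROOT may be exported to point at another tree).
printf 'module loading: %s\n' "$(module_loading_status "${ROOT:-}")"
printf 'out-of-tree/unsigned module taint: %s\n' "$(unsigned_module_loaded "${ROOT:-}")"
```

Run it as root or not; all files read are world-readable, and a result of "open" simply means the kernel relies on CAP_SYS_MODULE alone to guard the entry point.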

> Linux? I didn't know he was talking Linux. I was talking Windows but I am sure it is the same.

"I am sure" != "I know for sure"

Ring-0 is Ring-0, but how you are allowed to get there is dependent on the flexibility and security of the OS.

From what I have observed throughout the years, most misinformation is dispersed because we try to mold reality to our understanding... probably due to it being psychologically satisfying. The harder, but even more satisfying thing to do is learn, adapt and accept the reality of things.
Posted on 2007-12-27 19:25:49 by SpooK
> There isn't really any legitimate reason for utilizing such techniques (especially since LKMs are available).

There is. I wanted to learn how malware works so that I can write software that works against it.

> If you want to know how to guard against such exploits, I suggest you read phrack and zines like that, perhaps hop over to some RCE forums as well...

Yes. Already did that, but thought that it is always good to post it here; maybe I can get some good info.

> and Vista requires driver signing which costs money, and again limits what you can do (Microsoft won't sign just anything)

Does this mean that all the info related to getting ring0 using drivers WILL NOT WORK on Vista?

Since many legitimate applications, like antivirus applications and system tweaking tools (like System Mechanic), etc., work on the same principles, how would they work?
Posted on 2007-12-30 06:19:54 by shakuni

> > There isn't really any legitimate reason for utilizing such techniques (especially since LKMs are available).
>
> There is. I wanted to learn how malware works so that I can write software that works against it.

We've heard that one before, and it always tends to sound pretty hollow. I'm sorry if your intentions are good, but it's the same standard reply used by the malware writers (those of them who aren't clever enough to research the things on their own), and it's hard to tell intentions across the internet.


> > and Vista requires driver signing which costs money, and again limits what you can do (Microsoft won't sign just anything)
>
> Does this mean that all the info related to getting ring0 using drivers WILL NOT WORK on Vista?
>
> Since many legitimate applications, like antivirus applications and system tweaking tools (like System Mechanic), etc., work on the same principles, how would they work?

It means you need to boot your machine with a special boot.ini flag while doing development, and that you need to get your driver signed by Microsoft before regular users can use the drivers. Obviously Microsoft will not sign "rootkit_stealth0r.sys", "prevent_vista_antiDRM.sys", "fake_OEM_machineid_ACPI.sys" :)

The problem with the steps taken in Vista (and XP64) is two-fold:

1) getting your driver signed costs money, preventing hobby programmers from releasing drivers (and yes, there's actually legitimate hobby driver projects, like custom filesystems).

2) even with a signed driver, PatchGuard limits what you can do. This includes hooking of system calls. And that hooking is necessary if you want to do effective security systems; I already linked to SandBoxIE in this previous post.
Posted on 2007-12-30 06:37:55 by f0dder

> There is. I wanted to learn how malware works so that I can write software that works against it.

Linux Kernel security is usually in the hands of advanced to expert programmers.

Take a look at SELinux, RSBAC and Grsecurity projects for ideas and methods.
Posted on 2007-12-30 11:01:58 by SpooK