

Show HN: A simple, highly commented, rootkit which attacks GCC and Python - mrrrgn
https://github.com/mrrrgn/simple-rootkit

======
cplease
This doesn't attack gcc or python, it's just a trivial kernel module that
interposes SYS_read. There's no germline persistence a la trusting trust. e.g.
if I compile gcc, compile the Linux kernel, and compile python all on a system
with this "rootkit" installed, and put the newly built kernel and toolchains
on a new system, that system is clean.

This isn't really anything other than a Hello World kernel module.

~~~
mrrrgn
Hmmm, well, no, it's not a full on "Trusting Trust" attack; though it has a
similar outcome insofar as producing dirty binaries from clean source goes.

The module is simple, with the only tricky part being replacing a system call.
My goal here was to play around with the idea of modifying source code en
route to a compiler/interpreter in a sneaky way. Nothing more sophisticated
than that. :]

------
unwind
Nice!

The name is clearly a nod to the classic "Reflections on Trusting Trust" by
Ken Thompson ([http://cm.bell-labs.com/who/ken/trust.html](http://cm.bell-
labs.com/who/ken/trust.html)).

I feel the presentation in the video would be clearer if it just cat'd the
source files before running/compiling them, to keep the source on-screen.

~~~
mrrrgn
Good advice, I may re-shoot the gif later and do that. Thanks! :)

------
junto
As a side note, how did you generate that gif?

~~~
mrrrgn
I used licecap, it's extremely awesome.
[https://github.com/lepht/licecap](https://github.com/lepht/licecap) :]

------
vezzy-fnord
This module appears to use a simple brute force method for uncovering the
address of the system call table, as opposed to hardcoding from System.map.
There's another more elegant solution that could be of interest to readers:
[http://www.elliotbradbury.com/linux-syscall-hooking-
interrup...](http://www.elliotbradbury.com/linux-syscall-hooking-interrupt-
descriptor-table/)

If you're looking for deeper case studies on Linux rootkits, the Suterusu
rootkit is an interesting PoC: [http://poppopret.org/2013/01/07/suterusu-
rootkit-inline-kern...](http://poppopret.org/2013/01/07/suterusu-rootkit-
inline-kernel-function-hooking-on-x86-and-arm/)

On the other hand, if you're looking for a guide on understanding LKMs from
the ground up and how they can apply to rootkits, I strongly recommend Joseph
Kong's excellent book _Designing BSD Rootkits_. It's FreeBSD-specific and
dates to 2007, but it's not still outdated AFAIR:
[http://www.nostarch.com/rootkits.htm](http://www.nostarch.com/rootkits.htm)

------
Lai0chee
There is a high chance that it will crash your system.

\- Unlocked access to ->comm

\- What if buf is less than 6 bytes or not NULL terminated?

\- Only searching for sys_close() is not enough, it will also find any
function pointer to sys_close() and then return a false syscall table.

Anyway, a nice hack. :-)

~~~
Lai0chee
BTW: Thanks for downvoting this.

~~~
mrrrgn
Not sure who downvoted; but I appreciated the suggestions! Someone submitted a
patch with the changes and I merged it a few hours ago. Thank you! :)

------
m00dy
This is OK for learners. But, it's not even middle grade.

~~~
mrrrgn
I'm only a learner myself. Not a security expert or trying to claim that this
is super 1337. It's just a neat thing to play with.

