Shulou(Shulou.com)06/01 Report--

This article mainly explains "the method of hiding files under the Linux operating system". The content of the article is simple and clear, and it is easy to learn and understand. Please follow the editor's train of thought to study and learn "the method of hiding files under the Linux operating system".

one。 Overview

At present, the general method of hiding files is still hooksys_getdents64 system call, the general process is to call the original sys_getdents64 system call first, and then filter in buf. Modify sys_call_table is a relatively primitive rk technology, encounter a better administrator, basically gdb vmlinux can be detected. If you want to be more covert, you have to look for new technologies. Inline hook is also a popular practice at present, which is not easy to detect. This paper explains a method to hide files by using a function in the inline hook kernel.

two。 Analyze sys_getdnts64 system call

If you want to hide the file, you should start with the sys_dents64 system call. To see how it is implemented in the kernel.

The code is in linux-2.6.26/fs/readdir.c:

Asmlinkage long sys_getdents64 (unsigned int fd, struct linux_dirent64 _ user * dirent, unsigned int count) {struct file * file; struct linux_dirent64 _ user * lastdirent; struct getdents_callback64 buf; int error; error =-EFAULT; if (! access_ok (VERIFY_WRITE, dirent, count)) goto out; error =-EBADF; file = fget (fd); if (! file) goto out; buf.current_dir = dirent Buf.previous = NULL; buf.count = count; buf.error = 0; error = vfs_readdir (file, filldir64, & buf); if (error

D_off) d_off = file- > d_off; error =-EFAULT; if (_ _ put_user (d_off, & lastdirent- > d_off)) goto out_putf; error = count-buf.count;} out_putf: fput (file); out: return error;}

First, call access_ok to verify whether the dirent address in the user space is out of bounds and writable. Then according to fd, use fget to find the corresponding file structure. Then there is an operation that populates the buf data structure, regardless of what it does, and then move on.

Vfs_readdir (file, filldir64, & buf)

The function finally calls the vfs_readdir of the vfs layer to get the list of files. To this point, can we use hookvfs_readdir to achieve the effect of hiding files? Keep tracking vfs_readdir to see if this idea works.

The source code is in the same file:

Int vfs_readdir (struct file * file, filldir_t filler, void * buf) {struct inode * inode = file- > fancipath.dentry-> diciinode; int res =-ENOTDIR; if (! file- > f_op | |! file- > flip opp-> readdir) goto out; res = security_file_permission (file, MAY_READ); if (res) goto out; res = mutex_lock_killable (& inode- > i_mutex); if (res) goto out Res =-ENOENT; if (! IS_DEADDIR (inode)) {res = file- > flip-op-> readdir (file, buf, filler); file_accessed (file);} mutex_unlock (& inode- > i_mutex); out: return res;} EXPORT_SYMBOL (vfs_readdir)

It has three parameters, * is the file structure pointer obtained through fget, and the second is known by combining the context that this is a callback function used to fill the user space pointer at the beginning of the third argument. Let's take a look at exactly how it works.

After security_file_permission () verification, the inode structure is locked with mutex_lock_killable (). Then call ile- > falloop-> readdir (file, buf, filler); populate the buf with further underlying functions. This buf is the starting address of the user space strcut dirent64 structure.

So here we can conclude that we can filter buf through the hook vfs_readdir function or can complete the function of hiding files. And the address of vfs_readdir is exported, so you don't have to find its address in a complicated way.

But is there any way to go further? I mentioned earlier that there is a filldir64 function that populates the buf structure. Maybe use hook to do a more covert method of hiding files. Keep tracking filldir64 to see how it works.

Static int filldir64 (void * _ buf, const char * name, int namlen, loff_t offset, U64 ino, unsigned int d_type) {struct linux_dirent64 _ user * dirent; struct getdents_callback64 * buf = (struct getdents_callback64 *) _ buf; int reclen = ALIGN (NAME_OFFSET (dirent) + namlen + 1, sizeof (U64)); buf- > error =-EINVAL; if (reclen > buf- > count) return-EINVAL; dirent = buf- > previous If (dirent) {if (_ put_user (offset, & dirent- > d_off)) goto efault;} dirent = buf- > current_dir; if (_ _ put_user (ino, & dirent- > d_ino) goto efault; if (_ _ put_user (0, & dirent- > d_off)) goto efault; if (_ _ put_user (reclen, & dirent- > d_reclen)) goto efault If (_ put_user (d_type, & dirent- > d_type)) goto efault; if (copy_to_user (dirent- > d_name, name, namlen)) goto efault; if (_ put_user (0, dirent- > d_name + namlen)) goto efault; buf- > previous = dirent; dirent = (void _ user *) dirent + reclen; buf- > current_dir = dirent; buf- > count-= reclen; return 0 Efault: buf- > error =-EFAULT; return-EFAULT;}

First convert the parameter buf to the structure pointer of struct getdents_callback64.

Struct getdents_callback64 {struct linux_dirent64 _ _ user * current_dir; struct linux_dirent64 _ _ user * previous; int count; int error;}

Current_dir always points to the current struct dirent64 structure, and filldir64 populates only one dirent64 structure at a time.

It is called by the file- > fallow-> readdir loop. You can see from the code that the relevant items of the dirent64 structure are copied to the dirent64 structure in user space, and then the corresponding pointer is updated.

So by analyzing the filldir64 code, we can determine whether the parameter name is the file we want to hide. If so, return 0 will be fine.

three。 Expansion

By analyzing the implementation of sys_getdents64 code, we can understand that it is very simple and convenient to complete the function of rootkit through the method of hook kernel function. The key point is that you can understand its implementation logic. For the linux platform, reading the kernel source code is fundamental to the development of rootkit. How to hook? The simplest thing is to modify the first few bytes of the function, jmp to our new function, in the new function to complete the function similar to the function. There is no need to jump back to the original function at all, with the kernel source code in hand, how to implement the original function, we will copy it again. The linux implementation of rk also has a very convenient point, that is, its kernel source code is open, read the source code carefully, you will have more gains.

Thank you for reading, the above is the content of "the method of hiding files under the Linux operating system". After the study of this article, I believe you have a deeper understanding of the method of hiding files under the Linux operating system, and the specific use needs to be verified in practice. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.