monks icon indicating copy to clipboard operation
monks copied to clipboard

Published 20 hours ago verified publisher icon alexandernst

Check if syscall table is faked

Open alexandernst opened this issue 11 years ago • 15 comments

Procmon should check if the syscall table is already patched by something else (or even by a remaining stub from procmon itself, as of #31). If the syscall table is patched, procmon should do nothing.

alexandernst avatar Dec 05 '13 11:12 alexandernst

Scratch last phrase. Procmon should be able to determine if the syscall table is already patched, and if it is, it should be possible to guess if it's patched by procmon's stubs. If so, it should be possible to get the real syscall address and re-patch.

alexandernst avatar Dec 24 '13 10:12 alexandernst

Also scratch that last thing! It should be possible to do so, BUT, if user really wants to re-patch the syscalls (meaning patch the stubs with another stubs) tell him clearly why that it's not a good idea. Anyways, give him the option to do so... We won't fight against brave people! :smiley:

alexandernst avatar Dec 25 '13 23:12 alexandernst

@alexandernst Alexander, what do you think about the option of restore original system call table using the vmlinux (or packed vmlinuz) images? Procmon may be used as a simple "anti-rootkit" solution in that case :)

milabs avatar Dec 25 '13 23:12 milabs

@milabs Oh, that's an interesting point! You mean something like scan (with udis? :stuck_out_tongue_closed_eyes: ) a vmlinux binary, check where syscalls should be and then check the current syscall table, right?

alexandernst avatar Dec 25 '13 23:12 alexandernst

@alexandernst Yes!

milabs avatar Dec 26 '13 04:12 milabs

@milabs Procmon (Monks!) could expose the address of each syscall the same way it exposes the state of each syscall (via sysctl). That way we could do the checking part in the viewer rather than the kernel module. What do you think?

alexandernst avatar Dec 26 '13 08:12 alexandernst

@alexandernst How do you intend to scan kernel's memory from the viewer?

milabs avatar Dec 26 '13 08:12 milabs

@milabs No need.

1. Load the kernel.
2. Create entries for each syscall (currently we do that already) in ```procmon.syscalls.__NR_read.realsc_addr```
3. Start the viewer and check those values from ```sysctl``` while reading a binary vmlinux image.

I think it could work.

alexandernst avatar Dec 26 '13 08:12 alexandernst

@alexandernst OK, I've got it. Do you think that sysctl is a good information exporting interface?

milabs avatar Dec 26 '13 08:12 milabs

@milabs Maybe not the best one. sysctl is the first thing I thought, but it could be replaced with anything :) The main idea is to keep as little logic as possible in the kernel module. The kernel module itself should just expose information and swap real with fake syscalls.

alexandernst avatar Dec 26 '13 08:12 alexandernst

@alexandernst I think proc interface is a good choice for that purporse. Sysctl not the best one as I see it.

milabs avatar Dec 26 '13 08:12 milabs

In the end they both are quite the same. They place some files inside /proc, just that they place them in different locations. Ok, I'll open an issue for this

alexandernst avatar Dec 26 '13 09:12 alexandernst

@alexandernst procfs allows to read one file to get meny things (list of broken syscalls, for ex.) I don't think that sysctl does it as well as proc besides of the same back interface :)

milabs avatar Dec 26 '13 09:12 milabs

@milabs Ah, indeed! Good point :) If no other alternative shows up, procfs will it be

alexandernst avatar Dec 26 '13 09:12 alexandernst

@alexandernst procfs is the simplier one :)

milabs avatar Dec 26 '13 09:12 milabs