Kernel Mode Hooking

Posted: Thu Sep 23, 2010 6:53 pm
by oblique
In this article I will show you the basic technique that rootkits use, which we can use to hook system calls in kernel mode. I will deal only with Linux 2.6 x86-32 and Linux 2.6 x86-64. In the end we are going to hook the setuid system call, which, when it takes a "magic" uid as an argument, will give root to the process.
The article is available in Greek and English and the sections are listed below:

    0x01] Introduction
    0x02] Kernel mode hooking basic theory
    0x03] LKM - hello kernel
    0x04] Interrupt Descriptor Table (IDT)
    0x05] Get sys_call_table - Linux x86-32
    0x06] Model-Specific Registers (MSRs)
    0x07] Get sys_call_table - Linux x86-64
    0x08] Get ia32_sys_call_table - Linux x86-64
    0x09] Map to a writable memory
    0x0A] Hook a system call
    0x0B] Other ideas/methods
    0x0C] Greets
    0x0D] References


You can download the article with the source code from here.

Enjoy ;)