Archive for July, 2008

Linux 2.6 Rootkit Detector

Saturday, July 5th, 2008

Here is a Rootkit Detector I wrote for CS 558 at USC in the Fall of 2005. It consists mainly of a Linux loadable kernel module that loops through the scheduler task list as well as all open file descriptors attached to the tasks and writes what it finds to a file. Then a python script compares the kernel data to what is reported by lsof. If it finds discrepancies it reports them and alerts the user of a possible rootkit.
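As an added illustration of the cross-view comparison the detector relies on (this is new example code, not the module or script from the post), the following Python compares a kernel-side snapshot of tasks and their open descriptors against the userland picture from `lsof`. The kernel snapshot format (`PID`/`FD` records) is an assumption chosen for this example, since the original output format is not shown here; the userland side uses the real `lsof -F pcfn` field-per-line format. Both inputs are constructed inline so the check runs offline.

```python
"""Cross-view rootkit check: tasks and fds the kernel knows about versus
what userland (lsof) reports. A process or descriptor present in the kernel
view but missing from lsof is a candidate for something being hidden."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed kernel-module output. The record layout below is an assumption
# made for this example, not the format of the original module:
#   PID <pid> <comm>
#   FD  <pid> <fd> <path>
KERNEL_SNAPSHOT = """\
PID 1 init
FD 1 0 /dev/null
PID 1234 sshd
FD 1234 3 socket:[4711]
PID 4242 hidden_backdoor
FD 4242 0 /dev/pts/2
FD 4242 4 /tmp/.x
PID 5678 bash
FD 5678 0 /dev/pts/0
FD 5678 7 /var/log/auth.log
"""

# Constructed `lsof -F pcfn` output: one field per line, first char is the
# field id (p=pid, c=command, f=fd, n=name). pid 4242 and fd 7 of 5678 are
# deliberately absent to simulate a rootkit hiding them from userland.
LSOF_OUTPUT = """\
p1
cinit
f0
n/dev/null
p1234
csshd
f3
nsocket:[4711]
p5678
cbash
f0
n/dev/pts/0
"""


@dataclass
class Proc:
    comm: str
    fds: dict[int, str] = field(default_factory=dict)  # fd number -> path


def parse_kernel_snapshot(text: str) -> dict[int, Proc]:
    """Parse the assumed PID/FD record format into pid -> Proc."""
    procs: dict[int, Proc] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        tag, rest = line.split(None, 1)
        if tag == "PID":
            pid, comm = rest.split(None, 1)
            procs[int(pid)] = Proc(comm.strip())
        elif tag == "FD":
            pid, fd, path = rest.split(None, 2)
            procs.setdefault(int(pid), Proc("?")).fds[int(fd)] = path.strip()
        else:
            raise ValueError(f"unknown kernel record: {line!r}")
    return procs


def parse_lsof_fields(text: str) -> dict[int, Proc]:
    """Parse `lsof -F pcfn` output. Non-numeric fds (cwd, txt, mem, ...)
    are skipped because the kernel view only covers the fd table."""
    procs: dict[int, Proc] = {}
    cur: Proc | None = None
    cur_fd: int | None = None
    for line in text.splitlines():
        if not line:
            continue
        key, val = line[0], line[1:]
        if key == "p":
            cur = procs.setdefault(int(val), Proc("?"))
            cur_fd = None
        elif key == "c" and cur is not None:
            cur.comm = val
        elif key == "f":
            cur_fd = int(val) if val.isdigit() else None
        elif key == "n" and cur is not None and cur_fd is not None:
            cur.fds[cur_fd] = val
    return procs


def compare_views(kernel: dict[int, Proc], userland: dict[int, Proc]) -> list[str]:
    """Report discrepancies. Kernel-only entries are the interesting ones;
    userland-only entries usually mean a process exited between snapshots."""
    findings: list[str] = []
    for pid, kproc in sorted(kernel.items()):
        uproc = userland.get(pid)
        if uproc is None:
            findings.append(f"hidden process: pid {pid} ({kproc.comm}) "
                            "known to the kernel but not reported by lsof")
            continue
        for fd, path in sorted(kproc.fds.items()):
            if fd not in uproc.fds:
                findings.append(f"hidden fd: pid {pid} ({kproc.comm}) fd {fd} "
                                f"-> {path} not reported by lsof")
            elif uproc.fds[fd] != path:
                findings.append(f"fd mismatch: pid {pid} fd {fd} "
                                f"kernel={path} lsof={uproc.fds[fd]}")
    for pid in sorted(set(userland) - set(kernel)):
        findings.append(f"userland-only process: pid {pid} absent from kernel "
                        "snapshot (likely exited between snapshots)")
    return findings


def run_check() -> list[str]:
    return compare_views(parse_kernel_snapshot(KERNEL_SNAPSHOT),
                         parse_lsof_fields(LSOF_OUTPUT))


if __name__ == "__main__":
    for finding in run_check():
        print(finding)
```

On a live system the userland half would come from running `lsof -F pcfn` as root immediately after the module writes its snapshot; the two views must be taken close together or short-lived processes show up as noise in both directions. The check only catches rootkits that hide from the userland path (hooked `getdents`/`/proc` or trojaned binaries); a kernel rootkit that unlinks a task from the same list the module walks, or that tampers with the module's output file, defeats it, which is why the post's author treats this as a starting point rather than a finished tool.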

It was originally tested by successfully hiding a process with the adore-ng-0.53 rootkit written by Stealth. However, I have not tried this yet on my latest setup.

I’m not sure the detector actually still works, although I got it to build and install on a 2.6.24-19 i386 kernel running on Ubuntu 8.04 today. I had to make a couple of changes to the original code. Namely, I replaced a task_t typedef with the struct task_struct variable since the task_t was removed from the kernel. I also had to add another layer of indirection to get at the file descriptors, since the max_fds and fd members of the struct files_struct were moved to struct fdtable in <linux/file.h>.

I was also able to install it with insmod, however I doubt it still works as it was only built for a uniprocessor system almost 3 years ago, and getting this to build was the first bit of kernel hacking I’ve done since then. I also can’t uninstall it without rebooting anymore, although, I haven’t done that yet and my kernel hasn’t crashed ;)

I still think if updated and expanded it can be a useful tool against both kernel and user level Linux rootkits.

P.S. I know the output format sucks and the python code is a mess, but the goal here was to study rootkits and linux kernel development. If I ever revisit this I will make sure to clean up all that stuff and write a proper parser. But… this is GPLd so feel free to jump in. If there is any interest in it maybe I will setup a google code project and revisit it.

This was the first and only kernel module I’ve ever written and I wrote and tested the whole thing in about a month or so, while reading Robert Love’s Linux Kernel Development and seriously trudging through the kernel source.

Here are some (not so perfect) documents to get you started:

XSFS: The Extensible Steganographic File System.

Saturday, July 5th, 2008

XSFS: The Extensible Steganographic Filesystem is a term paper I wrote in the first semester of my Masters program in CS at USC. I wrote it for CS555: Advanced Operating Systems in Fall 2004. The ideas in XSFS are especially useful when needing to hide large amounts of data on untrusted storage.

It would make an interesting project to clean up the ideas a bit and modernize it for untrusted storage such as Amazon S3. It would also be a really excellent project to implement in Erlang.

Oh, and sorry for the picture. It was originally done in MS Word on the school computers for some unknown reason, and has been shuffled through various versions of OpenOffice for some time. I’m sure I have the original on CD somewhere, but for now you’ll have to take this slightly edited version.

This paper is licensed under a Creative Commons Attribution-No Derivative Works 3.0 United States License.

