LKMs -- Loadable Kernel Modules
Loadable What?
LKMs (Loadable Kernel Modules) are often used as drivers.

As you may know, the Linux kernel is able to load code after it has booted. For this reason, LKMs are often used as drivers. Think of one of the main distributions like Mandrake, SuSE, etc.: they have to be ready to be installed on a lot of different machines and architectures, so the kernel needs some "specific code" for each of them. Take a notebook which has no serial port: does it need to know how to talk to this port if it does not have one? Instead of those modules, it may need a module to talk to its USB devices.

OK, didn't I read something about Rootkits?
Right :). Rootkits are a kind of trojan horse. While some trojan horses give you a way to log on silently to the infected machine after you have been logged out, others are able to hide themselves. Rootkits are a combination of all those "features". It is fairly easy to hide processes, network connections and modules.

Nuke?
Although the idea of rootkits may sound somewhat invincible to you, it is also fairly easy to detect them, because they all use the same idea, which I will clarify with a little image:


Picture 1: Without interference, a client application requests a listing of the contents of a directory (pseudo code).

Picture 2: Once we overwrite the function "list_directory", we can filter its results as we wish.

Now one could say that every function could easily be overwritten. That is not the case. It is easy to overwrite the function that returns the contents of a directory, but it is not possible to easily overwrite the function which is called by the system call responsible for changing directories.
This means that it is fairly easy to detect a rootkit (even one working at the level of the kernel) with a little script. The script reads all PIDs from ps aux, for example, and tries to execute cd /proc/<PID> for each candidate PID. If there is a single PID which is not shown by ps aux but into which one can chdir, a trojan is installed. The trojan is either an infected binary or (of course) a kernel module.
In both cases there are many ways of detecting trojan horses. Check out http://www.chkrootkit.org/ for more information about detecting rootkits, worms and trojan horses.
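The check described above, written out as an added example (this is not code from the original page or from the author's sources): it compares the PIDs that ps reports with those for which chdir("/proc/<PID>") succeeds. It assumes a Linux /proc filesystem, uses `ps -e -o pid=` instead of `ps aux` so that the output is just a column of PIDs, and the function names (visible_pids, find_hidden_pids, scan, demo_hidden_self) are my own.

```python
import os
import subprocess

# Added example, not from the original page: the hidden-process check the
# text describes. Compares the PIDs that `ps` reports (a view a rootkit can
# filter) with the PIDs for which chdir("/proc/<PID>") succeeds.
# Assumes a Linux /proc filesystem.


def visible_pids():
    """PIDs as reported by `ps`, i.e. the userland view a rootkit can filter.

    Falls back to listing /proc directly when `ps` is not installed; that
    listing goes through the same readdir path ps itself uses.
    """
    try:
        out = subprocess.run(["ps", "-e", "-o", "pid="],
                             capture_output=True, text=True, check=True).stdout
        return {int(tok) for tok in out.split()}
    except (OSError, subprocess.CalledProcessError):
        return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_max():
    """Upper bound of the PID space, so a scan covers every PID the kernel
    could have handed out."""
    with open("/proc/sys/kernel/pid_max") as f:
        return int(f.read())


def find_hidden_pids(candidates, visible):
    """Return the candidate PIDs that chdir("/proc/<pid>") accepts although
    they are missing from `visible`.

    chdir is used on purpose: the page's point is that a rootkit can easily
    filter directory listings (readdir) but not the chdir path.
    """
    hidden = []
    saved_cwd = os.open(".", os.O_RDONLY)  # remember our cwd to restore it
    try:
        for pid in candidates:
            if pid in visible:
                continue
            try:
                os.chdir("/proc/%d" % pid)
            except OSError:
                continue        # no such process: the normal case
            hidden.append(pid)  # reachable via chdir, yet not listed
    finally:
        os.fchdir(saved_cwd)
        os.close(saved_cwd)
    return hidden


def scan():
    """Full scan: every possible PID versus what ps shows.

    Hits are probed a second time against a fresh ps listing, so processes
    that started or exited between the listing and the probe are dropped
    instead of being reported as hidden.
    """
    hits = find_hidden_pids(range(1, pid_max()), visible_pids())
    return find_hidden_pids(hits, visible_pids())


def demo_hidden_self():
    """Self-test: pretend a rootkit filtered our own PID out of the ps output
    by removing it from the visible set; the chdir probe must still find it."""
    me = os.getpid()
    return find_hidden_pids([me], visible_pids() - {me})


if __name__ == "__main__":
    hidden = scan()
    print("hidden PIDs:", hidden if hidden else "none")
```

Run it as a normal user; chdir into /proc/<PID> needs no special privileges unless /proc is mounted with hidepid, in which case ps is restricted in the same way and the comparison stays consistent. A full scan walks the whole PID space (up to pid_max), which takes a few seconds but cannot be filtered by a module that only hooks directory listings. Tools such as chkrootkit, linked above, automate checks of this kind.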

Let's get back to the main subject: how does one design such kernel modules, and what can one do with them?
Check out the Downloads section for heavily commented sources of kernel modules which realize different aspects of rootkit programming. One can also find a little lecture which I wrote for the mrmcd 04 (CCC (Chaos Computer Club) stuff). It is available in German. Apart from that, I have written an English translation. Check it out :)

Please note that all of this is based on Stealth's rootkit called adore, which I have enhanced. You can find more of Stealth's work and more about adore at http://packetstorm.linuxsecurity.com/groups/teso/.




Download
Documentation/lecture [pdf, de]

Documentation/lecture [pdf, en]

Sources [tgz][de/en]

Sources [zip][de/en]



Fabian Werner, 2005
fw (at) happy-werner (dot) de