############################################################################
##  Data structures, Algorithms, and Programming tricks used in the kernel ##
##                                                                        ##
##  Linux source code for all supported architectures is contained in     ##
##  more than 14,000 C and assembly language files stored in about 1000   ##
##  subdirectories; it consists of roughly 6 million lines of code,       ##
##  which occupy over 230 megabytes of disk space.                        ##
############################################################################

Operating System Concept
+---------------------------------------------------------------------------------
| processes, interprocess communication, semaphores, monitors, message passing,
| scheduling algorithms, input/output, deadlocks, device drivers,
| memory management, paging algorithms, file system design, security,
| and protection mechanisms
+---------------------------------------------------------------------------------

.oO Processor, Memory, Harddisk, Peripheral Oo.

Linux source code directory      /usr/src/linux
slackware config startup         /etc/rc.d/

System Call on Linux
- System Call Number -> asm/unistd.h (sys/syscall.h)
- System Call Table  -> arch/i386/kernel/entry.S

Commands to Manage Kernel Modules

This Command | Does the Following
------------------------------------------------------------------------------------
insmod       | Inserts a module into the kernel
------------------------------------------------------------------------------------
rmmod        | Removes a module from the kernel
------------------------------------------------------------------------------------
depmod       | Determines interdependencies between modules
------------------------------------------------------------------------------------
ksyms        | Displays a list of symbols along with the name of the module that
             | defined the symbol
------------------------------------------------------------------------------------
lsmod        | Lists all currently loaded modules
------------------------------------------------------------------------------------
modinfo      | Displays information about a kernel module
------------------------------------------------------------------------------------
modprobe     | Inserts or removes a module or a set of modules intelligently (for
             | example, if module A requires B, then modprobe automatically
             | loads B when asked to load A)
------------------------------------------------------------------------------------

/etc/rc.d/rc.inet1.conf
# Primary network interface card (eth0)
IPADDR[0]=""
NETMASK[0]=""
USE_DHCP[0]=""          | Yes
DHCP_HOSTNAME[0]=""     | Yes
GATEWAY=""

Kernel source references:
o arch/i386/kernel/entry.S   (file:///usr/src/linux/arch/i386/kernel/entry.S)
o include/asm-i386/unistd.h  (file:///usr/src/linux/include/asm-i386/unistd.h)
o include/linux/sys.h        (file:///usr/src/linux/include/linux/sys.h)

Process at Arch i386
o kernel/fork.c
o kernel/exit.c
o kernel/sched.c
o kernel/timer.c
o kernel/softirq.c
o fs/proc/base.c
o arch/i386/kernel/time.c
o arch/i386/kernel/process.c
o include/linux/sched.h
o include/asm-i386/system.h

Linux Kernel Module (LKM)
Linux Kernel Hooker (LKH)
Linux Kernel Rootkit (LKR)

| Silvio Cesare, "Runtime Kernel Kmem Patching"
| http://reactor-core.org/runtime-kernel-patching.html
--------------------------------------------------------

Kernel Hacking
o Bypassing Integrity Checking Systems
o BACKDOORING BINARY OBJECTS
o Buffer Overflow
  > stack-based buffer overflows
  > adjacent non-terminated string buffers
  > StackGuard
  > The Frame Pointer Overwrite
  > HEAP OVERFLOW
o ELF (Executable and Linking Format) objects manipulation
o File Descriptor Hijacking
o Format string exploitation
o Bootloader (grub, lilo) exploitation
o Inbound memory management exploitation/malloc techniques
o set_head() technique
o Hiding processes/linux scheduler
o Hiding file
o Hiding Network Connection
o Integer Overflows
o Handling Interrupt Descriptor Table
o NULL/userspace dereference vulnerabilities
o The Slab Allocator
o Forcing a kernel path to sleep
o Race condition exploiting
o Hooking library the linux kernel
o Linux Kernel Keylogger/Function hijacking
o The kernel memory
o return-into-lib(c) exploits
o Virtual File System exploitation
o Kernel patching without LKM
o Execution Redirection/control of binary execution
o Hijacking Linux Page Fault Handler Exception Table
o Infecting loadable kernel modules
o ptrace injecting shellcodes
o Redirection of system calls
o Runtime Process Infection
o shift the stack pointer
o Static Kernel Patching
o syscall overflow
o the debugging mechanism/debug registers

~brtv