Detect Kernel Rootkits hooking syscalls
Kernel Rootkits such as Diamorphine hook various syscall functions so they can either:
- Hide files and processes from usermode applications, by altering the data returned from the Kernel
- Facilitate a covert channel from usermode-kernel to trigger actions such as priliege escallation
This project attempts to detect this syscall hooking using eBPF, and it's ability to get kernel stack traces.
HookDetect
monitors the following syscalls:
- kill
- Used to send signals to other processes
- getdents and getdents64
- Used to list files and folders
HookDetect
will check every use of these syscalls to check two things:
- How many stack frames are there between the initial kernel entrypoint and the actual syscall function
- This detects when a hook interposes on the function to alter it's return data
- After the kernel detected the processes making a syscall, was the read function actually called?
- This detect for the covert-channel uses where the real syscall is not actually run
For more details, see this blog: Detecting kernel hooking using eBPF
This code has been tested on:
- Ubuntu 21.04, Kernel 5.11.0-17
- RHEL 7.6, Kernel 3.10.0-957
To use pre-build binaries, grab them from the Releases page.
To build from source, do the following:
As this code makes use of CO-RE, it requires a recent version of Linux that has BTF Type information.
See these notes in the libbpf README
for more information. For example Ubuntu requries Ubuntu 20.10
+.
To build it requires these dependecies:
- zlib
- libelf
- libbfd
- clang 11
- make
On Ubuntu these can be installed by
sudo apt install build-essential clang-11 libelf-dev zlib1g-dev libbfd-dev libcap-dev libfd-dev
To Build from source, recusivly clone the respository the run make
in the src
directory to build:
git clone --recursive https://github.com/pathtofile/bpf-hookdetect.git
cd bpf-hookdetect/src
make
The binaries will built into bpf-hookdetect/src/bin
.
To run, run the hookdetect
binary as root. If the program detects a function was hooked, it will print the syscall name,
along with the process and PID:
$> sudo ./bpf-hookdetect/src/bin/hookdetect
sys_getdents64 is hooked for PID 2584743 (ls) - Real function called but data possibly altered
sys_kill is hooked for PID 2584087 (bash) - Real function not called
To print out the stack traces from each syscall logged, run hookdetect with --verbose
:
$> sudo ./bpf-hookdetect/src/bin/hookdetect --verbose
sys_kill:
0xffffffff886b88e1 -> __x64_sys_kill
0xffffffff89234d38 -> do_syscall_64
0xffffffff8940008c -> entry_SYSCALL_64_after_hwframe
sys_kill is hooked for PID 2584087 (bash) - Real function called but data possibly altered
To test, download, make, and install the Diamorphine rootkit.
Once rootkit is installed, start hookdetect
and run:
# Sending signal 63 is intercepted by Diamorphine, and real syscall function is not called
kill -63 0
# But when sending other signals the real function is called
kill -s 23 $$
The project's skeleton is adapted from libbpf-bootstrap
The code to convert stack addresses to function names is taken from the BCC Project