Playing with Linux Kernel Runtime Guard (LKRG)
Step-by-step walkthrough of running LKRG protection against the suterusu LKM rootkit on an updated CentOS 7 system.
If you want to learn more about the project, how things work, etc., I strongly suggest subscribing to the project's mailing list:
# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
# uname -a
Linux selinux.lab.vm 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
# yum install kernel-devel
# pwd
/root
# wget https://www.openwall.com/lkrg/lkrg-0.5.tar.gz
# tar -zxvf lkrg-0.5.tar.gz
# cd lkrg-0.5
# make
# modinfo p_lkrg.ko
filename: /root/lkrg-0.5/p_lkrg.ko
license: GPL v2
description: pi3's Linux kernel Runtime Guard
author: Adam 'pi3' Zabrocki (http://pi3.com.pl)
retpoline: Y
rhelversion: 7.5
srcversion: 7437FE150EFCECA96B3EEAF
depends:
vermagic: 3.10.0-862.14.4.el7.x86_64 SMP mod_unload modversions
parm: p_init_log_level:Logging level init value [1 (alive) is default] (uint)
# git clone https://github.com/mncoppola/suterusu.git
# cd suterusu
# make linux-x86_64 KDIR=/usr/src/kernels/3.10.0-862.14.4.el7.x86_64/
# insmod suterusu.ko
# gcc sock.c -o sock
# cp sock /tmp/
# cd /root/lkrg-0.5
# insmod p_lkrg.ko
# dmesg | tail
[ 574.326724] [p_lkrg] Loading LKRG...
[ 574.619429] [p_lkrg] LKRG initialized successfully!
[ 589.720682] [p_lkrg] System is clean!
[ 592.223492] [p_lkrg] Unloading LKRG...
[ 592.366212] [p_lkrg] LKRG unloaded!
[ 687.519851] [p_lkrg] Loading LKRG...
[ 687.857611] [p_lkrg] LKRG initialized successfully!
[ 687.880217] [p_lkrg] System is clean!
# su - cr0
$ id
uid=1000(cr0) gid=1000(cr0) groups=1000(cr0)
$ /tmp/sock
Dropping to root shell
Killed
$ dmesg | tail
[ 787.650853] [p_lkrg] <Exploit Detection> Detected pointer swapping attack!process[1175 | sock] has different 'cred' pointer [0xffff8bf70008f480 vs 0xffff8bf70008f540]
[ 787.659309] [p_lkrg] <Exploit Detection> Detected pointer swapping attack!process[1175 | sock] has different 'real_cred' pointer [0xffff8bf70008f480 vs 0xffff8bf70008f540]
[ 787.663917] [p_lkrg] <Exploit Detection> process[1175 | sock] has different UID! 1000 vs 0
[ 787.675209] [p_lkrg] <Exploit Detection> process[1175 | sock] has different EUID! 1000 vs 0
[ 787.682771] [p_lkrg] <Exploit Detection> process[1175 | sock] has different SUID! 1000 vs 0
[ 787.713394] [p_lkrg] <Exploit Detection> process[1175 | sock] has different FSUID! 1000 vs 0
[ 787.715679] [p_lkrg] <Exploit Detection> process[1175 | sock] has different GID! 1000 vs 0
[ 787.719535] [p_lkrg] <Exploit Detection> process[1175 | sock] has different EGID! 1000 vs 0
[ 787.722859] [p_lkrg] <Exploit Detection> process[1175 | sock] has different SGID! 1000 vs 0
[ 787.725855] [p_lkrg] <Exploit Detection> process[1175 | sock] has different FSGID! 1000 vs 0
[ 787.731415] [p_lkrg] <Exploit Detection> Trying to kill process[sock | 1175]!
[ 788.088163] Pausing function hook 0xffffffffc049da50
[ 788.088188] Resuming function hook 0xffffffffc049da50
[ 788.088204] Pausing function hook 0xffffffffc049da50
[ 788.088214] Resuming function hook 0xffffffffc049da50
[ 793.265987] [p_lkrg] ALERT !!! _STEXT MEMORY BLOCK HASH IS DIFFERENT - it is [0x87e3ac7efa28e336] and should be [0x3895cef460d7b282] !!!
[ 793.276114] [p_lkrg] ALERT !!! SYSTEM HAS BEEN COMPROMISED - DETECTED DIFFERENT 1 CHECKSUMS !!!
Cool!
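To make this kind of output easier to triage, here is an added example (not part of LKRG, suterusu or this walkthrough) that parses the LKRG 0.5 dmesg messages shown above into structured events and summarizes them per process and per kernel memory block. The message formats are taken from the lines above; the ordering of the "X vs Y" values (LKRG's stored value first, the live value second for process fields; live value first, expected second for the hash alert) is an assumption drawn from those same lines, and the sample input is a constructed copy of them.

```python
"""Parse LKRG 0.5 dmesg output into structured alert events.

Added example for this walkthrough; not part of LKRG or suterusu.
Assumes the message formats seen in the dmesg excerpt above.
"""
import re
from dataclasses import dataclass
from pprint import pprint
from typing import Dict, List, Optional

# Constructed sample input: a subset of the dmesg lines printed above.
SAMPLE_DMESG = """\
[ 787.650853] [p_lkrg] <Exploit Detection> Detected pointer swapping attack!process[1175 | sock] has different 'cred' pointer [0xffff8bf70008f480 vs 0xffff8bf70008f540]
[ 787.659309] [p_lkrg] <Exploit Detection> Detected pointer swapping attack!process[1175 | sock] has different 'real_cred' pointer [0xffff8bf70008f480 vs 0xffff8bf70008f540]
[ 787.663917] [p_lkrg] <Exploit Detection> process[1175 | sock] has different UID! 1000 vs 0
[ 787.675209] [p_lkrg] <Exploit Detection> process[1175 | sock] has different EUID! 1000 vs 0
[ 787.731415] [p_lkrg] <Exploit Detection> Trying to kill process[sock | 1175]!
[ 788.088163] Pausing function hook 0xffffffffc049da50
[ 793.265987] [p_lkrg] ALERT !!! _STEXT MEMORY BLOCK HASH IS DIFFERENT - it is [0x87e3ac7efa28e336] and should be [0x3895cef460d7b282] !!!
[ 793.276114] [p_lkrg] ALERT !!! SYSTEM HAS BEEN COMPROMISED - DETECTED DIFFERENT 1 CHECKSUMS !!!
"""


@dataclass
class LkrgEvent:
    ts: float                       # seconds since boot, from the dmesg prefix
    kind: str                       # ptr_swap | id_mismatch | kill | hash_mismatch | compromised
    pid: Optional[int] = None
    comm: Optional[str] = None
    field: Optional[str] = None     # cred/real_cred, UID/EUID/..., or memory block name
    expected: Optional[str] = None  # value LKRG had recorded (assumed ordering, see lead-in)
    observed: Optional[str] = None  # value found live in the kernel


# Only lines carrying the [p_lkrg] tag are LKRG's; others (e.g. "Pausing function hook") are skipped.
_PREFIX = re.compile(r"^\[\s*(\d+\.\d+)\] \[p_lkrg\] (.*)$")
_PTR = re.compile(r"process\[(\d+) \| ([^\]]+)\] has different '(\w+)' pointer \[(0x[0-9a-f]+) vs (0x[0-9a-f]+)\]")
_ID = re.compile(r"process\[(\d+) \| ([^\]]+)\] has different ([A-Z]+)! (\d+) vs (\d+)")
_KILL = re.compile(r"Trying to kill process\[([^|\] ]+) \| (\d+)\]")
_HASH = re.compile(r"ALERT !!! (\w+) MEMORY BLOCK HASH IS DIFFERENT - it is \[(0x[0-9a-f]+)\] and should be \[(0x[0-9a-f]+)\]")
_COMP = re.compile(r"SYSTEM HAS BEEN COMPROMISED - DETECTED DIFFERENT (\d+) CHECKSUMS")


def parse_lkrg(text: str) -> List[LkrgEvent]:
    """Turn raw dmesg text into a list of LkrgEvent, one per recognised LKRG message."""
    events: List[LkrgEvent] = []
    for line in text.splitlines():
        m = _PREFIX.match(line)
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2)
        if (p := _PTR.search(msg)):
            events.append(LkrgEvent(ts, "ptr_swap", int(p[1]), p[2], p[3], p[4], p[5]))
        elif (p := _ID.search(msg)):
            events.append(LkrgEvent(ts, "id_mismatch", int(p[1]), p[2], p[3], p[4], p[5]))
        elif (p := _KILL.search(msg)):
            # Note the reversed "name | pid" order in the kill message.
            events.append(LkrgEvent(ts, "kill", int(p[2]), p[1]))
        elif (p := _HASH.search(msg)):
            events.append(LkrgEvent(ts, "hash_mismatch", field=p[1], observed=p[2], expected=p[3]))
        elif (p := _COMP.search(msg)):
            events.append(LkrgEvent(ts, "compromised", observed=p[1]))
    return events


def summarize(events: List[LkrgEvent]) -> Dict[str, object]:
    """Group per-process findings and kernel-text findings into a triage report."""
    procs: Dict[int, Dict[str, object]] = {}
    integrity: List[str] = []
    compromised = False
    for ev in events:
        if ev.pid is not None:
            rec = procs.setdefault(ev.pid, {"comm": ev.comm, "fields": [], "killed": False})
            if ev.kind == "kill":
                rec["killed"] = True
            else:
                rec["fields"].append(f"{ev.field}: {ev.expected} -> {ev.observed}")
        elif ev.kind == "hash_mismatch":
            integrity.append(f"{ev.field} hash {ev.observed} (expected {ev.expected})")
        elif ev.kind == "compromised":
            compromised = True
    return {"processes": procs, "integrity": integrity, "compromised": compromised}


if __name__ == "__main__":
    # On a live box you would feed it `dmesg` output instead of the constructed sample.
    pprint(summarize(parse_lkrg(SAMPLE_DMESG)))
```

The per-process record makes the two stages of the incident visible at a glance: the credential fields of PID 1175 drift from 1000 to 0 and LKRG kills the process, while the separate `_STEXT` entry records the kernel-text hash mismatch caused by the rootkit's hooks, which is a system-wide finding rather than a property of any one process.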
Links: