Playing with KRF - a Kernelspace Randomized Faulter
KRF - a Kernelspace Randomized Faulter is a tool that rewrites the Linux / FreeBSD system call table. It consists of krfx kernel module, the krfctl userspace tool, some binary examples, and krfmesg that allows for logging a faulting status. When configured via krfctl, KRF replaces faultable syscalls with thin wrappers where we could inject our malicious code. Each wrapper then performs a check to see whether the call should be faulted using a configurable targeting system capable of targeting a specific personality(2), PID, UID, and/or GID. If the process shouldn't be faulted, the original syscall is invoked. In the end, the targeted call is faulted via a random failure function. For example, a getcwd() call might receive one of ERANGE, ENAMETOOLONG, EACCES, ENOMEM, EFAULT, ENOENT, and so on. Let's see how we could run this nice persistence technique against Linux boxes.