using FSM to recover struct fields offsets
In a previous post I described a declarative way to find non-exported data and functions using an FSM. But often you also need to know the offsets of some fields in structures - they can change in different...
fsm rules for rpcrt4!GlobalRpcServer
I already described how you can extract the address of GlobalRpcServer and the offsets of some RPC_SERVER_T fields. Let's do it for arm64 in a declarative manner using FSM. Start again with...
poorgcc: IDA Pro plugin to fix poor gcc code on arm64
Let's see what gcc generates for arm64 - for example gcc 7.5 and the linux kernel. Function do_sysinstr:
    ADRP X0, #__func__.48604@PAGE ; "arm64_show_signal"
    ADD X0, X0, ...
ecdsa in driver
Let's assume that we have a buggy and dangerous driver (which "rely on many unexported functions and select them via pattern scans which are regularly revalidated against windows insider builds", he-he)....
codewars heisenbug
I got the following crash when I tried to solve some trivial task:
    UndefinedBehaviorSanitizer:DEADLYSIGNAL
    ==1==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000020 (pc 0x0000004271a4 bp...
dumper of linux kernel notification chains
There seems to be one little-known thing in the linux kernel - notification chains. So they have a literal analogue of PsSetLoadImageNotifyRoutine - the function register_module_notifier. And similarly they...
function pointers in linux kernel data sections
I wrote a simple program to estimate the size of the problem. Yes, I know about CFI, but it seems that even on kernel 5.11 on a fresh Ubuntu this mechanism is not implemented and indirect calls look like: mov...
arm64 disasm for linux kernel
Today I added a disassembler for the arm64 linux kernel to search for pointers. It turned out to be surprisingly difficult to do for several reasons (the disasm for x64 is only 383 LOC vs 618 for arm64). One of them...
linux kernel tracing
It's hard to believe, but the linux kernel has an almost exact copy of windows ETW - event tracing. It is just as difficult to make it work; it is poorly documented, very complex and fragile. And yes, as you...
linux-kernel per-cpu vars
It's hard to believe, but linux has a degraded version of the KPCR on windows - the so called "per-cpu variables". This is some isolated memory assigned to a CPU (its base is stored in the gs segment register on x64 and in the MSR...
linux kernel kprobes
Without a doubt the most crazy and insane spying mechanism in the linux kernel is kprobes. It's expensive - each time an int3 occurs the typical call stack looks...
linux kernel uprobes
Let's consider another spying mechanism in the linux kernel - uprobes. They also insert int3, but this time in user mode, and can be used for example to steal TLS traffic. I made simple code to set up a uprobe...
filesystem notifications in linux kernel
disclaimer
Filesystems are the most complex part of any OS. I am not a specialist in linux filesystems and don't even commit code to the linux kernel. So all information here cannot be considered...
PoC to hide kprobes list
As you may know, the list of kprobes is mapped under /sys in the file /sys/kernel/debug/kprobes/list. And now that I have working filesystem notifications it would be extremely tempting to try to make hiding...
what linux is hiding
disclaimer
There is no doubt that the list below is incomplete, inaccurate etc - it's just what a very average programmer can find during two months of browsing the linux source code
observability criteria
what...
security hooks in linux kernel
This mechanism was inspired by the NSA. As described, all hooks are stored in the huge struct security_hooks_list, but its format is different in each version. We can determine which list belongs to which hook with...
BPF iterators
Sure, I could not get past the hype topic of BPF (an overvalued mechanism that lets you just run your buggy code in the kernel with low performance and lots of overhead). For access to some kernel data they added...
blinding sysmon for linux
Let's see which tracepoints it is using:
    sudo ./lkmem -d -c -t ~/krnl/curr ~/krnl/System.map-5.11.0-37-generic
    __tracepoint_sched_process_exit at 0xffffffffa47140c0: enabled 1 cnt 1 [0]...
slides from our talk at Black Hat EU 2021
link
and some afterword
All presented attacks were caused by misuse of the Windows logging mechanism for ETW-based EDRs. And I see a bad sign when the same thing happens with eBPF on Linux. So who knows - maybe my...
eBPF on cgroups
Long story short - they are stored in the array effective and in the list progs in cgroup->bpf.
Below I will try to explain the boring and dirty details
cgroups
This article says:
hierarchy: a set of cgroups...