Profiling shared libraries on linux
Disclaimer: proposed approach uses dirty hacks & patches and tested on x86_64 only so use it at your own risk. Also no chatGPT or some another Artificial Idiots were used for this researchLets...
View Articlenetfilter hooks
They can be used to run shell when received some magic packet: 123. As usually there is not tool to show installed netfilter hooks so I added dumping them (and at the same time netfilter loggers) to my...
View Articlegcc: placing strings in arbitrary section
As you may know gcc always placing string literals in section .rodata. Let's assume what we want to change this outrageous behavior - for example for shellcode literals used in function init_module...
View Articleyet another linux process injection
As you my know there are two methods1) using LD_PRELOAD, don`t work if you want to inject into already running (and perhaps even many days) process2) ptrace. Has the following inherent...
View Articleasm injection stub
Lets check what this stub should do being injected in some linux process via __malloc_hook/__free_hook (btw this implicitly means than you cannot use this dirty hack for processes linked with musl or...
View Articlelinux input handles
Try convince me that input_register_handle is not best place for installing keylogger, it's even strange that they were embarrassed to connect there their holy cow eBPF. Long story short - there are 3...
View Articlekotest
Linux kernel allows you to have discardable sections in LKM and this creates problem of links between two kind of memory. As you can guess keeping pointer to already unloaded area can be very dangerous...
View Articlekotest fix for mips
kotest refused to count string literals for MIPS kernel modules. Reason was in that gcc does not put sizes/object types of unnamed string literals - it looks in asm files like$LC0: .ascii...
View ArticleClik here to view.
stack frames size in DWARF
As you might suspect, the stack size in the kernel is quite meager so it's very important to know how much of stack occupy your driver. So I conducted inhumane experiments on my own driver lkcd to...
View Articlefunction stack size in GCC
Let's continue our wandering in endless dead endGCC has struct stack_usage and even field su inside struct function. And this last is accessible as global var cfun. So it's should be easy to patch...
View Articleframe sizes in dwarfdump
Add today dumping of stack frame sizes to my dwarfdump (well, where they are exists). Format of .debug_frame section obviously was invented by martian misantrophes so patch is huge and uglySample of...
View ArticleClik here to view.
dumping ebpf kind_ops
Very funny article about (im)possible future of ebpf. Given that right now 8 small BPF scripts with only 7 opcodes occupy 1Mb whole kernel on ebpf will require exabytes of RAM, he-heAnyway there is...
View ArticleClik here to view.
ebpf map as communication channel
Recently I've done small research to repurpose overvalued ebpf into something useful and even achieved some modest results. It seems that at least you can use ebpf maps in your old-school native...
View Articlemoving string literals to discardable sections
As kotest shows we can achieve reduction in the size of non-discardable sections of LKMs (and thus reduce total size of memory occupied by kernel) with moving constants used in functions from...
View ArticleClik here to view.
crowdstrike
since everyone (including"professional C++ programmers") has already written about so I will also write it down (for memory)This was not first time: proofOfficial report is very vague but we can...
View Articlebpf_verifier_ops
Lets dissect some typical ebpf spyware. It sets up uprobes onSSL_read_exSSL_readSSL_write_exSSL_writegotls_write_register gotls_read_registergotls_exit_read_registerand uses bpf functions...
View ArticleClik here to view.
hidden executable pages in linux kernel
Standard method to find rootkits like this (or like this) is cross-scanning PTEs of memory without NX bit, then extract pages belonging to LKMs - thus in set difference we will gather hidden executable...
View Articlehidden executable pages in linux kernel, part 2
In part 1 I've described how memory managed by hardware. Now lets dig into how kernel sees memory. Not surprisingly that we should check the same structures that malicious drivers update while...
View Articlebug in gcc?
It seems that gcc not always put COMPONENT_REF when access fields of structures passed by reference. For example I add today simple static function append_name(aux_type_clutch&clutch, const char...
View ArticleTracking arguments of functions in gcc
I continuing to improve my gcc plugin for collecting cross-references: 1, 2, 3, 4, 5, 6& 7. On this week I decided to see if I can extract source of complex types like records and most prominent...
View Article