archival-0x/hijack

PoC of system call hijacking using loadable kernel modules (LKMs)
hijack

PoC of System call hijacking using loadable kernel modules

intro

This is an example of hijacking the open() system call with a loadable kernel module. By overriding open() inside kernel space, the module can manipulate execution for every process on the system, which is what makes this a rootkit.

usage

The replacement routine for open(), new_open() in hack_open.c, is generic. As written it only prints the arguments passed to open(), but it could be modified for far more malicious purposes.

1. Set address of system call table

$ sudo grep sys_call_table /boot/System.map-$(uname -r)

Store the address printed by that command in the unsigned long *sys_call_table variable in hack_open.c, as a hexadecimal value cast to unsigned long.

2. Compile and install the module

make all
# Install kernel module
sudo insmod hack_open.ko
# Remove kernel module (also needs root)
sudo rmmod hack_open

3. Run the test case

make example
./example
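The procedure above works by pointing one sys_call_table slot at the module's new_open() instead of the kernel's handler. As an added, defender-side example (not code from this repository), the following Python script shows the check a rootkit scanner or memory-forensics tool applies against exactly that: it parses a kallsyms-style symbol table and a dump of the table slots, both constructed sample data here, and flags any slot whose target is not the expected handler or lies outside core kernel text. The address ranges and symbol addresses are assumptions; on a real system the slot dump has to come from kernel-side instrumentation, because sys_call_table is not readable from user space.

```python
"""
Defender-side check for a hijacked system call table entry.

A syscall-hijacking LKM of the kind this repository demonstrates overwrites a
slot of sys_call_table so it points at the module's own function instead of
the kernel's handler. The classic detection is to compare each slot's target
with the address the kernel symbol table gives for that handler, and to flag
any target that lies outside core kernel text (for example in the region
where modules are mapped).

Added example, not code from the hijack repository. All addresses and symbol
lines below are CONSTRUCTED sample data; the kernel text range is an assumed
placeholder in the usual x86-64 layout.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed (constructed) core kernel text range.
KERNEL_TEXT_START = 0xFFFFFFFF81000000
KERNEL_TEXT_END = 0xFFFFFFFF82000000

# Constructed symbol table in /proc/kallsyms format: "address type name [module]".
# Core kernel symbols carry no module suffix; the last line is the LKM's hook.
SAMPLE_KALLSYMS = """\
ffffffff81000000 T _stext
ffffffff811a2d10 T sys_read
ffffffff811a2e40 T sys_write
ffffffff811b0560 T sys_open
ffffffff811b0a90 T sys_close
ffffffff81a001e0 R sys_call_table
ffffffff82000000 T _etext
ffffffffa0012000 t new_open	[hack_open]
"""

# Constructed dump of the first four sys_call_table slots after the hijack.
# Slot 2 (open on x86-64) has been redirected into module address space.
SAMPLE_TABLE: Dict[int, int] = {
    0: 0xFFFFFFFF811A2D10,  # read
    1: 0xFFFFFFFF811A2E40,  # write
    2: 0xFFFFFFFFA0012000,  # open  <- no longer sys_open
    3: 0xFFFFFFFF811B0A90,  # close
}

# Handler symbol each slot is expected to hold (subset of x86-64 numbering).
EXPECTED_HANDLER = {0: "sys_read", 1: "sys_write", 2: "sys_open", 3: "sys_close"}


def parse_kallsyms(text: str) -> Tuple[Dict[str, int], Dict[int, Tuple[str, Optional[str]]]]:
    """Return (name -> address, address -> (name, owning module or None))."""
    by_name: Dict[str, int] = {}
    by_addr: Dict[int, Tuple[str, Optional[str]]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        addr = int(parts[0], 16)
        name = parts[2]
        module = parts[3].strip("[]") if len(parts) > 3 else None
        by_name[name] = addr
        by_addr[addr] = (name, module)
    return by_name, by_addr


@dataclass
class Finding:
    nr: int                # syscall number
    expected: str          # handler symbol the slot should hold
    target: int            # address actually found in the slot
    resolved: str          # symbol the target resolves to, or "<unknown>"
    module: Optional[str]  # owning module of that symbol, if any
    reason: str


def check_syscall_table(table, expected, by_name, by_addr) -> List[Finding]:
    """Flag slots whose target is not the expected handler or not in core kernel text."""
    findings: List[Finding] = []
    for nr, target in sorted(table.items()):
        exp_name = expected.get(nr)
        if exp_name is None:
            continue
        name, module = by_addr.get(target, ("<unknown>", None))
        if not (KERNEL_TEXT_START <= target < KERNEL_TEXT_END):
            reason = "target lies outside core kernel text"
        elif target != by_name.get(exp_name):
            reason = f"target resolves to {name}, expected {exp_name}"
        else:
            continue
        findings.append(Finding(nr, exp_name, target, name, module, reason))
    return findings


if __name__ == "__main__":
    names, addrs = parse_kallsyms(SAMPLE_KALLSYMS)
    for f in check_syscall_table(SAMPLE_TABLE, EXPECTED_HANDLER, names, addrs):
        owner = f" [{f.module}]" if f.module else ""
        print(f"syscall {f.nr}: {f.reason} (slot -> {f.target:#x} = {f.resolved}{owner})")
```

Run against the sample data, the script reports only slot 2, resolving its target to new_open in module hack_open. The range check catches a hook even when the hooking module hides its symbols, which is why scanners apply both tests rather than the symbol comparison alone.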
