1. Add LKRG early boot systemd script file. Currently only Systemd init system is supported. There are no technical reasons to not add support for other Init systems. 2. Modify Makefile to support install/unistall option which will deploy/remove systemd boot service. 3. [ED] Add functionality of freezing all user-mode processes during Exploit-Detection initialization.

2019-02-13 03:12:10 +03:00 · 2019-02-13 03:12:10 +03:00 · 96721f15ec
parent c904dfe27a
commit 96721f15ec
5 changed files with 125 additions and 1 deletions
--- a/8
+++ b/8
@ -8,9 +8,10 @@
 export CFLAGS="$CFLAGS"

 P_OUTPUT = output
-P_PWD = $(shell pwd)
+P_PWD ?= $(shell pwd)
 P_KVER ?= $(shell uname -r)
 P_KERNEL := /lib/modules/$(P_KVER)/build
+P_BOOTUP_SCRIPT ?= scripts/bootup/lkrg-bootup.sh

 obj-m += p_lkrg.o
 p_lkrg-objs += src/modules/ksyms/p_resolve_ksym.o \
@ -83,6 +84,11 @@ all:

 install:
 	$(MAKE) -C $(P_KERNEL) M=$(P_PWD) modules_install
+	depmod -a
+	$(P_PWD)/$(P_BOOTUP_SCRIPT) install
+
+uninstall:
+	$(P_PWD)/$(P_BOOTUP_SCRIPT) uninstall

 clean:
 	$(MAKE) -C $(P_KERNEL) M=$(P_PWD) clean
--- a/scripts/bootup/lkrg-bootup.sh
+++ b/scripts/bootup/lkrg-bootup.sh
@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Bootup installation script for LKRG (main branch)
+#
+# Author:
+#  - Adam 'pi3' Zabrocki (http://pi3.com.pl)
+##
+
+P_PWD=`pwd`
+P_LKRG_SYSTEMD="scripts/bootup/systemd/lkrg-systemd.sh"
+
+P_RED='\033[0;31m'
+P_GREEN='\033[0;32m'
+P_WHITE='\033[1;37m'
+P_NC='\033[0m' # No Color
+
+echo -e " ${P_GREEN}[*] ${P_WHITE}Executing LKRG's bootup installation script${P_NC}"
+
+case "`readlink /proc/1/exe`" in
+	/usr/lib/systemd/systemd | \
+	/lib/systemd/systemd)
+		$P_PWD/$P_LKRG_SYSTEMD "$@"
+		;;
+	*)
+		echo "  ${P_RED}[-] Unsupported init system: not systemd?${P_NC}"
+		;;
+esac
--- a/scripts/bootup/systemd/lkrg-systemd.sh
+++ b/scripts/bootup/systemd/lkrg-systemd.sh
@ -0,0 +1,41 @@
+#!/bin/bash
+#
+# Systemd installation script for LKRG (main branch)
+#
+# Author:
+#  - Adam 'pi3' Zabrocki (http://pi3.com.pl)
+##
+
+P_PWD=`pwd`
+P_SYSTEMD_DIR=`systemctl show -p UnitPath | cut -d " " -f5`
+
+P_RED='\033[0;31m'
+P_GREEN='\033[0;32m'
+P_WHITE='\033[1;37m'
+P_YL='\033[1;33m'
+P_NC='\033[0m' # No Color
+
+echo -e "  ${P_GREEN}[+] ${P_WHITE}Systemd detected${P_NC}"
+
+if [ "$1" == "install" ]; then
+    if [ -f $P_SYSTEMD_DIR/lkrg.service ]; then
+	echo -e "      ${P_RED}ERROR! ${P_YL}lkrg.service${P_RED} file already exists under ${P_YL}$P_SYSTEMD_DIR${P_RED} folder"
+	exit 666
+    else
+	echo -e "       ${P_GREEN}Installing ${P_YL}lkrg.service${P_GREEN} file under ${P_YL}$P_SYSTEMD_DIR${P_GREEN} folder${P_NC}"
+	cp $P_PWD/scripts/bootup/systemd/lkrg.service $P_SYSTEMD_DIR/lkrg.service
+	echo -e "       ${P_GREEN}Enabling ${P_YL}lkrg.service${P_GREEN} on bootup${P_NC}"
+	systemctl enable lkrg.service
+    fi
+elif [ "$1" == "uninstall" ]; then
+    echo -e "       ${P_GREEN}Disabling ${P_YL}lkrg.service${P_GREEN} on bootup${P_NC}"
+    systemctl disable lkrg.service
+    echo -e "       ${P_GREEN}Deleting ${P_YL}lkrg.service${P_GREEN} file from the ${P_YL}$P_SYSTEMD_DIR${P_GREEN} folder${P_NC}"
+    rm $P_SYSTEMD_DIR/lkrg.service
+else
+    echo -e "      ${P_RED}ERROR! Unknown option!${P_NC}"
+    exit 666
+fi
+
+
+echo -e "  ${P_GREEN}[+] ${P_WHITE}Done!${P_NC}"
--- a/scripts/bootup/systemd/lkrg.service
+++ b/scripts/bootup/systemd/lkrg.service
@ -0,0 +1,23 @@
+##
+# Systemd service for LKRG (main branch)
+#
+# Author:
+#  - Adam 'pi3' Zabrocki (http://pi3.com.pl)
+##
+
+[Unit]
+Description=Linux Kernel Runtime Guard
+After=basic.target
+Before=network.target
+
+[Service]
+Type=simple
+ExecStartPre=/sbin/modprobe p_lkrg p_init_log_level=3
+ExecStart=/sbin/sysctl lkrg.clean_message=0
+ExecStop=/sbin/rmmod p_lkrg
+RemainAfterExit=yes
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
+
--- a/src/modules/exploit_detection/p_exploit_detection.c
+++ b/src/modules/exploit_detection/p_exploit_detection.c
@ -37,6 +37,8 @@ struct kmem_cache *p_ed_pcfi_cache = NULL;
 #define p_ed_pcfi_free(name)   kmem_cache_free(p_ed_pcfi_cache, (void *)(name))

 int (*p_is_kernel_text_address)(unsigned long p_addr) = 0x0;
+int (*p_freeze_processes)(void) = 0x0;
+void (*p_thaw_processes)(void) = 0x0;

 struct p_umh_whitelist p_umh_global[] = {

@ -1091,6 +1093,24 @@ int p_exploit_detection_init(void) {
      goto p_exploit_detection_init_out;
   }

+   p_freeze_processes = (int (*)(void))p_kallsyms_lookup_name("freeze_processes");
+
+   if (!p_freeze_processes) {
+      p_print_log(P_LKRG_ERR,
+             "[ED] ERROR: Can't find 'freeze_processes' function :( Exiting...\n");
+      p_ret = P_LKRG_GENERAL_ERROR;
+      goto p_exploit_detection_init_out;
+   }
+
+   p_thaw_processes = (void (*)(void))p_kallsyms_lookup_name("thaw_processes");
+
+   if (!p_thaw_processes) {
+      p_print_log(P_LKRG_ERR,
+             "[ED] ERROR: Can't find 'thaw_processes' function :( Exiting...\n");
+      p_ret = P_LKRG_GENERAL_ERROR;
+      goto p_exploit_detection_init_out;
+   }
+
 #ifdef CONFIG_SECURITY_SELINUX
   p_selinux_enabled    = (int *)p_kallsyms_lookup_name("selinux_enabled");
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
@ -1130,6 +1150,10 @@ int p_exploit_detection_init(void) {
      goto p_exploit_detection_init_out;
   }

+   // Freeze all non-kernel processes
+   while (p_freeze_processes())
+      schedule();
+
   // Dump processes and threads
   p_iterate_processes(p_dump_task_f);

@ -1494,6 +1518,9 @@ p_exploit_detection_init_err:

 p_exploit_detection_init_out:

+   // Thaw all non-kernel processes
+   p_thaw_processes();
+
 // STRONG_DEBUG
   p_debug_log(P_LKRG_STRONG_DBG,
          "Leaving function <p_exploit_detection_init> (p_ret => %d)\n",p_ret);