-
Notifications
You must be signed in to change notification settings - Fork 13
/
Copy pathTODO.txt
48 lines (42 loc) · 3 KB
/
TODO.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
About the interface to talk to yarr from userspace:
[X] Find sys_call_table.
[X] Add a new interrupt descriptor.
[X] Add a new syscall.
[ ] Implement a fake system_call to hook the real system_call() at IRQ 0x80.
[ ] The function do_yarrIntrDesc() must be rewritten, check commentaries.
About functionality:
[ ] Make possible ask yarr for hide a process.
[ ] Make possible ask yarr for log every keystroke (keylogger).
[ ] Make possible ask yarr for hide a port/connection.
[ ] Make possible ask yarr for hide a file (this also includes devices of course, but network interfaces should be threated with care since they aren't files).
[ ] Implement module configuration through a file (using flex and bison :).
[ ] Make possible ask yarr for hide users and user connections.
[ ] Make yarr loadable even in kernels with no support for modules.
[X] Make possible ask yarr to give root privileges to a task.
About invisibility:
[X] Make module invisible to lsmod (remove it from the modules list of the kernel).
[ ] Don't let the kernel export any symbol (variables, functions, whatever), if so yarr can be detected by looking at /proc/kallsyms.
[ ] Create a fake_sys_call_table and don't substitute functions on each sys_call_table entry but change the call sys_call_table(,eax,4)
on instruction for call new_sys_call_table(,eax,4), so there is no inconsistency on sys_call_table, but on syscall_call.
[ ] Create a technique to don't let anyone see the value of syscall_call, if they try then fail or return what you want to show.
[ ] For this last technique it should be implemented a method to tell yarr not to show what is in address until +offset, but remember it
and show what i remember.
About stability:
[ ] Make module unloadable even if it not inside kernel's modules list.
[ ] Read about request_irq() and try to understand how Linux puts a handler for an interrupt.
[X] Release interrupt descriptor when exiting.
[X] Release system call when exiting.
[ ] When taking an IRQ search for a free one, and tell the kernel that it is taken.
[ ] When yarr is loaded and then unloaded, if you execute a test program the kernel will crash :).
About testing:
[ ] Develop the tests (PoC).
[ ] Check that we aren't exporting symbols.
[X] Make the interrupt descriptor work. Take a look to interrupt descriptors implemented by the kernel, try to implement the prologs and epilogs.
[X] Test yarr compilation under 3.x.x kernel series.
About portability:
[ ] Yarr is a x86 32 bits architecture rootkit, it would be awesome to make it more portable, but this is quite hard and needs planification and reestructuration of the folders (make it like Linux, hardware-dependant code under arch/<architecture>/).
[ ] Make yarr as kernel-independant as possible, right now it is being developed under 2.6.32.x kernel series.
Other stuff:
[X] Clear those nasty warnings at compile time that claim about not declaring prototypes or stuff like that.
[ ] Understand why if syscall.h is included on other source file there is a compilation error.
[ ] Clean includes that aren't being used.