
Research Under Linux, Several Kernel-level Rootkits

Posted on: 2008-06-27
Degree: Master
Type: Thesis
Country: China
Candidate: B L Song
Full Text: PDF
GTID: 2208360215950332
Subject: Computer application technology

Abstract/Summary:
With the rapid development of the Internet and the embedded industry, Linux faces ever stronger security requirements, and the security of the Linux kernel in particular has become more important. Kernel-mode rootkits in Linux therefore deserve closer attention from researchers, since they cause greater damage, are harder to detect, and demand more sophisticated techniques than user-mode rootkits.

This dissertation first gives a general overview of rootkits, their main goals, and their evolution. To make the technical details easier to follow, several Linux kernel mechanisms are discussed together with their data structures, design principles, and implementations: LKMs (Loadable Kernel Modules), the ELF (Executable and Linkable Format) file format, the implementation of interrupts, and the ext2/3 file systems.

The principles, technical details, and implementations of rootkits are the focus of this dissertation. The classic yet simple LKM injection technique is introduced, and its shortcomings are discussed. Building on that, the approach of patching the running kernel directly is introduced, analyzed, and implemented. Because rootkits rely heavily on LKMs, hiding a module from the kernel is very important, so several module-hiding methods are discussed and an improved method for kernel version 2.6 is provided. Module injection, which involves the module's file on disk, is also discussed; this is one of the properties shared by most rootkits, and an applicable method for kernel version 2.6 is again provided. One of the most effective defenses against rootkits is to disable LKM support when compiling the kernel, so the approach for dealing with kernels without LKM support is analyzed in detail, making full use of the virtual file kmem. IDT injection and its evolution in kernel version 2.6 are presented as a deeper-layer enhancement of LKM injection. For completeness, methods for hiding and recovering files in ext2/3 are also covered.

Finally, this dissertation proposes several defensive methods associated with these threats, covers them in detail, and provides the information required to detect them and protect the Linux kernel.
Keywords/Search Tags: Linux, kernel, rootkits, hide, LKM, module injection, injection