2005
Linux Ptrace( ) *
( , 710072)
: Linux Ptrace( ) ;
; , Ptrace( ) Linux
: Linux; Ptrace( ) ; ; ;
: TP311, TP301
: A
Abstract: The process-tracing and control capabilities of ptrace( ) on Linux are discussed in this paper. Further, the security
threat posed by ptrace( ) is analysed by examining the exploitation of vulnerable Linux systems. Finally, the application of ptrace( ) to virus-
hiding technology on Linux is discussed.
Key words: Linux; Ptrace( ) ; Process Tracing; Process Debugging; Virus Hiding
/ ,
Ptrace ( )
, UNIX
: Root
ptrace( ) ptrace( )
, ,
; ptrace( ) , ( at-
ptrace( )
tach) , / ,
, , ,
; (
Root , Root
) ,
,
ptrace( ) , Linux GNU
GDB
, Linux
Ptrace( ) , :
, ,
EUID EGID 0
ptrace( )
, , ptrace( ) ;
, EUID 0 ptrace( )
, ,
ptrace( ) ,
,
,
Ptrace ( )
ptrace( ) ,
, ptrace( ) ,
fork( ) ,
socket( 0, 1, 0) , ,
request_module( ) ,
kernel_thread( exec_modprobe, ( void * ) module_name, 0)
, exec_modprobe( ) ,
kernel / kmod. c
static int exec_modprobe( void * module_name)
{
static char * envp[ ] = { " HOME = / " , " TERM = linux" , " PATH = /
sbin: / usr/ sbin: / bin: / usr / bin" , NULL } ;
char * argv[ ] = { modprobe_ path, " -s" , " -k " , " --" , ( char* )
: Linux Ptrace( )
module_name, NULL } ;
103
( current- > uid! = child- > suid) ||( current- > uid! = child- > uid) |
int ret;
ret = exec_usermodehelper( modprobe_path, argv, envp) ;
if ( ret) {
printk( KERN_ERR" kmod: failed to exec % s -s -k % s, errno = % d \n" ,
( current- > gid! = child- > egid) ||( current- > gid! = child- > sgid) |
( ! cap_issubset( child- > cap_permitted, current- > cap_permitted) ) |
}
return ret;
goto out_tsk;
...
,
, Root
exec_modprobe( )
, Linux
, fs_ struct ,
, sys_ execve
: Ptraced,
, exec_
, Ptraced SUID
usermodehelper( ) ( kmod. c )
, SUID ,
..
curtask - > euid = curtask - > fsuid = 0;
curtask - > egid = curtask - > fsgid =0 ;
cap_set_full( curtask - > cap_effective) ;
. ..
set_fs( KERNEL_DS) ;
. ..
if ( execve( program_path, argv, envp) < 0)
SUID Setuid
, Setuid
SUID ,
,
,
Linux , ptrace( )
return -errno;
return 0 ;
}
, EUIDEGID , , ,
,
Ptrace ( )
,
,
, EIP
, ,
,
fork( ) ,
, ,
socket( 0, 1, 0) ,
ID fork( )
ID, 1, ID
, ,
ptrace( ) :
( 2) ptrace( PTRACE_GETREGS, . . . )
( 4) ptrace( PTRACE_DETACH, . . . )
, ,
, Root
ptrace( ) ,
,
4. 1
Linux
Linux ,
: ; ,
malloc( ) , realloc( ) , free( ) calloc( )
, ,
, 1
Text
Memory Arena
Heap
(Unused)
Stack
(Unused)
Stack
( 1) Text ,
Sys_ptrace :
if ( request = = PTRACE_ATTACH) {
if ( child = = current)
goto out_tsk;
if ( ( ! child- > dumpable ||( current- > uid! = child- > euid) ||
( 2) Memory Arena
, ( Heap)
104
Heap
2005
gs struct user_regs_struct
( 3) Stack ,
( 3) 4. 3 addr
Stack ,
, addr
1 , Memory Arena
( 5) regs
, Backupregs
4. 2
/proc
Linux ,
protec tion
offse t
dev
ino de
r- x- -
00000400
03 : 03
1401
rwx-p
0002f400
03 : 03
1401
rwx-p
00000000
00 : 00
NULL)
60000000 - 60098000
rwx-p
00000400
03 : 03
215
rwx-p
00000000
00 : 00
bfffa000 - c0000000
rwx-p
00000000
00 : 00
, address ; protection , r
= read, w = write, x = execute, s = shared, p = private ( copy on
, ptrace( ) ,
GDB ,
: ) ; inode , 0
ptrace( ) ,
4. 3
Maps,
, :
( 1) ID , /proc / pid/ maps
( 2) ,
( 3) Maps ,
,
, ,
map start dev
( 4) dev , 00: 00
, ptrace( )
,
,
ptrace( ) , ,
,
ptrace( ) ,
ptrace( ) ,
Bug,
ptrace( ) ,
, map start
[ 1]
, . : , 2000 . 155-159.
( 5) map start
4. 4
[ 2]
. Linux C [ M] . : ,
2002. 217- 218.
[ 3]
, , ,
, ,
linux + ptrace% C2% A9% B6% B4 % B7% D6 % CE% F6, 2002- 09-
ptrace( ) ,
17 / 2004 - 04.
,
ptrace( ) :
( 1) ID, ptrace ( PTRACE _ ATTACH, TRACED_ID, NULL, NULL)
( 2) ptrace ( PTRACE _ GETREGS,
TRACED_ID, NULL, ®s) re-
[ 4]
Pradeep Padata. Playing with Ptrace [ EB / OL ] . http://www.linuxjournal.com/article.php?sid=6100, 2002-11 / 2004-04.
:
( 1979- ) , , ,
; ( 1937- ) , , , ,