nbulischeck/tyton

[Feature Request] Detect Syscall Hooking by KHOOK

nbulischeck opened this issue · 4 comments

Currently we can't detect if KHOOK has been used to hook kernel functions. This is because it doesn't mess with the pointer, but the function itself by inserting assembly to get it to jump into a custom hook in the LKM.

This should be detectable by (at least in a non-extensible way), comparing the assembly to see if any suspicious jumps are performed immediately in the function.

What about making a shadow copy of the function and compare it? Of course tyton should be loaded in a clean state, but it could detect a modification made afterwards.

Or maybe checksum the whole function?

@dvadell What do you mean by shadow copy? In my mind that's a full copy of the function put into memory and then to check do a byte by byte comparison. I like the checksum idea. The alternative is to do exactly what KHOOK does in the first place (insert instructions) and check to see if they're there. IIRC, KHOOK inserts a jump into the front of the function to get inside the rootkit.

Yes, that's what I was referring to when I said shadow copy. I don't know what's easier to implement.

But the problem with inserting an instruction (as a canary, I imagine?) like KHOOK does is that you will be changing something. I think it's better to leave everything as it is, and detect any change.

I didn't mean inserting an instruction, but rather using the instruction API to detect insertions. A shadow copy would, I'd imagine, be fairly easy to implement, but performance-wise I'm not keen on copying every syscall in the kernel.
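The two approaches discussed in this thread (checksum the function's bytes against a baseline, or recognise the jump an inline hook plants at the function entry) can be combined in a small checker. The following is an added example written for this page; it is not tyton's code and not KHOOK's. It runs in user space over constructed byte strings: the prologue bytes, the text address 0xffffffff81000000, the entry length and the FNV-1a hash are all assumptions, and the x86-64 encodings it matches (E9 rel32, FF 25 disp32, mov rax/jmp rax, push/ret, int3) are the common trampoline shapes rather than a claim about what KHOOK specifically emits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Only the function entry is examined: an inline hook of the kind discussed
 * above overwrites the first instructions so control leaves before the
 * original prologue runs. 16 is an arbitrary window for this example. */
#define ENTRY_LEN 16

enum hook_kind {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,      /* E9 rel32                          */
    HOOK_JMP_RIP_MEM,    /* FF 25 disp32  (jmp [rip+disp32])  */
    HOOK_MOV_RAX_JMP,    /* 48 B8 imm64 ; FF E0 (jmp rax)     */
    HOOK_PUSH_RET,       /* 68 imm32 ; C3                     */
    HOOK_INT3            /* CC (breakpoint-based redirection) */
};

/* Classify the bytes at a function's entry (x86-64 encodings). */
enum hook_kind classify_entry(const uint8_t *code, size_t len)
{
    if (len >= 5 && code[0] == 0xE9)
        return HOOK_JMP_REL32;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)
        return HOOK_JMP_RIP_MEM;
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
        code[10] == 0xFF && code[11] == 0xE0)
        return HOOK_MOV_RAX_JMP;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3)
        return HOOK_PUSH_RET;
    if (len >= 1 && code[0] == 0xCC)
        return HOOK_INT3;
    return HOOK_NONE;
}

/* Target of an E9 rel32 jump located at insn_addr: rel32 is relative to the
 * end of the 5-byte instruction. */
uint64_t jmp_rel32_target(uint64_t insn_addr, const uint8_t *code)
{
    int32_t rel;
    memcpy(&rel, code + 1, sizeof rel);
    return insn_addr + 5 + (int64_t)rel;
}

/* FNV-1a over a byte range: the "checksum the whole function" option. */
uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

struct verdict {
    int modified;          /* hash differs from the baseline */
    enum hook_kind kind;   /* what the entry bytes look like now */
    uint64_t target;       /* decoded target for E9 hooks, else 0 */
};

/* Compare live bytes against a hash taken while the text was trusted, then
 * explain a mismatch by decoding the entry. */
struct verdict check_function(uint64_t addr, const uint8_t *live, size_t len,
                              uint64_t baseline_hash)
{
    struct verdict v = { 0, HOOK_NONE, 0 };
    v.modified = fnv1a64(live, len) != baseline_hash;
    v.kind = classify_entry(live, len);
    if (v.kind == HOOK_JMP_REL32)
        v.target = jmp_rel32_target(addr, live);
    return v;
}

/* Constructed sample bytes (not taken from a real kernel): a plain prologue,
 * and the same prologue with its first five bytes replaced by jmp rel32.
 * Note the orphaned 0x57 at offset 5: the tail of the overwritten push r15. */
static const uint8_t CLEAN_ENTRY[ENTRY_LEN] = {
    0x55,                   /* push rbp       */
    0x48, 0x89, 0xE5,       /* mov  rbp, rsp  */
    0x41, 0x57,             /* push r15       */
    0x41, 0x56,             /* push r14       */
    0x41, 0x55,             /* push r13       */
    0x41, 0x54,             /* push r12       */
    0x53,                   /* push rbx       */
    0x48, 0x83, 0xEC        /* sub  rsp, imm8 (imm8 falls outside the window) */
};
static const uint8_t HOOKED_ENTRY[ENTRY_LEN] = {
    0xE9, 0x00, 0x10, 0x00, 0x00,   /* jmp +0x1000, into the hook */
    0x57, 0x41, 0x56, 0x41, 0x55, 0x41, 0x54, 0x53, 0x48, 0x83, 0xEC
};

int main(void)
{
    const uint64_t addr = 0xffffffff81000000ULL;   /* hypothetical text address */
    uint64_t baseline = fnv1a64(CLEAN_ENTRY, ENTRY_LEN);
    struct verdict a = check_function(addr, CLEAN_ENTRY, ENTRY_LEN, baseline);
    struct verdict b = check_function(addr, HOOKED_ENTRY, ENTRY_LEN, baseline);
    printf("clean : modified=%d kind=%d\n", a.modified, a.kind);
    printf("hooked: modified=%d kind=%d target=%#llx\n",
           b.modified, b.kind, (unsigned long long)b.target);
    return 0;
}
```

Two caveats a checker like this has to handle before it is useful in a kernel module. First, hashing only the entry window is cheap but misses a patch placed deeper in the body, while hashing whole functions costs what the thread worries about; a middle ground is to hash entries on every pass and full bodies less often. Second, the kernel legitimately rewrites its own text after boot (ftrace call sites, static keys/jump labels, alternatives), so a baseline captured at module load will drift for reasons that are not hooks; those sites need to be excluded or re-baselined, or the hash check produces false positives.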