inskmem

What is inskmem?

inskmem allows you to load an LKM (Linux Kernel Module) into a running Linux kernel, even if that kernel was compiled without module support. It does so by locating kmalloc through /dev/kmem and using some system call magic to get the module into kernel space, relocate the necessary symbols and execute the module's startup routine. It uses a kernel space x86 disassembler to find the necessary entry points.

/dev/kmem has to be writable; hardening patches like grsecurity prevent this, and then inskmem cannot work.

It works on 2.4 kernels; I never tested whether it runs on 2.6 kernels. It runs on x86-compatible machines only.

The current version available is 1.1.

Download

You can download inskmem here:

This code is published under the BSD license. Be advised that this is not very well tested kernel stuff and this may crash your machine. You can't make me liable for anything, you use this at your own risk! Consider this as a proof-of-concept.

Installation

Do a:

./configure --help
./configure [your flags here]
make

How to use inskmem

You need the System.map of the currently running kernel so the ELF relocation code can resolve the addresses of the kernel symbols the module references. Look at the following transcript of a test session to find out more:

neptun:/home/greuff/inskmem# ./inskmem
inskmem - (c) 2003 by void.at
greuff 

Usage: inskmem System.map module.o
       inskmem --remove address_of_cleanup_module

This program links an LKM into kernel space without the need of
module support. You need read/write access to /dev/kmem or else
it won't work.

neptun:/home/greuff/inskmem# ./inskmem System.map dummy.o
inskmem - (c) 2003 by void.at
greuff 

Opening /dev/kmem for read/write... fd 3
Determining the location of sys_call_table... Reading symbols from System.map...
  System.map: 20417 symbols
0xc0315214
Using module 'dummy.o'... module size is 2936
Backing up 22 bytes from sys_mount...
Patching "shellcode" using address 0xc01355b0 and size 2936...
Writing the kmalloc triggering code ...
Triggering the code (effectively calling kmalloc)...
Restoring sys_mount ...

Address of allocated space in kernel: 0xd0eea000 :-))

Linking module into kernel space ...
  SHT_NOBITS: offset is 0 with size 0
  SHN_COMMON: offset is 0 with size 4
  found module's entry point - address is 0xd0eea1ae
  SHN_COMMON: offset is 4 with size 4
  SHN_COMMON: offset is 8 with size 1
Backing up 22 bytes from sys_mount...
Patching "shellcode" using address 0xc01355b0 and size 9...
Writing the kmalloc triggering code ...
Triggering the code (effectively calling kmalloc)...
Restoring sys_mount ...
  had to reallocate 9 more bytes to hold SHN_COMMON and SHT_NOBITS objects
  address is 0xd3e7130c (in kernel space, of course :-))
Starting the module at address 0xd0eea1ae...

work done!
neptun:/home/greuff/inskmem#

dummy.o is a test module that does all kinds of things with pointers (to check that the relocation actually worked) and is included in the source archive; make dummy.o builds it from the source archive. You can then use dmesg to check whether things actually worked:

...
initializing module
FOOOOOOOOOOOOOOO! 1
testint is 1, increasing by one ...
bla bla doing weird stuff and don't care to find out where the strings are bla bla...
testint is now 2
bla bla... testint is 2 (increasing by one)
testint is now 3 (final value)
current = ce580000
current pid: 1740
f = d3eb0ba8, cur = ce580000
d = d3fefb84
name of the root filesystem: ext3
searching for searchstr...found at 0xc0100183
found at 0xc03664be
...
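As an added defender-side example (not part of inskmem and not code by its author), the following Python script uses the same System.map lookup the relocation code relies on to read back the first bytes of sys_mount through /dev/kmem and compare them with a known-good snapshot, which is how the temporary patching of the syscall handler seen in the transcript above would show up. The snapshot file, the script name and the 22-byte window (taken from the "Backing up 22 bytes" line) are assumptions.

```python
"""check_kmem.py (assumed name): compare a syscall handler's live bytes with a snapshot.

Resolves a symbol via System.map, reads that kernel address through /dev/kmem
(read-only) and reports byte offsets that differ from a baseline snapshot.
"""
import os
import sys

SNAPSHOT_LEN = 22   # inskmem backs up and patches 22 bytes of sys_mount (see transcript)


def parse_system_map(text):
    """Map symbol name -> address from lines like 'c01355b0 T sys_mount'."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip blank or malformed lines
        addr, _kind, name = parts
        symbols[name] = int(addr, 16)
    return symbols


def read_kernel_bytes(addr, length, kmem="/dev/kmem"):
    """Read `length` bytes at kernel virtual address `addr`; 2.4 /dev/kmem offsets are virtual addresses."""
    fd = os.open(kmem, os.O_RDONLY)
    try:
        os.lseek(fd, addr, os.SEEK_SET)
        return os.read(fd, length)
    finally:
        os.close(fd)


def diff_bytes(baseline, current):
    """Offsets where live bytes differ from the snapshot; a short read counts as a difference."""
    n = max(len(baseline), len(current))
    return [i for i in range(n)
            if i >= len(baseline) or i >= len(current) or baseline[i] != current[i]]


def check_symbol(symbols, name, snapshot, kmem="/dev/kmem"):
    """Return the offsets at which the live prologue of `name` differs from `snapshot`."""
    if name not in symbols:
        raise KeyError("%s not found in System.map" % name)
    return diff_bytes(snapshot, read_kernel_bytes(symbols[name], len(snapshot), kmem))


if __name__ == "__main__":
    # usage: check_kmem.py System.map sys_mount.snap   (snapshot taken on a known-good boot)
    with open(sys.argv[1]) as f:
        syms = parse_system_map(f.read())
    with open(sys.argv[2], "rb") as f:
        base = f.read(SNAPSHOT_LEN)
    changed = check_symbol(syms, "sys_mount", base)
    print("sys_mount " + ("PATCHED at offsets %s" % changed if changed else "unchanged"))
```

An empty result means the 22-byte prologue matches the snapshot; any offsets reported mean the handler has been rewritten in memory, which is worth raising even if it was restored again afterwards.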

Authorship

inskmem is (c) 2003,2004 by Thomas Wana <thomas@wana.at>.
