<HTML>

<HEAD>

      <TITLE>Loadable Kernel Modules [LKM] Lecture</TITLE>

</HEAD>

<BODY>

<br>

<CENTER>

<HR SIZE=1 NOSHADE WIDTH="45%">

Loadable Kernel Modules [LKM] Lecture<br>

By <a href="mailto:the__unknown_@hotmail.com">Unknown</a><br>

HTML by <a href="mailto:rammal81@hotmail.com">Mikkkeee</a><br>

For <A HREF="http://blacksun.box.sk">Blacksun Research Facility

[BSRF]</A><br>



<A HREF="http://blacksun.box.sk">http://blacksun.box.sk</A><br>



<HR SIZE=1 NOSHADE WIDTH="61%"><br></center>



<P><B>LKM file can be downloaded from <A HREF="http://blacksun.box.sk/mirror/LKM.zip">http://blacksun.box.sk/mirror/LKM.zip</A></B>



<P>&lt;sts|> a zip ???

<BR>&lt;Mikkkeee> guys the lecture started?

<BR>&lt;Hijack> 5k

<BR>&lt;mezzano> it's mikkkeee sup man told you I wouldn't miss this one

;)

<BR>&lt;SpiderMan> around 5k

<BR>&lt;SpiderMan> not large at all

<BR>&lt;Syrup> anyone know how juno password algorithm works?

<BR>&lt;Phr3k> small

<BR>&lt;Mikkkeee> guys the lecture started?

<BR>&lt;SpiderMan> not yet Mikkkeee

<BR>&lt;SpiderMan> just told everyone to download the file

<BR>*** Mikkkeee sets mode: +v unknown

<BR>&lt;unknown> No it starts now

<BR>&lt;Revelant-Angel> i can read anything all messages are flying passed

me

<BR>*** Retrieving #bsrf info...

<BR>*** Revelant-Angel has quit IRC (Quit:)

<BR>&lt;feds> what is it???

<BR>&lt;Syrup> yay lecture

<BR>*** DarkneSs has joined #bsrf

<BR>&lt;Mikkkeee> its a zip unknown set up

<BR>*** bulgarinche has joined #bsrf

<BR>&lt;Mikkkeee> http://blacksun.box.sk/mirror/LKM.zip

<BR>&lt;Phr3k> i dunno what LKM even is

<BR>&lt;Mikkkeee> loadable kernel modules

<BR>&lt;unknown> I will explain every thing

<BR>&lt;freakOVER> don't get excited kids!

<BR>&lt;freakOVER> :)

<BR>&lt;feds> hey

<BR>&lt;feds> me 2!

<BR>&lt;Mikkkeee> well someone log this too

<BR>&lt;}{exadecimal> LKM = Loadable Kernel Module

<BR>*** optimum has quit IRC (Quit: )

<BR>&lt;Phr3k> is this lecture aplicable to even beginners

<BR>* freakOVER is loggin

<BR>&lt;freakOVER> ;)

<BR>&lt;}{exadecimal> i'm logging Mikkkeee

<BR>&lt;Phr3k> i'm a beginner beginner

<BR>&lt;Dustin> obviously

<BR>*** wascy has joined #bsrf

<BR>&lt;Mikkkeee> ---------beginning of lecture---------------

<BR>&lt;feds> any other celeb like u

<BR>*** Mikkkeee sets mode: +m

<BR>&lt;Mikkkeee> if anyone wants voice msg an op

<BR>*** Mikkkeee sets mode: -m

<BR>&lt;unknown> OK lets start

<BR>&lt;ControlC> SWEET

<BR>*** _jacs- is now known as jacs

<BR>&lt;D|GiTaLM0nKe3> k

<BR>&lt;wascy> me, pls.

<BR>&lt;Mikkkeee> wait who wants voice

<BR>&lt;}{exadecimal> do we need a c compiler? theres a c file in that

zip

<BR>&lt;sts|> wich kernelversion?

<BR>&lt;sts|> 2.2 2.4?

<BR>&lt;Dustin> i owuld like voice

<BR>&lt;D|GiTaLM0nKe3> I do

<BR>&lt;twix> me

<BR>&lt;Phr3k> i want voice

<BR>&lt;|StYxX|> no one talk for a sec

<BR>&lt;wascy> i'd like. thx.

<BR>&lt;freakOVER> ouch

<BR>&lt;snider> }{exadecimal: If you use linux you have gcc, if you don't

use linux the LKM won't compile anyways

<BR>*** Mikkkeee sets mode: +v Phr3k

<BR>*** Mikkkeee sets mode: +m

<BR>&lt;unknown> you need GCC

<BR>&lt;Mikkkeee> unknown you can begin

<BR>&lt;unknown> LKM(loadable kernel modules) are used to increase

<BR>&lt;unknown> the kernel's functionality on run time.

<BR>*** Mikkkeee sets mode: +v mezzano

<BR>&lt;unknown> which means you dont have to recompile the entire kernel

to

<BR>&lt;unknown> use load it.

<BR>&lt;unknown> This is why it is used for many device drivers.

<BR>&lt;unknown> Because LKM are used as part of the kernel it

<BR>&lt;unknown> give us endless ways to use it for our benifits :)

<BR>*** SpiderMan has quit IRC (Ping timeout: 180 seconds)

<BR>&lt;freakOVER> are LKMs slower to load?

<BR>*** SpiderMan has joined #bsrf

<BR>*** ChanServ sets mode: +o SpiderMan

<BR>&lt;unknown> Every LKM contains 2 main functions

<BR>*** h4x0r3d has joined #bsrf

<BR>&lt;unknown>&nbsp; int init_module(void) and cleanup_module

<BR>*** jacs has joined #bsrf

<BR>*** _sokrates- has quit IRC (Quit: Leaving)

<BR>&lt;unknown> init_module is called when the module is loaded and cleanup_module

<BR>&lt;unknown> is called when you remove it. init_module should return

0

<BR>&lt;unknown> to signal that everything is OK.

<BR>&lt;unknown> e also must define MODULE and include linux/module.h for

<BR>&lt;unknown> module configurations,definitions,macros etc.

<BR>*** Phish has joined #bsrf

<BR>&lt;unknown> o now we can code our first helloworld LKM

<BR>&lt;unknown> look at helloworld.c see of you understand everything.

<BR>&lt;unknown> (it should be easy).

<BR>&lt;unknown> If u wonder why i used printk and not printf its

<BR>&lt;unknown> because we are running in kernel mode which

<BR>&lt;unknown> means we can use restricted set of functions

<BR>&lt;unknown> A list of useful funcs is in func_list.txt.

<BR>*** D|GiTaLM0nKe3 has left #bsrf

<BR>&lt;unknown> questions ?

<BR>*** snider sets mode: -m

<BR>&lt;mezzano> that was deep ;)

<BR>&lt;freakOVER> ya

<BR>&lt;freakOVER> are LKMs slower to load up than if u just compiled the

kernel with them?

<BR>&lt;freakOVER> hey it's just a question :P

<BR>&lt;unknown> You load it into lernel space in run-time

<BR>&lt;snider> feds: i'll send the files

<BR>&lt;sts|> you load them.. then they run like they were compiled into

the kernel

<BR>&lt;freakOVER> ah ok

<BR>&lt;feds> i have them

<BR>&lt;Hijack> passwords can be captured using the LKM

<BR>&lt;unknown> Yes

<BR>&lt;Hijack> have them sent through e-mail

<BR>&lt;unknown> you can do almost everything using LKM

<BR>&lt;}{exadecimal> so how do we use the lkm?

<BR>&lt;unknown> OK

<BR>&lt;feds> it says it can't find DEVCPP.exe

<BR>&lt;unknown> So let continue

<BR>&lt;suspect> lol

<BR>&lt;Mikkkeee> unknown would these files run as vxd files?

<BR>&lt;Dustin> unknown: but they would need to RUN your lkm first to steal

passes?

<BR>&lt;SpiderMan> feds: just open it up in notepad for now

<BR>&lt;unknown> So lets continue

<BR>*** snider sets mode: +m

<BR>&lt;freakOVER> feds: open it using notepad

<BR>&lt;unknown> You can also hack the sever and load it yourself

<BR>&lt;unknown> It almost like VxD but in linux

<BR>&lt;Mikkkeee> are you going to give us an example in real time?

<BR>&lt;unknown> Yes

<BR>&lt;Mikkkeee> man vxd hacking is hot

<BR>*** Dustin has left #bsrf

<BR>&lt;unknown> So compile helloworld.c with gcc -O3 -c helloworld.c

<BR>*** pitpat has joined #bsrf

<BR>&lt;unknown> This will create helloworld.o

<BR>*** Syrup has quit IRC (Quit:)

<BR>&lt;unknown> to insert the LKM do "insmod helloworld.o"

<BR>*** dg-2 has quit IRC (Quit: )

<BR>&lt;unknown> Now do lsmod

<BR>&lt;unknown> this will list the modules loaded into the kernel

<BR>&lt;unknown> Later we will see how to make our LKM

<BR>&lt;unknown> Unremovabe &amp; invisible

<BR>&lt;unknown> to remove it do "rmmod helloworld"

<BR>&lt;unknown> questions?

<BR>*** DG-2 has joined #bsrf

<BR>&lt;unknown> questions?

<BR>&lt;mezzano> nope seems pretty intuitive ;)

<BR>&lt;unknown> KO

<BR>&lt;unknown> OK

<BR>*** SpiderMan sets mode: -m

<BR>&lt;Hijack> so is there any solutions for removing it if i were a system

admin

<BR>&lt;}{exadecimal> no voice

<BR>&lt;Hijack> ?

<BR>&lt;unknown> OK now because our LKM is running in kernel space

<BR>&lt;unknown> we cant access user space memory.

<BR>&lt;unknown> So lets say one of our functions gets as

<BR>&lt;unknown> an argument a pointer to user space

<BR>&lt;unknown> we must move it to kernel space before we try

<BR>&lt;unknown> to use data it points to.

<BR>&lt;_miketr0nix-> hello

<BR>*** SpiderMan sets mode: +m

<BR>&lt;unknown> to use data it points to.

<BR>&lt;unknown> He can remove it on run-time he can restart the box

<BR>&lt;unknown> so the module will not be loaded

<BR>*** Mikkkeee sets mode: +o unknown

<BR>*** ChanServ sets mode: -o unknown

<BR>&lt;Mikkkeee> shit

<BR>&lt;unknown> but first he has to find it

<BR>* mezzano thinks mikkkeee needs to pimp-slap chanserv ;)

<BR>&lt;unknown> If you what you can put some script to insmod it when

the box starts

<BR>&lt;unknown> In order to move user data to ke rnel data we have several

functions

<BR>*** ControlC has quit IRC (Quit: )

<BR>&lt;unknown> get_user(kernel_dest,user_pointer) - gets the value user_pointer

points to

<BR>&lt;unknown> and put it in kernel_dest(old kernels use dest=get_user(src)).

<BR>&lt;unknown> put_user(kernel_src,user_pointer) - note that kernel_src

<BR>&lt;unknown> is not a pointer)

<BR>&lt;unknown> copy_from_user(kernel_dest_ptr,src_ptr,size)

<BR>&lt;unknown> copy_to_user(user_dest_ptr,src_ptr,size)

<BR>*** DG-2 has quit IRC (Quit: Leaving)

<BR>*** pitpat has quit IRC (Quit: )

<BR>*** Mikkkeee sets mode: +o unknown

<BR>*** optimum has joined #bsrf

<BR>&lt;unknown> For example look at _h_lkm.c at line 78

<BR>*** suspect has quit IRC (Ping timeout: 180 seconds)

<BR>&lt;unknown> this function copies string from user

<BR>*** Dustin has joined #bsrf

<BR>&lt;unknown> (GET_U is a macro for get_user())

<BR>&lt;unknown> questions ?

<BR>*** [phRoZen] has joined #BSRF

<BR>*** SpiderMan sets mode: -m

<BR>&lt;Hijack> none at the moment

<BR>*** optimum is now known as optimum[d

<BR>&lt;Neophyte> im fine

<BR>&lt;}{exadecimal> yeah

<BR>*** zaxil has joined #bsrf

<BR>&lt;zaxil> hey everyone

<BR>&lt;}{exadecimal> why do we keep losing our voices?

<BR>*** bulgarinche has quit IRC (Ping timeout: 180 seconds)