nbulischeck / tyton
Kernel-Mode Rootkit Hunter
Home Page: https://nbulischeck.github.io/tyton/
License: GNU General Public License v3.0
Line 12 in ef291a9
As it stands, if you build the kernel module and insert it into your kernel, you will taint it.
If you could figure out a way to prevent this from happening, possibly through kernel module signing, that would be great.
You can read more about tainting the kernel from the following links:
https://www.kernel.org/doc/html/v4.15/admin-guide/tainted-kernels.html
https://unix.stackexchange.com/questions/118116/what-is-a-tainted-kernel-in-linux
https://stackoverflow.com/questions/27252165/what-does-kernel-tainted-mean
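The tainting note above and the "Tainted: G OE" lines in the oops further down this page use the same flag letters. As an added example (not tyton's code), here is a small Python helper that decodes /proc/sys/kernel/tainted, diffs two readings taken around an insmod so you can see exactly which flags the module set, and pulls the taint field out of an oops header. The bit table is the one from the tainted-kernels document linked above; the sample oops line is constructed from the dmesg output on this page.

```python
"""Decode Linux kernel taint flags before and after loading a module.

Added example, not part of tyton. Bit positions and letters follow
Documentation/admin-guide/tainted-kernels.rst; the sample oops line in
__main__ is constructed from the dmesg output elsewhere on this page.
"""

# (bit, dmesg letter, meaning) as documented for /proc/sys/kernel/tainted
TAINT_FLAGS = [
    (0, "P", "proprietary module loaded"),
    (1, "F", "module forcibly loaded"),
    (2, "S", "SMP kernel oops on an officially SMP-incapable processor"),
    (3, "R", "module forcibly unloaded"),
    (4, "M", "processor reported a Machine Check Exception"),
    (5, "B", "bad page referenced or unexpected page flags"),
    (6, "U", "taint requested by a userspace application"),
    (7, "D", "kernel died recently (OOPS or BUG)"),
    (8, "A", "ACPI table overridden by user"),
    (9, "W", "kernel issued a warning"),
    (10, "C", "staging driver loaded"),
    (11, "I", "workaround for a platform firmware bug applied"),
    (12, "O", "externally-built (out-of-tree) module loaded"),
    (13, "E", "unsigned module loaded"),
    (14, "L", "soft lockup occurred"),
    (15, "K", "kernel has been live patched"),
    (16, "X", "auxiliary taint, defined and used by distributions"),
    (17, "T", "kernel built with the struct randomization plugin"),
]
LETTER_TO_MEANING = {letter: meaning for _, letter, meaning in TAINT_FLAGS}


def decode_taint_mask(mask):
    """Return the dmesg letters for every bit set in a /proc/sys/kernel/tainted value."""
    return [letter for bit, letter, _ in TAINT_FLAGS if mask & (1 << bit)]


def new_taint_flags(before, after):
    """Flags that appeared between two readings of /proc/sys/kernel/tainted,
    e.g. one taken right before `insmod tyton.ko` and one right after."""
    return decode_taint_mask(after & ~before)


def parse_dmesg_taint(line):
    """Extract taint letters from an oops header such as
    '... Comm: kworker/0:2 Tainted: G OE 4.4.0-75-generic #96-Ubuntu'.
    Returns [] for 'Not tainted' and None if the line has no taint field.
    The leading G means 'no proprietary module' and is not a taint flag."""
    if "Not tainted" in line:
        return []
    _, found, rest = line.partition("Tainted:")
    if not found:
        return None
    letters = []
    for token in rest.split():
        if any(ch.isdigit() for ch in token):   # reached the kernel version
            break
        letters.extend(token)
    return [l for l in letters if l != "G"]


def explain(letters):
    """Human-readable meaning for each flag letter."""
    return [f"{l}: {LETTER_TO_MEANING.get(l, 'unknown flag')}" for l in letters]


def read_taint_file(path="/proc/sys/kernel/tainted"):
    """Read the live taint mask; returns None where /proc is unavailable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    # Constructed from the oops on this page: O (out-of-tree) + E (unsigned).
    sample = "[   65.415771] CPU: 0 PID: 360 Comm: kworker/0:2 Tainted: G OE 4.4.0-75-generic #96-Ubuntu"
    print(explain(parse_dmesg_taint(sample)))
    live = read_taint_file()
    if live is not None:
        print("current taint:", live, explain(decode_taint_mask(live)))
```

Read the file once before and once after insmod and pass both values to new_taint_flags; an out-of-tree build of tyton is expected to add O, and E as well unless the module is signed with a key the kernel trusts.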
Hello,
There is an issue with the latest version of tyton code. When trying to compile it I get the error in the subject.
OS: Blackarch Linux
Kernel version: 5.13.13-arch1-1
Tyton version: master branch from GitHub and 1:80.56494f3-1 from the Blackarch repository.
DKMS make.log for tyton-80.56494f3 for kernel 5.13.13-arch1-1 (x86_64)
sâmbătă 28 august 2021, 17:11:15 +0300
make -C /lib/modules/5.13.13-arch1-1/build M=/var/lib/dkms/tyton/80.56494f3/build modules
make[1]: warning: jobserver unavailable: using -j1. Add '+' to parent make rule.
make[1]: Entering directory '/usr/lib/modules/5.13.13-arch1-1/build'
CC [M] /var/lib/dkms/tyton/80.56494f3/build/src/core.o
CC [M] /var/lib/dkms/tyton/80.56494f3/build/src/util.o
CC [M] /var/lib/dkms/tyton/80.56494f3/build/src/proc.o
/var/lib/dkms/tyton/80.56494f3/build/src/proc.c: In function ‘analyze_fops’:
/var/lib/dkms/tyton/80.56494f3/build/src/proc.c:116:29: error: ‘module_mutex’ undeclared (first use in this function); did you mean ‘module_put’?
116 | mutex_lock(&module_mutex);
| ^~~~~~~~~~~~
| module_put
/var/lib/dkms/tyton/80.56494f3/build/src/proc.c:116:29: note: each undeclared identifier is reported only once for each function it appears in
make[2]: *** [scripts/Makefile.build:273: /var/lib/dkms/tyton/80.56494f3/build/src/proc.o] Error 1
make[1]: *** [Makefile:1862: /var/lib/dkms/tyton/80.56494f3/build] Error 2
make[1]: Leaving directory '/usr/lib/modules/5.13.13-arch1-1/build'
make: *** [Makefile:19: module] Error 2
If I run make to compile the code I have downloaded from git I get the exact same error. This happens each time I try to compile that module. Tried with different kernel versions, 2 or 3 versions, and always the compilation ends in error.
Dear development team,
In a recent kernel patch, "kallsyms_lookup_name" was unexported, and building tyton on kernel>=5.7.6 fails.
I built tyton-1.2 under Blackarch on kernel 5.7.7-arch1-1 and the following error occurred:
Error Message from pacman:
==> dkms install --no-depmod -m tyton -v 1.2 -k 5.7.7-arch1-1
Error! Bad return status for module build on kernel: 5.7.7-arch1-1 (x86_64)
Consult /var/lib/dkms/tyton/1.2/build/make.log for more information.
==> Warning, `dkms install --no-depmod -m tyton -v 1.2 -k 5.7.7-arch1-1' returned 10
make.log
DKMS make.log for tyton-1.2 for kernel 5.7.7-arch1-1 (x86_64)
2020-07-05T23:06:53 EDT
make -C /lib/modules/5.7.7-arch1-1/build M=/var/lib/dkms/tyton/1.2/build modules
make[1]: warning: jobserver unavailable: using -j1. Add '+' to parent make rule.
make[1]: Entering directory '/usr/lib/modules/5.7.7-arch1-1/build'
CC [M] /var/lib/dkms/tyton/1.2/build/src/core.o
CC [M] /var/lib/dkms/tyton/1.2/build/src/util.o
CC [M] /var/lib/dkms/tyton/1.2/build/src/proc.o
CC [M] /var/lib/dkms/tyton/1.2/build/src/module_list.o
CC [M] /var/lib/dkms/tyton/1.2/build/src/syscall_hooks.o
CC [M] /var/lib/dkms/tyton/1.2/build/src/network_hooks.o
CC [M] /var/lib/dkms/tyton/1.2/build/src/netfilter_hooks.o
CC [M] /var/lib/dkms/tyton/1.2/build/src/interrupt_hooks.o
LD [M] /var/lib/dkms/tyton/1.2/build/tyton.o
MODPOST 1 modules
ERROR: modpost: "kallsyms_lookup_name" [/var/lib/dkms/tyton/1.2/build/tyton.ko] undefined!
make[2]: *** [scripts/Makefile.modpost:99: __modpost] Error 1
make[1]: *** [Makefile:1645: modules] Error 2
make[1]: Leaving directory '/usr/lib/modules/5.7.7-arch1-1/build'
make: *** [Makefile:19: module] Error 2
So I wonder if there's any workaround for this issue, or do I have to compile my own kernel to make tyton work?
Best regards,
Yu
Can't compile master branch on Ubuntu 16.04 + kernel 4.4.0-75, can you take a look?
/tmp/tyton-master/src/network_hooks.c: In function 'analyze_networks':
/tmp/tyton-master/src/network_hooks.c:54:42: error: dereferencing pointer to incomplete type 'const struct file_operations'
op_addr[0] = *(unsigned long *)seq_fops->llseek;
Currently we have Debian/Ubuntu/Kali and Arch. Adding Fedora to this list would be beneficial.
Environment:
Distro name and version: Black Arch (rolling release)
Kernel version: 5.10.13-arch1-2
Reproducibility Rate: Always. It fails even when building the package from AUR.
Steps to reproduce:
git clone https://github.com/nbulischeck/tyton.git
make
ERROR: modpost: "__module_address" [/home/blackarch/tyton/tyton.ko] undefined!
Please refer to the "Actual result" section.
Expected result:
Kernel module should be built.
Actual result:
make -C /lib/modules/5.10.13-arch1-2/build M=/home/blackarch/tyton modules
make[1]: Entering directory '/usr/lib/modules/5.10.13-arch1-2/build'
CC [M] /home/blackarch/tyton/src/core.o
CC [M] /home/blackarch/tyton/src/util.o
CC [M] /home/blackarch/tyton/src/proc.o
CC [M] /home/blackarch/tyton/src/module_list.o
CC [M] /home/blackarch/tyton/src/syscall_hooks.o
CC [M] /home/blackarch/tyton/src/network_hooks.o
CC [M] /home/blackarch/tyton/src/netfilter_hooks.o
CC [M] /home/blackarch/tyton/src/interrupt_hooks.o
LD [M] /home/blackarch/tyton/tyton.o
MODPOST /home/blackarch/tyton/Module.symvers
ERROR: modpost: "__module_address" [/home/blackarch/tyton/tyton.ko] undefined!
make[2]: *** [scripts/Makefile.modpost:111: /home/blackarch/tyton/Module.symvers] Error 1
make[2]: *** Deleting file '/home/blackarch/tyton/Module.symvers'
make[1]: *** [Makefile:1709: modules] Error 2
make[1]: Leaving directory '/usr/lib/modules/5.10.13-arch1-2/build'
make: *** [Makefile:19: module] Error 2
Severity/Priority
Critical.
Notes
This link from linux-kernel mailing-list might be related.
Fresh compile from master branch, I didn't do anything after insmod. No other kernel modules or hooks installed.
It just crashed on 4.4.0-75-generic in a few seconds; I can enable kdump if it's needed.
Logs from dmesg:
[ 65.415771] CPU: 0 PID: 360 Comm: kworker/0:2 Tainted: G OE 4.4.0-75-generic #96-Ubuntu
[ 65.415792] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018
[ 65.415819] Workqueue: events work_func [tyton]
[ 65.415832] task: ffff8800345b6900 ti: ffff880035654000 task.ti: ffff880035654000
[ 65.415850] RIP: 0010:[<ffffffffc0008817>] [<ffffffffc0008817>] analyze_netfilter+0x47/0x100 [tyton]
[ 65.415874] RSP: 0018:ffff880035657dd0 EFLAGS: 00010246
[ 65.415887] RAX: ffffffff81ef6aa0 RBX: ffff880035bc8300 RCX: 0000000000000006
[ 65.415904] RDX: ffffffff81ef6aa0 RSI: 0000000000000246 RDI: ffff88013960dd50
[ 65.415921] RBP: ffff880035657e08 R08: 00000000736b6f6f R09: 00000000000006fd
[ 65.415937] R10: ffffffff81c9bb76 R11: 00000000000006fd R12: ffffffff81ef6a10
[ 65.415954] R13: ffff88013961af00 R14: 0000000000000000 R15: ffffffff81ef6a20
[ 65.415971] FS: 0000000000000000(0000) GS:ffff880139600000(0000) knlGS:0000000000000000
[ 65.415990] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 65.416004] CR2: 0000000000000000 CR3: 0000000001e0a000 CR4: 00000000003406f0
[ 65.416049] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 65.416066] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 65.416083] Stack:
[ 65.416089] ffffffff81ef6aa0 00000005c0009403 ffff880035bc8300 ffff8801396165c0
[ 65.416110] ffff88013961af00 0000000000000000 ffffffffc000a000 ffff880035657e18
[ 65.416131] ffffffffc000801d ffff880035657e58 ffffffff8109a555 0000000000000000
[ 65.416152] Call Trace:
[ 65.416162] [<ffffffffc000801d>] work_func+0x1d/0x60 [tyton]
[ 65.416179] [<ffffffff8109a555>] process_one_work+0x165/0x480
[ 65.416629] [<ffffffff8109a8bb>] worker_thread+0x4b/0x4c0
[ 65.417064] [<ffffffff8109a870>] ? process_one_work+0x480/0x480
[ 65.417499] [<ffffffff8109a870>] ? process_one_work+0x480/0x480
[ 65.417919] [<ffffffff810a0be8>] kthread+0xd8/0xf0
[ 65.418327] [<ffffffff810a0b10>] ? kthread_create_on_node+0x1e0/0x1e0
[ 65.418736] [<ffffffff8183bd0f>] ret_from_fork+0x3f/0x70
[ 65.419137] [<ffffffff810a0b10>] ? kthread_create_on_node+0x1e0/0x1e0
[ 65.419545] Code: 10 e8 e5 4d 18 c1 48 c7 45 c8 20 68 ef 81 c7 45 d4 00 00 00 00 48 8b 45 c8 4c 8d 78 80 83 7d d4 05 41 be 00 00 00 00 4d 0f 45 f7 <4d> 8b 26 4d 39 f4 74 5f 4d 8b 6c 24 10 48 c7 c7 e0 ae e5 81 e8
[ 65.420789] RIP [<ffffffffc0008817>] analyze_netfilter+0x47/0x100 [tyton]
[ 65.421195] RSP <ffff880035657dd0>
[ 65.421578] CR2: 0000000000000000
[ 65.421940] ---[ end trace 9bd2729f4cf2d893 ]---
[ 65.422377] BUG: unable to handle kernel paging request at ffffffffffffffd8
[ 65.422747] IP: [<ffffffff810a1290>] kthread_data+0x10/0x20
[ 65.423104] PGD 1e0d067 PUD 1e0f067 PMD 0
[ 65.423451] Oops: 0000 [#2] SMP
[ 65.423803] Modules linked in: tyton(OE) hid_generic usbhid hid psmouse ahci libahci vmwgfx e1000 ttm mptspi drm_kms_helper mptscsih mptbase syscopyarea sysfillrect scsi_transport_spi sysimgblt fb_sys_fops drm pata_acpi fjes
[ 65.426720] CPU: 0 PID: 360 Comm: kworker/0:2 Tainted: G D OE 4.4.0-75-generic #96-Ubuntu
[ 65.427449] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018
[ 65.428220] task: ffff8800345b6900 ti: ffff880035654000 task.ti: ffff880035654000
[ 65.428612] RIP: 0010:[<ffffffff810a1290>] [<ffffffff810a1290>] kthread_data+0x10/0x20
[ 65.429013] RSP: 0018:ffff880035657ac8 EFLAGS: 00010002
[ 65.429411] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff82108e80
[ 65.429819] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8800345b6900
[ 65.430233] RBP: ffff880035657ac8 R08: 00000000ffffffff R09: 0000000000000000
[ 65.430620] R10: ffff8800345b6960 R11: 0000000000003800 R12: 0000000000000000
[ 65.431005] R13: 0000000000016dc0 R14: ffff8800345b6900 R15: ffff880139616dc0
[ 65.431390] FS: 0000000000000000(0000) GS:ffff880139600000(0000) knlGS:0000000000000000
[ 65.431776] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 65.432160] CR2: 0000000000000028 CR3: 00000000b9ad5000 CR4: 00000000003406f0
[ 65.432572] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 65.432980] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 65.433367] Stack:
[ 65.433754] ffff880035657ae0 ffffffff8109b8f1 ffff880139616dc0 ffff880035657b30
[ 65.434163] ffffffff81837430 ffff880035657b48 ffffffff00000000 ffff8800345b6900
[ 65.434569] ffff880035658000 ffff8800345b6fd0 ffff8800356576e0 0000000000000046
[ 65.434977] Call Trace:
[ 65.435378] [<ffffffff8109b8f1>] wq_worker_sleeping+0x11/0x90
[ 65.435780] [<ffffffff81837430>] __schedule+0x650/0xa30
[ 65.436199] [<ffffffff81837845>] schedule+0x35/0x80
[ 65.436569] [<ffffffff81084455>] do_exit+0x775/0xb00
[ 65.436932] [<ffffffff81031c41>] oops_end+0xa1/0xd0
[ 65.437299] [<ffffffff8106ad35>] no_context+0x135/0x380
[ 65.437646] [<ffffffff8106b000>] __bad_area_nosemaphore+0x80/0x1f0
[ 65.437996] [<ffffffff8106b183>] bad_area_nosemaphore+0x13/0x20
[ 65.438341] [<ffffffff8106b447>] __do_page_fault+0xb7/0x400
[ 65.438681] [<ffffffff8106b7b2>] do_page_fault+0x22/0x30
[ 65.439019] [<ffffffff8183daf8>] page_fault+0x28/0x30
[ 65.439359] [<ffffffffc0008817>] ? analyze_netfilter+0x47/0x100 [tyton]
[ 65.439694] [<ffffffffc000801d>] work_func+0x1d/0x60 [tyton]
[ 65.440019] [<ffffffff8109a555>] process_one_work+0x165/0x480
[ 65.440335] [<ffffffff8109a8bb>] worker_thread+0x4b/0x4c0
[ 65.440643] [<ffffffff8109a870>] ? process_one_work+0x480/0x480
[ 65.440943] [<ffffffff8109a870>] ? process_one_work+0x480/0x480
[ 65.441228] [<ffffffff810a0be8>] kthread+0xd8/0xf0
[ 65.441508] [<ffffffff810a0b10>] ? kthread_create_on_node+0x1e0/0x1e0
[ 65.441780] [<ffffffff8183bd0f>] ret_from_fork+0x3f/0x70
[ 65.442043] [<ffffffff810a0b10>] ? kthread_create_on_node+0x1e0/0x1e0
[ 65.442305] Code: ff ff ff be 46 02 00 00 48 c7 c7 48 b2 cb 81 e8 b7 01 fe ff e9 a6 fe ff ff 66 90 0f 1f 44 00 00 48 8b 87 18 05 00 00 55 48 89 e5 <48> 8b 40 d8 5d c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00
[ 65.443209] RIP [<ffffffff810a1290>] kthread_data+0x10/0x20
[ 65.443724] RSP <ffff880035657ac8>
[ 65.444241] CR2: ffffffffffffffd8
[ 65.444584] ---[ end trace 9bd2729f4cf2d894 ]---
[ 65.444861] Fixing recursive fault but reboot is needed!
There is currently no alert system, but generating an alert every time a new module is inserted into the kernel would be helpful.
This can be done by:
You could probably also use a refactored form of the analyze_modules function here to search for hidden modules as well.
Currently, warnings/alerts/etc. will only be displayed to the user if they view the journalctl log after one has been generated. This is inconvenient as users will not commonly analyze this log for new behavior, nor will it be maintained across boot sessions.
If you could find a way to create userland notifications so that, in the event of an alert or warning the user would be notified of such and could take appropriate action, that would be great.
A possible, and suggested, avenue for tackling this would be to write a journalctl message that is acted upon by a journald-remote that ultimately talks to libnotify. Journald-remote is a client that reads messages from journalctl.
You can find more information on the above approach at the following links:
https://www.freedesktop.org/software/systemd/man/systemd-journal-remote.service.html
https://serverfault.com/questions/758244/how-to-configure-systemd-journal-remote
==> Запускается build()...
make -C /lib/modules/5.15.2-zen1-1-zen/build M=/home/admin/Buildroot0/PAMAC/tyton-dkms-git/src/tyton modules
make[1]: предупреждение: сервер заданий недоступен: используется -j1. Добавьте «+» к правилу в родительском make.
make[1]: вход в каталог «/usr/lib/modules/5.15.2-zen1-1-zen/build»
CC [M] /home/admin/Buildroot0/PAMAC/tyton-dkms-git/src/tyton/src/core.o
CC [M] /home/admin/Buildroot0/PAMAC/tyton-dkms-git/src/tyton/src/util.o
CC [M] /home/admin/Buildroot0/PAMAC/tyton-dkms-git/src/tyton/src/proc.o
/home/admin/Buildroot0/PAMAC/tyton-dkms-git/src/tyton/src/proc.c: В функции «analyze_fops»:
/home/admin/Buildroot0/PAMAC/tyton-dkms-git/src/tyton/src/proc.c:116:29: ошибка: «module_mutex» не описан (первое использование в этой функции); имелось в виду «module_put»?
116 | mutex_lock(&module_mutex);
| ^~~~~~~~~~~~
| module_put
/home/admin/Buildroot0/PAMAC/tyton-dkms-git/src/tyton/src/proc.c:116:29: замечание: сообщение о каждом неописанном идентификаторе выдается один раз в каждой функции, где он встречается
make[2]: *** [scripts/Makefile.build:277: /home/admin/Buildroot0/PAMAC/tyton-dkms-git/src/tyton/src/proc.o] Ошибка 1
make[1]: *** [Makefile:1863: /home/admin/Buildroot0/PAMAC/tyton-dkms-git/src/tyton] Ошибка 2
make[1]: выход из каталога «/usr/lib/modules/5.15.2-zen1-1-zen/build»
make: *** [Makefile:19: module] Ошибка 2
==> ОШИБКА: Произошел сбой в build().
Прерывание...
I have this error. I use kernel 5.15.2-zen1-1-zen.
Hi, I have started to experience this issue after installing the tyton module (the latest snapshot).
My laptop goes into suspend mode just fine; however, it boots fresh when I power it on later.
Here is the pm-suspend.log file:
Mon Jan 21 23:11:27 +08 2019: performing suspend
Tue Jan 22 08:48:41 +08 2019: Awake.
Tue Jan 22 08:48:41 +08 2019: Running hooks for resume
Running hook /usr/lib64/pm-utils/sleep.d/99video resume suspend:
/usr/lib64/pm-utils/sleep.d/99video resume suspend: success.
Running hook /usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler resume suspend:
/usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler resume suspend: success.
Running hook /usr/lib64/pm-utils/sleep.d/95led resume suspend:
/usr/lib64/pm-utils/sleep.d/95led resume suspend: success.
Running hook /usr/lib64/pm-utils/sleep.d/94cpufreq resume suspend:
/usr/lib64/pm-utils/sleep.d/94cpufreq resume suspend: success.
Running hook /usr/lib64/pm-utils/sleep.d/90clock resume suspend:
/usr/lib64/pm-utils/sleep.d/90clock resume suspend: disabled.
Running hook /usr/lib64/pm-utils/sleep.d/75modules resume suspend:
Reloaded unloaded modules.
/usr/lib64/pm-utils/sleep.d/75modules resume suspend: success.
Running hook /usr/lib64/pm-utils/sleep.d/50unload_alx resume suspend:
/usr/lib64/pm-utils/sleep.d/50unload_alx resume suspend: success.
Running hook /usr/lib64/pm-utils/sleep.d/01grub resume suspend:
/usr/lib64/pm-utils/sleep.d/01grub resume suspend: disabled.
Running hook /usr/lib64/pm-utils/sleep.d/00powersave resume suspend:
Blacklisting 01grub.
Blacklisting 90clock.
/usr/lib64/pm-utils/sleep.d/00powersave resume suspend: success.
Running hook /usr/lib64/pm-utils/sleep.d/00logging resume suspend:
/usr/lib64/pm-utils/sleep.d/00logging resume suspend: success.
Tue Jan 22 08:48:41 +08 2019: Finished.
Initial commandline parameters:
Blacklisting 01grub.
Blacklisting 90clock.
Tue Jan 22 08:48:43 +08 2019: Running hooks for suspend.
Running hook /usr/lib64/pm-utils/sleep.d/00logging suspend suspend:
Linux pt 4.20.2-pentoo #3 SMP PREEMPT Sun Jan 20 16:44:51 +08 2019 x86_64 Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz GenuineIntel GNU/Linux
Module Size Used by
tyton 16384 0
ctr 16384 0
ccm 20480 0
ipv6 430080 76
usbhid 40960 0
uvcvideo 102400 0
videobuf2_vmalloc 16384 1 uvcvideo
videobuf2_memops 16384 1 videobuf2_vmalloc
videobuf2_v4l2 24576 1 uvcvideo
videodev 180224 2 videobuf2_v4l2,uvcvideo
videobuf2_common 45056 2 videobuf2_v4l2,uvcvideo
vboxpci 28672 0
vboxnetadp 28672 0
iwldvm 188416 0
vboxnetflt 32768 0
mac80211 684032 1 iwldvm
x86_pkg_temp_thermal 16384 0
kvm_intel 192512 0
vboxdrv 430080 3 vboxpci,vboxnetadp,vboxnetflt
iwlwifi 245760 1 iwldvm
kvm 634880 1 kvm_intel
sdhci_pci 40960 0
irqbypass 16384 1 kvm
cqhci 28672 1 sdhci_pci
efivars 20480 0
serio_raw 16384 0
sdhci 49152 1 sdhci_pci
i2c_i801 28672 0
mmc_core 143360 3 sdhci,cqhci,sdhci_pci
cfg80211 663552 3 iwldvm,iwlwifi,mac80211
xhci_pci 16384 0
e1000e 249856 0
ehci_pci 16384 0
ehci_hcd 86016 1 ehci_pci
xhci_hcd 225280 1 xhci_pci
thinkpad_acpi 81920 0
rfkill 24576 3 thinkpad_acpi,cfg80211
pcc_cpufreq 16384 0
efivarfs 16384 1
total used free shared buff/cache available
Mem: 7970748 1463528 4726832 554416 1780388 5853408
Swap: 4194300 372 4193928
/usr/lib64/pm-utils/sleep.d/00logging suspend suspend: success.
Running hook /usr/lib64/pm-utils/sleep.d/00powersave suspend suspend:
Blacklisting 01grub.
Blacklisting 90clock.
/usr/lib64/pm-utils/sleep.d/00powersave suspend suspend: success.
Running hook /usr/lib64/pm-utils/sleep.d/01grub suspend suspend:
/usr/lib64/pm-utils/sleep.d/01grub suspend suspend: disabled.
Running hook /usr/lib64/pm-utils/sleep.d/50unload_alx suspend suspend:
/usr/lib64/pm-utils/sleep.d/50unload_alx suspend suspend: success.
Running hook /usr/lib64/pm-utils/sleep.d/75modules suspend suspend:
/usr/lib64/pm-utils/sleep.d/75modules suspend suspend: success.
Running hook /usr/lib64/pm-utils/sleep.d/90clock suspend suspend:
/usr/lib64/pm-utils/sleep.d/90clock suspend suspend: disabled.
Running hook /usr/lib64/pm-utils/sleep.d/94cpufreq suspend suspend:
/usr/lib64/pm-utils/sleep.d/94cpufreq suspend suspend: success.
Running hook /usr/lib64/pm-utils/sleep.d/95led suspend suspend:
/usr/lib64/pm-utils/sleep.d/95led suspend suspend: success.
Running hook /usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler suspend suspend:
/usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler: line 101: /sys/class/dmi/id/bios_version: No such file or directory
/usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler: line 101: /sys/class/dmi/id/bios_vendor: No such file or directory
/usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler: line 101: /sys/class/dmi/id/bios_date: No such file or directory
/usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler: line 101: /sys/class/dmi/id/sys_vendor: No such file or directory
/usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler: line 101: /sys/class/dmi/id/product_name: No such file or directory
/usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler: line 101: /sys/class/dmi/id/product_version: No such file or directory
/usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler: line 101: /sys/class/dmi/id/board_name: No such file or directory
/usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler: line 101: /sys/class/dmi/id/board_version: No such file or directory
/usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler: line 101: /sys/class/dmi/id/board_vendor: No such file or directory
Kernel modesetting video driver detected, not using quirks.
/usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler suspend suspend: success.
Running hook /usr/lib64/pm-utils/sleep.d/99video suspend suspend:
kernel.acpi_video_flags = 0
/usr/lib64/pm-utils/sleep.d/99video suspend suspend: success.
Tue Jan 22 08:48:44 +08 2019: performing suspend
Any ideas what's wrong?
make -C /lib/modules/5.7.2-arch1-1/build M=/home/joaomanoel/git/tyton modules
make[1]: Entrando no diretório '/usr/lib/modules/5.7.2-arch1-1/build'
CC [M] /home/joaomanoel/git/tyton/src/core.o
CC [M] /home/joaomanoel/git/tyton/src/util.o
CC [M] /home/joaomanoel/git/tyton/src/proc.o
CC [M] /home/joaomanoel/git/tyton/src/module_list.o
CC [M] /home/joaomanoel/git/tyton/src/syscall_hooks.o
CC [M] /home/joaomanoel/git/tyton/src/network_hooks.o
CC [M] /home/joaomanoel/git/tyton/src/netfilter_hooks.o
CC [M] /home/joaomanoel/git/tyton/src/interrupt_hooks.o
LD [M] /home/joaomanoel/git/tyton/tyton.o
MODPOST 1 modules
ERROR: modpost: "kallsyms_lookup_name" [/home/joaomanoel/git/tyton/tyton.ko] undefined!
make[2]: *** [scripts/Makefile.modpost:94: __modpost] Erro 1
make[1]: *** [Makefile:1642: modules] Erro 2
make[1]: Saindo do diretório '/usr/lib/modules/5.7.2-arch1-1/build'
make: *** [Makefile:19: module] Erro 2
HELP-ME!!!
PS: I use updated BlackArch Linux
Currently we have Debian/Ubuntu/Kali and Arch. Adding CentOS to this list would be beneficial.
Currently we can't detect if KHOOK has been used to hook kernel functions. This is because it doesn't mess with the pointer but with the function itself, inserting assembly to get it to jump into a custom hook in the LKM.
This should be detectable (at least in a non-extensible way) by comparing the assembly to see if any suspicious jumps are performed immediately in the function.
y tho
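A userland prototype of the check described in the KHOOK issue above, added here as an example (not tyton's code, and not a description of how KHOOK itself patches anything): instead of checking a function pointer, look at the first bytes of the function for a control transfer that leaves the kernel's text section. Every byte string, address and the sample kernel text range below is constructed; on a real system the code bytes would come from /proc/kcore or a memory image and the text range from _stext/_etext in /proc/kallsyms. The check also tolerates the `call __fentry__` slot (or its 5-byte NOP) that ftrace-enabled kernels place at function entry, since a hook can be placed right after it.

```python
"""Userland prototype of an inline-hook check for x86-64 function prologues.

Added example, not tyton's code. All samples and addresses are constructed;
SAMPLE_KERNEL_TEXT stands in for the real _stext/_etext range.
"""
import struct

MASK64 = (1 << 64) - 1
SAMPLE_KERNEL_TEXT = (0xFFFFFFFF81000000, 0xFFFFFFFF82000000)  # constructed


def _rel32(code, off):
    return struct.unpack_from("<i", code, off)[0]


def _transfer_at(code, addr):
    """Return (kind, target) if `code` (the bytes at virtual address `addr`)
    begins with a control transfer of the sort inline hooks install."""
    if len(code) >= 5 and code[0] == 0xE9:                          # jmp rel32
        return "jmp rel32", (addr + 5 + _rel32(code, 1)) & MASK64
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                   # jmp [rip+disp32]
        return "jmp [rip+disp32]", None      # target is in memory, not in the bytes
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return "movabs rax, imm64; jmp rax", struct.unpack_from("<Q", code, 2)[0]
    if len(code) >= 13 and code[:2] == b"\x48\xB8" and code[10:13] == b"\x50\xC3":
        return "movabs rax, imm64; push rax; ret", struct.unpack_from("<Q", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:      # push imm32; ret
        return "push imm32; ret", _rel32(code, 1) & MASK64           # imm32 is sign-extended
    if len(code) >= 2 and code[0] == 0xEB:                          # jmp rel8
        return "jmp rel8", (addr + 2 + struct.unpack_from("<b", code, 1)[0]) & MASK64
    if code and code[0] == 0xCC:                                    # int3 at entry
        return "int3", None
    return None


def classify_prologue(code, addr, kernel_text=SAMPLE_KERNEL_TEXT):
    """Classify the first bytes of a function at virtual address `addr`.

    'hooked'    : control leaves immediately for an address outside kernel
                  text (e.g. module space) or one not resolvable statically;
    'tail-call' : an immediate jump that stays inside kernel text, which a
                  compiler may legitimately emit, so only worth a look;
    'clean'     : an ordinary prologue.
    """
    where = "entry"
    hit = _transfer_at(code, addr)
    fentry = len(code) >= 5 and (code[0] == 0xE8 or code[:5] == b"\x0F\x1F\x44\x00\x00")
    if hit is None and fentry:
        where = "after fentry slot"
        hit = _transfer_at(code[5:], addr + 5)
    if hit is None:
        return {"verdict": "clean", "kind": None, "target": None, "where": None}
    kind, target = hit
    lo, hi = kernel_text
    verdict = "tail-call" if target is not None and lo <= target < hi else "hooked"
    return {"verdict": verdict, "kind": kind, "target": target, "where": where}


def make_jmp_rel32(from_addr, to_addr):
    """Build an `E9 rel32` jumping from `from_addr` to `to_addr` (test data only)."""
    return b"\xE9" + struct.pack("<i", to_addr - (from_addr + 5))


# Constructed samples: a normal prologue (push rbp; mov rbp,rsp) with and
# without the fentry call, the same entry overwritten by a jump to a module
# address, and a jump that stays inside kernel text.
FUNC_ADDR = 0xFFFFFFFF81100000
MODULE_ADDR = 0xFFFFFFFFC0008000
CLEAN = b"\x55\x48\x89\xE5"
CLEAN_FENTRY = b"\xE8\x00\x00\x00\x00" + CLEAN
HOOKED = make_jmp_rel32(FUNC_ADDR, MODULE_ADDR)
HOOKED_AFTER_FENTRY = CLEAN_FENTRY[:5] + make_jmp_rel32(FUNC_ADDR + 5, MODULE_ADDR)
TAIL_CALL = make_jmp_rel32(FUNC_ADDR, 0xFFFFFFFF81200000)

if __name__ == "__main__":
    for name, code in [("clean", CLEAN), ("clean+fentry", CLEAN_FENTRY),
                       ("hooked", HOOKED), ("hooked after fentry", HOOKED_AFTER_FENTRY),
                       ("tail call", TAIL_CALL)]:
        print(f"{name:20s} {classify_prologue(code, FUNC_ADDR)}")
```

This is the "non-extensible" version the issue anticipates: it recognises a fixed set of trampolines rather than disassembling, so a hook that uses a different sequence slips through, and a jump into kernel text only gets flagged as a tail call. Comparing the live bytes against the on-disk vmlinux for the same symbol would catch both, at the cost of handling alternatives/paravirt patching.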
I tried to launch tyton in my VirtualBox system: Linux debian 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3 (2019-02-02) x86_64 GNU/Linux
I installed dependencies and compiled all.
When I ran insmod tyton.ko, my system froze and became unusable.
Hi, the build fails with the clear linux kernel.
$ make
make -C /lib/modules/5.3.7-3-clear/build M=/home/danhyal/tyton modules
make[1]: Entering directory '/usr/lib/modules/5.3.7-3-clear/build'
CC [M] /home/danhyal/tyton/src/core.o
CC [M] /home/danhyal/tyton/src/util.o
CC [M] /home/danhyal/tyton/src/proc.o
CC [M] /home/danhyal/tyton/src/module_list.o
CC [M] /home/danhyal/tyton/src/syscall_hooks.o
CC [M] /home/danhyal/tyton/src/network_hooks.o
CC [M] /home/danhyal/tyton/src/netfilter_hooks.o
/home/danhyal/tyton/src/netfilter_hooks.c: In function ‘nf_hook_entry_head’:
/home/danhyal/tyton/src/netfilter_hooks.c:125:15: error: ‘struct net_device’ has no member named ‘nf_hooks_ingress’
125 | return &dev->nf_hooks_ingress;
| ^~
make[2]: *** [scripts/Makefile.build:281: /home/danhyal/tyton/src/netfilter_hooks.o] Error 1
make[1]: *** [Makefile:1626: _module_/home/danhyal/tyton] Error 2
make[1]: Leaving directory '/usr/lib/modules/5.3.7-3-clear/build'
make: *** [Makefile:19: module] Error 2
https://github.com/nbulischeck/tyton/blob/master/src/syscall_hooks.c#L31
Currently it just says "Hooked by an unknown module". We can figure that out now.
Hi, nice idea, I really like it.
I'm trying to test the tool on my Gentoo (Pentoo) Linux where I chose not to use systemd. It currently uses udev with openrc.
Is it possible to use any other available mechanisms and get notifications working?
Thanks
https://github.com/nbulischeck/tyton/blob/master/src/syscall_hooks.c#L30
There should be a check here to make sure that a name was returned before suggesting that a syscall is hooked.
Please
https://github.com/nbulischeck/tyton/blob/master/src/interrupt_hooks.c#L28
Same concept as the syscall hook bug. Easy resolution.
Most likely the integration will be modeled off of the work done on Skeleton Tree.
Hi, I'm using the latest git (20200604) and getting the following error:
make -j12 HOSTCC=x86_64-pc-linux-gnu-gcc CROSS_COMPILE=x86_64-pc-linux-gnu- 'LDFLAGS=-m elf_x86_64' clean module
make -C /lib/modules/5.11.10-pentoo/build M=/var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e clean
make -C ./notify clean
make -C /lib/modules/5.11.10-pentoo/build M=/var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e modules
make[1]: warning: jobserver unavailable: using -j1. Add '+' to parent make rule.
make[1]: warning: jobserver unavailable: using -j1. Add '+' to parent make rule.
make[1]: Entering directory '/var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/notify'
make[1]: warning: jobserver unavailable: using -j1. Add '+' to parent make rule.
make[1]: Entering directory '/usr/src/linux-5.11.10-pentoo'
make[1]: Entering directory '/usr/src/linux-5.11.10-pentoo'
Package libsystemd was not found in the pkg-config search path.
Perhaps you should add the directory containing `libsystemd.pc'
to the PKG_CONFIG_PATH environment variable
Package 'libsystemd', required by 'virtual:world', not found
Package libsystemd-journal was not found in the pkg-config search path.
Perhaps you should add the directory containing `libsystemd-journal.pc'
to the PKG_CONFIG_PATH environment variable
Package 'libsystemd-journal', required by 'virtual:world', not found
rm -f tyton-notify
make[1]: Leaving directory '/var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/notify'
CLEAN /var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/Module.symvers
make[1]: Leaving directory '/usr/src/linux-5.11.10-pentoo'
CC [M] /var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/core.o
CC [M] /var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/util.o
CC [M] /var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/proc.o
CC [M] /var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/module_list.o
CC [M] /var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/syscall_hooks.o
CC [M] /var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/network_hooks.o
CC [M] /var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/netfilter_hooks.o
In file included from ./include/linux/rbtree.h:22,
from ./include/linux/mm_types.h:10,
from ./include/linux/mmzone.h:21,
from ./include/linux/gfp.h:6,
from ./include/linux/mm.h:10,
from ./include/linux/bvec.h:14,
from ./include/linux/skbuff.h:17,
from ./include/linux/netfilter.h:6,
from /var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/netfilter_hooks.c:1:
/var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/netfilter_hooks.c: In function ‘analyze_netfilter’:
/var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/netfilter_hooks.c:10:48: error: ‘nf_hook_mutex’ undeclared (first use in this function); did you mean ‘nf_hook_entry’?
10 | rcu_dereference_protected(e, lockdep_is_held(&nf_hook_mutex))
| ^~~~~~~~~~~~~
./include/linux/rcupdate.h:339:52: note: in definition of macro ‘RCU_LOCKDEP_WARN’
339 | #define RCU_LOCKDEP_WARN(c, s) do { } while (0 && (c))
| ^
./include/linux/rcupdate.h:556:2: note: in expansion of macro ‘__rcu_dereference_protected’
556 | __rcu_dereference_protected((p), (c), __rcu)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
/var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/netfilter_hooks.c:10:2: note: in expansion of macro ‘rcu_dereference_protected’
10 | rcu_dereference_protected(e, lockdep_is_held(&nf_hook_mutex))
| ^~~~~~~~~~~~~~~~~~~~~~~~~
/var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/netfilter_hooks.c:203:8: note: in expansion of macro ‘nf_entry_dereference’
203 | p = nf_entry_dereference(*pp);
| ^~~~~~~~~~~~~~~~~~~~
/var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/netfilter_hooks.c:10:48: note: each undeclared identifier is reported only once for each function it appears in
10 | rcu_dereference_protected(e, lockdep_is_held(&nf_hook_mutex))
| ^~~~~~~~~~~~~
./include/linux/rcupdate.h:339:52: note: in definition of macro ‘RCU_LOCKDEP_WARN’
339 | #define RCU_LOCKDEP_WARN(c, s) do { } while (0 && (c))
| ^
./include/linux/rcupdate.h:556:2: note: in expansion of macro ‘__rcu_dereference_protected’
556 | __rcu_dereference_protected((p), (c), __rcu)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
/var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/netfilter_hooks.c:10:2: note: in expansion of macro ‘rcu_dereference_protected’
10 | rcu_dereference_protected(e, lockdep_is_held(&nf_hook_mutex))
| ^~~~~~~~~~~~~~~~~~~~~~~~~
/var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/netfilter_hooks.c:203:8: note: in expansion of macro ‘nf_entry_dereference’
203 | p = nf_entry_dereference(*pp);
| ^~~~~~~~~~~~~~~~~~~~
make[2]: *** [scripts/Makefile.build:279: /var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/netfilter_hooks.o] Error 1
make[1]: *** [Makefile:1808: /var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e] Error 2
make[1]: Leaving directory '/usr/src/linux-5.11.10-pentoo'
make: *** [Makefile:19: module] Error 2
It would be useful to whitelist the netfilter and iptables modules from the netfilter hook alerts, in order to remove false positives. On Ubuntu 18.04 I have: nf_conntrack_ipv4, iptable_nat, iptable_mangle, iptable_filter, nf_defrag_ipv4 and br_netfilter.
Thanks!
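The userland notification issue earlier on this page (journal message acted on by something that talks to libnotify) and the whitelist request just above fit together in one small tool. As an added example that is not tyton's code, the Python below follows the kernel journal, picks out tyton's messages, drops netfilter-hook alerts owned by the Ubuntu 18.04 modules listed above, and hands the rest to notify-send. The message format matched here (`tyton: <category>: <text>`) and the sample journal lines are constructed assumptions, not tyton's real output, so MESSAGE_RE has to be adjusted to the strings the module actually logs; it also assumes journalctl and notify-send are on PATH.

```python
"""Turn tyton journal messages into desktop notifications, with an allowlist.

Added example, not tyton's code. The message format and the sample lines are
constructed; NETFILTER_ALLOWLIST is the Ubuntu 18.04 module list from the
issue above.
"""
import re
import shlex
import subprocess

# Constructed format; tyton's real log lines may differ.
MESSAGE_RE = re.compile(r"kernel:\s+tyton:\s+(?P<category>[^:]+):\s+(?P<text>.+)$")
MODULE_RE = re.compile(r"\bmodule[:\s]+(?P<name>[A-Za-z0-9_-]+)", re.IGNORECASE)

# Modules that legitimately register netfilter hooks on Ubuntu 18.04.
NETFILTER_ALLOWLIST = frozenset({
    "nf_conntrack_ipv4", "iptable_nat", "iptable_mangle",
    "iptable_filter", "nf_defrag_ipv4", "br_netfilter",
})


def parse_journal_line(line):
    """Return {'category', 'text', 'module'} for a tyton line, else None."""
    m = MESSAGE_RE.search(line)
    if not m:
        return None
    text = m.group("text")
    mod = MODULE_RE.search(text)
    return {"category": m.group("category").strip().lower(),
            "text": text,
            "module": mod.group("name") if mod else None}


def should_alert(event, allowlist=NETFILTER_ALLOWLIST):
    """Suppress netfilter-hook events attributed to an allowlisted module.
    Anything else tyton reports (syscall hooks, hidden modules, hooks by an
    unknown module) is alerted on."""
    if event["category"] == "netfilter" and event["module"] in allowlist:
        return False
    return True


def filter_alerts(lines, allowlist=NETFILTER_ALLOWLIST):
    """Parse journal lines and keep the events worth notifying about."""
    events = (parse_journal_line(line) for line in lines)
    return [e for e in events if e is not None and should_alert(e, allowlist)]


def notification_argv(event):
    """notify-send command for an event, at critical urgency."""
    summary = f"tyton: {event['category']} alert"
    return ["notify-send", "-u", "critical", summary, event["text"]]


def notify(event):
    subprocess.run(notification_argv(event), check=False)


def follow_journal(allowlist=NETFILTER_ALLOWLIST):
    """Stream `journalctl -k -f` and notify on every alert-worthy line."""
    proc = subprocess.Popen(["journalctl", "-k", "-f", "-n", "0", "-o", "short"],
                            stdout=subprocess.PIPE, text=True)
    for line in proc.stdout:
        event = parse_journal_line(line)
        if event and should_alert(event, allowlist):
            notify(event)


# Constructed sample journal lines (format assumed, see module docstring).
SAMPLE_LINES = [
    "Jan 22 08:50:01 host kernel: tyton: netfilter: Netfilter hook hooked by module: iptable_filter",
    "Jan 22 08:50:01 host kernel: tyton: netfilter: Netfilter hook hooked by module: br_netfilter",
    "Jan 22 08:50:02 host kernel: tyton: netfilter: Netfilter hook hooked by an unknown module",
    "Jan 22 08:50:03 host kernel: tyton: syscall: sys_kill hooked by module: unknown",
    "Jan 22 08:50:04 host kernel: e1000: eth0 NIC Link is Up 1000 Mbps",
]

if __name__ == "__main__":
    # Dry run over the samples; call follow_journal() to watch the live journal.
    for event in filter_alerts(SAMPLE_LINES):
        print(shlex.join(notification_argv(event)))
```

Two points on the allowlist: it keys on the module name tyton reports, so it is only as trustworthy as the module list itself (tyton's hidden-module checks are what make that name meaningful), and hooks that tyton cannot attribute to any module are never suppressed.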