Learning by practicing: 2021

In the previous post, I added parameters to my module. In this post, I am learning more about reading information on Linux processes.

Here is my code.

/*
 * Learning about Linux Process Information
 * This code mereley reads various data about a process whose PID is entered as a parameter via the Loadable Kernel Module (LKM)
 * Author: Nik Alleyne
 * Author Blog: www.securitynik.com
 * Filename: processInfo.c
 */

// reference the header files to be used
#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <asm/current.h>
#include <linux/sched/signal.h>
#include <linux/fs.h>
#include <linux/slab.h>
#include <net/sock.h>
#include <linux/socket.h>
#include <linux/net.h>
#include <linux/cred.h>

static int pid_to_lookup = 0;
module_param(pid_to_lookup, int, S_IRUGO);
MODULE_PARM_DESC(pid_to_lookup, "Specify a PIDr, 2 is invalid.");


// Define the code to execute at module installation
static int __init startup(void)
	{	
		printk(KERN_INFO "[*] Entering the kernel ...\n");
				
		// Print information for current PID - basically the insmod module
		// Get current process executable name
		printk(KERN_INFO "[*] Process Name: %s \n", current->comm);

		// Get current process PID
		printk(KERN_INFO "[*] Process %s has PID: %i \n", current->comm, current->pid);

		// Get current task group ID (TGID)
		printk(KERN_INFO "[*] Process %s has TGID: %i \n", current->comm, current->tgid);

		// Getting the UID and EUID of the current process. This process is more than likely insmod
		// This comes from linux/cred.h
		const struct cred *current_process_cred = current_cred();
		printk(KERN_INFO "\n[*] Current Process UID: %d\n", current_process_cred->uid);
		printk(KERN_INFO "[*] Current Process GID: %d \n ", current_process_cred->gid);
		printk(KERN_INFO "n[*] Current Process Effectie UID: %d\n", current_process_cred->uid);
		printk(KERN_INFO "[*] Current Process Effective GID: %d \n ", current_process_cred->egid);
		printk(KERN_INFO "[*] Current Process Saved SUID: %d\n", current_process_cred->suid);
		printk(KERN_INFO "[*] Current Process SGID: %d \n ", current_process_cred->sgid);
		
		// Create a pointer to the task structure
		struct task_struct *target_process_structure;
		
		// Create another pointer to the task structure. This one is to track the threads
		struct task_struct *thread_info;

		// Print information for the PID being looked up
		target_process_structure = pid_task(find_vpid(pid_to_lookup), PIDTYPE_PID);

		if (target_process_structure)
			{
				// Info on process executing calling this Kernel module
				printk(KERN_INFO " [*] The process you specified has name %s\n", target_process_structure->comm);
				printk(KERN_INFO " [*] The %s process is in state %ld\n", target_process_structure->comm, target_process_structure->state);
				printk(KERN_INFO " [*] The %s process has the following flags %ua\n\n", target_process_structure->comm, target_process_structure->flags);
				// printk(KERN_INFO " [*] The %s process ptrace info  %d\n", target_process_structure->comm, target_process_structure->ptrace);
				
				printk(KERN_INFO "[*] ******************************* BEGINNING OF PID:%d INFORMATION **********************************\n", target_process_structure->pid);

				// Info on the process which was entered as the parameter
				printk(KERN_INFO " [*] The %s process is running on CPU %d \n", target_process_structure->comm, target_process_structure->on_cpu);
				printk(KERN_INFO " [*] The %s process current CPU %d \n", target_process_structure->comm, target_process_structure->cpu);

				printk(KERN_INFO " [*] The %s process wakee flips %u \n", target_process_structure->comm, target_process_structure->wakee_flips);
				
				printk(KERN_INFO " [*] The %s process wakee Flip Decay Timestamp  %ld \n\n", target_process_structure->comm, target_process_structure->wakee_flip_decay_ts);
			
			
				printk(KERN_INFO " [*] The %s process is recently used CPU %d \n", target_process_structure->comm, target_process_structure->recent_used_cpu);
				printk(KERN_INFO " [*] The %s process wake CPU  %d \n\n", target_process_structure->comm, target_process_structure->wake_cpu);
				printk(KERN_INFO " [*] The %s process on rq %d \n", target_process_structure->comm, target_process_structure->on_rq);
				printk(KERN_INFO " [*] The %s process Prio  %d \n", target_process_structure->comm, target_process_structure->prio);
				printk(KERN_INFO " [*] The %s process Static Prio  %d \n", target_process_structure->comm, target_process_structure->static_prio);
				printk(KERN_INFO " [*] The %s process Normal Prio  %d \n", target_process_structure->comm, target_process_structure->normal_prio);
				printk(KERN_INFO " [*] The %s process Rt Prio  %u \n", target_process_structure->comm, target_process_structure->rt_priority);


				printk(KERN_INFO " [*] The %s process btrace seq  %d \n\n", target_process_structure->comm, target_process_structure->btrace_seq);
				printk(KERN_INFO " [*] The %s process Policy  %u \n", target_process_structure->comm, target_process_structure->policy);
				printk(KERN_INFO " [*] The %s process Number of CPUs allowed  %d \n", target_process_structure->comm, target_process_structure->nr_cpus_allowed);

				printk(KERN_INFO " [*] The %s process Exit State  %d \n\n", target_process_structure->comm, target_process_structure->exit_state);
				printk(KERN_INFO " [*] The %s process Exit Code  %d \n", target_process_structure->comm, target_process_structure->exit_code);
				printk(KERN_INFO " [*] The %s process Exit Signal  %d \n", target_process_structure->comm, target_process_structure->exit_signal);
				printk(KERN_INFO " [*] The %s process Pdeath signal  %d \n", target_process_structure->comm, target_process_structure->pdeath_signal);


				printk(KERN_INFO " [*] The %s process Job CTL  %ld \n\n", target_process_structure->comm, target_process_structure->jobctl);
				printk(KERN_INFO " [*] The %s process Peronality  %d \n", target_process_structure->comm, target_process_structure->personality);


				printk(KERN_INFO " [*] The %s process Atomic flags  %ld \n", target_process_structure->comm, target_process_structure->atomic_flags);

				printk(KERN_INFO " [*] The %s process has PID %d\n", target_process_structure->comm, target_process_structure->pid);
				printk(KERN_INFO " [*] The %s process has TGID %d\n\n", target_process_structure->comm, target_process_structure->tgid);

				// Real Parent Information 
				printk(KERN_INFO " [*] The %s process Real Parent executable  %s\n", target_process_structure->comm, target_process_structure->real_parent->comm);
				printk(KERN_INFO " [*] The %s process Real Parent PID  %d\n", target_process_structure->comm, target_process_structure->real_parent->pid);
				printk(KERN_INFO " [*] The %s process Real Parent TGID  %d\n\n", target_process_structure->comm, target_process_structure->real_parent->tgid);

				// Parent Information 
				printk(KERN_INFO " [*] The %s process Parent executable  %s\n", target_process_structure->comm, target_process_structure->real_parent->comm);
				printk(KERN_INFO " [*] The %s process parent PID  %d\n", target_process_structure->comm, target_process_structure->real_parent->pid);
				printk(KERN_INFO " [*] The %s process parent TGID  %d\n", target_process_structure->comm, target_process_structure->real_parent->tgid);
			
				printk(KERN_INFO " [*] The %s process Canary value  %lu \n", target_process_structure->comm, target_process_structure->stack_canary);
				
				printk(KERN_INFO " [*] The %s process UTIME   %llu \n\n", target_process_structure->comm, target_process_structure->utime);
				printk(KERN_INFO " [*] The %s process STIME  %llu \n", target_process_structure->comm, target_process_structure->stime);

				printk(KERN_INFO " [*] The %s process Start Time %lld \n", target_process_structure->comm, target_process_structure->start_time);
				printk(KERN_INFO " [*] The %s process Start Boot Time %lld \n\n", target_process_structure->comm, target_process_structure->start_boottime);
				
				//Get information on target process permission
				//This information comes from linux/cred.h
				printk(KERN_INFO "[*] The process %s has real UID:%d \n", target_process_structure->comm, task_uid(target_process_structure).val);
				printk(KERN_INFO "[*] The process %s has effective UID:%d \n", target_process_structure->comm, task_euid(target_process_structure).val);

				// Thread Information
				// Leverages linux/sched/signal.h
				printk(KERN_INFO " [*] The %s process has %d threads \n", target_process_structure->comm, target_process_structure->signal->nr_threads);	

			
				// Enumerate the threads in the process
				// print information on the binary, PID, PPID
				for_each_thread(target_process_structure, thread_info)
					{
						printk(KERN_INFO "[*] Thread executable name:%s  :: Thread PID:%d :: Thread TGID:%d \n :: Running on CPU:%d :: Current CPU:%d", thread_info->comm, thread_info->pid, thread_info->tgid, thread_info->on_cpu, thread_info->cpu); 
					}


				// Get full path of the binary
				// relies on fs.h. This information is not available by default.
				
				// Check to see if the process memory map is null
				printk(KERN_INFO "\n");
				
				// Setup two pointers for the binary paths
				char *temporary_path;
				char *full_binary_path;

				if (target_process_structure->mm)
					{
						printk(KERN_INFO "[*] Memory map exists \n");

						// Semaphore with read bias
						down_read(&target_process_structure->mm->mmap_sem);
						
						if (target_process_structure->mm->exe_file)
							{
								printk(KERN_INFO "[*] Info found on executable \n");
								
								// allocate normal kernel ram. May sleep 
								// Below sees to allocate memory in 4096 bytes chunk
								temporary_path = kmalloc(PATH_MAX, GFP_KERNEL);
								
								if (!temporary_path)
									{
										// printk(KERN_ERR "[!] Error occurred while allocating memory \n");
										panic("[!] FAILED TO ALLOCATE MEMORY in Kerneln");
									}
								else
									{
										printk(KERN_INFO "[*] Allocated memory in %lu bytes chunk\n", ksize(temporary_path));
										printk(KERN_INFO "[*] Target Process Memory Address: %p", &target_process_structure);
										
										// Get the full binary path of the executable
										full_binary_path = d_path(&target_process_structure->mm->exe_file->f_path, temporary_path, PATH_MAX);
										printk(KERN_INFO "[*] Full binary path is: %s \n", full_binary_path);	
									}

								// Free the previously allocated memory
								kfree(temporary_path);

							}
						else
							{
								printk(KERN_INFO "[*] Looks like we have an error ... \n");
							}

						// release the memory map semaphore
						up_read(&target_process_structure->mm->mmap_sem);
					}
				else
					{
						printk(KERN_INFO "[!] WARNING. No memory map found \n");
					}
				
				printk(KERN_INFO "[*] ************************************ END OF PROCESS INFORMATION **********************************\n");
							
			}

		else
			{
				printk(KERN_ERR "[!] ERROR! PID %d is an invalid PID \n", pid_to_lookup);
				return -EINVAL;
			}

		return 0;
	}


// Define the code to execute at module uninstall time
static void __exit exiting(void)
	{
		printk(KERN_INFO "[*] See ya! ...\n");
	}


module_init(startup);
module_exit(exiting);


MODULE_LICENSE("GPL v2");
MODULE_AUTHOR("Nik Alleyne - www.securitynik.com");
MODULE_DESCRIPTION("In this code, I am learning about processes \n");
MODULE_VERSION("0.1a");

/* 
 * References:
 * https://elixir.bootlin.com/linux/v5.5.6/source/include/linux/sched.h
 * https://elixir.bootlin.com/linux/latest/source/include/linux/pid.h
 * https://stackoverflow.com/questions/21259672/kernel-right-way-to-check-if-process-is-running-in-c
 * https://elixir.bootlin.com/linux/v5.5.6/source/include/linux/sched.h
 * https://www-numi.fnal.gov/offline_software/srt_public_context/WebDocs/Errors/unix_system_errors.html
 * https://www.man7.org/linux/man-pages/man3/errno.3.html
 * https://elixir.bootlin.com/linux/latest/source/include/linux/sched/signal.h
 * https://0xax.gitbooks.io/linux-insides/content/SyncPrim/linux-sync-3.html
 * https://0xax.gitbooks.io/linux-insides/content/SyncPrim/linux-sync-5.html
 * https://www.kernel.org/doc/html/latest/core-api/printk-formats.html
 */

Now that we have the code, here is my "Makefile":

obj-m += processInfo.o

all:
	make --directory=/lib/modules/$(shell uname --kernel-release)/build/ M=$(PWD) modules

clean:
	make --directory=/lib/modules/$(shell uname --kernel-release)/build/    M=$(PWD) clean

Let's execute "make all". Honestly, as you can see below, there are a number of warnings. However, all the necessary output file were created and I choose not to spend more time figuring out the warnings as I ran out of time learning this. I had a SANS SEC504 class to teach in a few days. Here is what I got.

kali@securitynik:~/rootkits/processInfo$ make all
make --directory=/lib/modules/5.5.0-kali2-amd64/build/ M=/home/kali/rootkits/processInfo modules
make[1]: Entering directory '/usr/src/linux-headers-5.5.0-kali2-amd64'
  CC [M]  /home/kali/rootkits/processInfo/processInfo.o
/home/kali/rootkits/processInfo/processInfo.c: In function ‘startup’:
/home/kali/rootkits/processInfo/processInfo.c:44:3: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
   44 |   const struct cred *current_process_cred = current_cred();
      |   ^~~~~
In file included from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/printk.h:7,
                 from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/kernel.h:15,
                 from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/list.h:9,
                 from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/module.h:12,
                 from /home/kali/rootkits/processInfo/processInfo.c:11:
/usr/src/linux-headers-5.5.0-kali2-common/include/linux/kern_levels.h:5:18: warning: format ‘%d’ expects argument of type ‘int’, but argument 2 has type ‘kuid_t’ {aka ‘const struct <anonymous>’} [-Wformat=]
    5 | #define KERN_SOH "\001"  /* ASCII Start Of Header */
      |                  ^~~~~~
/usr/src/linux-headers-5.5.0-kali2-common/include/linux/kern_levels.h:14:19: note: in expansion of macro ‘KERN_SOH’
   14 | #define KERN_INFO KERN_SOH "6" /* informational */
      |                   ^~~~~~~~
/home/kali/rootkits/processInfo/processInfo.c:45:10: note: in expansion of macro ‘KERN_INFO’
   45 |   printk(KERN_INFO "\n[*] Current Process UID: %d\n", current_process_cred->uid);
      |          ^~~~~~~~~
/home/kali/rootkits/processInfo/processInfo.c:45:49: note: format string is defined here
   45 |   printk(KERN_INFO "\n[*] Current Process UID: %d\n", current_process_cred->uid);
      |                                                ~^
      |                                                 |
      |                                                 int
In file included from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/printk.h:7,
                 from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/kernel.h:15,
                 from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/list.h:9,
                 from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/module.h:12,
                 from /home/kali/rootkits/processInfo/processInfo.c:11:
/usr/src/linux-headers-5.5.0-kali2-common/include/linux/kern_levels.h:5:18: warning: format ‘%d’ expects argument of type ‘int’, but argument 2 has type ‘kgid_t’ {aka ‘const struct <anonymous>’} [-Wformat=]
    5 | #define KERN_SOH "\001"  /* ASCII Start Of Header */
      |                  ^~~~~~
/usr/src/linux-headers-5.5.0-kali2-common/include/linux/kern_levels.h:14:19: note: in expansion of macro ‘KERN_SOH’
   14 | #define KERN_INFO KERN_SOH "6" /* informational */
      |                   ^~~~~~~~
/home/kali/rootkits/processInfo/processInfo.c:46:10: note: in expansion of macro ‘KERN_INFO’
   46 |   printk(KERN_INFO "[*] Current Process GID: %d \n ", current_process_cred->gid);
      |          ^~~~~~~~~
/home/kali/rootkits/processInfo/processInfo.c:46:47: note: format string is defined here
   46 |   printk(KERN_INFO "[*] Current Process GID: %d \n ", current_process_cred->gid);
      |                                              ~^
      |                                               |
      |                                               int
In file included from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/printk.h:7,
                 from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/kernel.h:15,
                 from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/list.h:9,
                 from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/module.h:12,
                 from /home/kali/rootkits/processInfo/processInfo.c:11:
/usr/src/linux-headers-5.5.0-kali2-common/include/linux/kern_levels.h:5:18: warning: format ‘%d’ expects argument of type ‘int’, but argument 2 has type ‘kuid_t’ {aka ‘const struct <anonymous>’} [-Wformat=]
    5 | #define KERN_SOH "\001"  /* ASCII Start Of Header */
      |                  ^~~~~~
/usr/src/linux-headers-5.5.0-kali2-common/include/linux/kern_levels.h:14:19: note: in expansion of macro ‘KERN_SOH’
   14 | #define KERN_INFO KERN_SOH "6" /* informational */
      |                   ^~~~~~~~
/home/kali/rootkits/processInfo/processInfo.c:47:10: note: in expansion of macro ‘KERN_INFO’
   47 |   printk(KERN_INFO "n[*] Current Process Effectie UID: %d\n", current_process_cred->uid);
      |          ^~~~~~~~~
/home/kali/rootkits/processInfo/processInfo.c:47:57: note: format string is defined here
   47 |   printk(KERN_INFO "n[*] Current Process Effectie UID: %d\n", current_process_cred->uid);
      |                                                        ~^
      |                                                         |
      |                                                         int
In file included from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/printk.h:7,
                 from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/kernel.h:15,
                 from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/list.h:9,
                 from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/module.h:12,
                 from /home/kali/rootkits/processInfo/processInfo.c:11:
/usr/src/linux-headers-5.5.0-kali2-common/include/linux/kern_levels.h:5:18: warning: format ‘%d’ expects argument of type ‘int’, but argument 2 has type ‘kgid_t’ {aka ‘const struct <anonymous>’} [-Wformat=]
    5 | #define KERN_SOH "\001"  /* ASCII Start Of Header */
      |                  ^~~~~~
/usr/src/linux-headers-5.5.0-kali2-common/include/linux/kern_levels.h:14:19: note: in expansion of macro ‘KERN_SOH’
   14 | #define KERN_INFO KERN_SOH "6" /* informational */
      |                   ^~~~~~~~
/home/kali/rootkits/processInfo/processInfo.c:48:10: note: in expansion of macro ‘KERN_INFO’
   48 |   printk(KERN_INFO "[*] Current Process Effective GID: %d \n ", current_process_cred->egid);
      |          ^~~~~~~~~
/home/kali/rootkits/processInfo/processInfo.c:48:57: note: format string is defined here
   48 |   printk(KERN_INFO "[*] Current Process Effective GID: %d \n ", current_process_cred->egid);
      |                                                        ~^
      |                                                         |
      |                                                         int
In file included from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/printk.h:7,
                 from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/kernel.h:15,
                 from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/list.h:9,
                 from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/module.h:12,
                 from /home/kali/rootkits/processInfo/processInfo.c:11:
/usr/src/linux-headers-5.5.0-kali2-common/include/linux/kern_levels.h:5:18: warning: format ‘%d’ expects argument of type ‘int’, but argument 2 has type ‘kuid_t’ {aka ‘const struct <anonymous>’} [-Wformat=]
    5 | #define KERN_SOH "\001"  /* ASCII Start Of Header */
      |                  ^~~~~~
/usr/src/linux-headers-5.5.0-kali2-common/include/linux/kern_levels.h:14:19: note: in expansion of macro ‘KERN_SOH’
   14 | #define KERN_INFO KERN_SOH "6" /* informational */
      |                   ^~~~~~~~
/home/kali/rootkits/processInfo/processInfo.c:49:10: note: in expansion of macro ‘KERN_INFO’
   49 |   printk(KERN_INFO "[*] Current Process Saved SUID: %d\n", current_process_cred->suid);
      |          ^~~~~~~~~
/home/kali/rootkits/processInfo/processInfo.c:49:54: note: format string is defined here
   49 |   printk(KERN_INFO "[*] Current Process Saved SUID: %d\n", current_process_cred->suid);
      |                                                     ~^
      |                                                      |
      |                                                      int
In file included from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/printk.h:7,
                 from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/kernel.h:15,
                 from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/list.h:9,
                 from /usr/src/linux-headers-5.5.0-kali2-common/include/linux/module.h:12,
                 from /home/kali/rootkits/processInfo/processInfo.c:11:
/usr/src/linux-headers-5.5.0-kali2-common/include/linux/kern_levels.h:5:18: warning: format ‘%d’ expects argument of type ‘int’, but argument 2 has type ‘kgid_t’ {aka ‘const struct <anonymous>’} [-Wformat=]
    5 | #define KERN_SOH "\001"  /* ASCII Start Of Header */
      |                  ^~~~~~
/usr/src/linux-headers-5.5.0-kali2-common/include/linux/kern_levels.h:14:19: note: in expansion of macro ‘KERN_SOH’
   14 | #define KERN_INFO KERN_SOH "6" /* informational */
      |                   ^~~~~~~~
/home/kali/rootkits/processInfo/processInfo.c:50:10: note: in expansion of macro ‘KERN_INFO’
   50 |   printk(KERN_INFO "[*] Current Process SGID: %d \n ", current_process_cred->sgid);
      |          ^~~~~~~~~
/home/kali/rootkits/processInfo/processInfo.c:50:48: note: format string is defined here
   50 |   printk(KERN_INFO "[*] Current Process SGID: %d \n ", current_process_cred->sgid);
      |                                               ~^
      |                                                |
      |                                                int
/home/kali/rootkits/processInfo/processInfo.c:53:3: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
   53 |   struct task_struct *target_process_structure;
      |   ^~~~~~
/home/kali/rootkits/processInfo/processInfo.c:151:5: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
  151 |     char *temporary_path;
      |     ^~~~
  Building modules, stage 2.
  MODPOST 1 modules
  CC [M]  /home/kali/rootkits/processInfo/processInfo.mod.o
  LD [M]  /home/kali/rootkits/processInfo/processInfo.ko
make[1]: Leaving directory '/usr/src/linux-headers-5.5.0-kali2-amd64'

However, even with the errors, here is what we got from the make process.

1
2
3

kali@securitynik:~/rootkits/processInfo$ ls
Makefile       Module.symvers  processInfo.c.ORIG          processInfo.ko   processInfo.mod.c  processInfo.o
modules.order  processInfo.c   processInfo.c.WITH_THREADS  processInfo.mod  processInfo.mod.o

Learning about the module before installing it.

kali@securitynik:~/rootkits/processInfo$ sudo modinfo processInfo.ko
filename:       /home/kali/rootkits/processInfo/processInfo.ko
version:        0.1a
description:    In this code, I am learning about processes 

author:         Nik Alleyne - www.securitynik.com
license:        GPL v2
srcversion:     87C84D6F8E9BEF120883007
depends:        
retpoline:      Y
name:           processInfo
vermagic:       5.5.0-kali2-amd64 SMP mod_unload modversions 
parm:           pid_to_lookup:Specify a PIDr, 2 is invalid. (int)

Let's now remove the clutter from my "dmesg" using "dmesg --clear".

1	kali@securitynik:~/rootkits/processInfo$ sudo dmesg --clear

Let's now take a process to learn about. Specifically, let's look at the "qterminal" process.

Here is what is returned when we execute "ps -eLf | grep qterm"

kali@securitynik:~/rootkits/processInfo$ ps -eLf | grep qterm
kali        1402       1    1402  1    7 Jul17 ?        00:02:06 /usr/bin/qterminal
kali        1402       1    1406  0    7 Jul17 ?        00:00:16 /usr/bin/qterminal
kali        1402       1    1423  0    7 Jul17 ?        00:00:00 /usr/bin/qterminal
kali        1402       1    1451  0    7 Jul17 ?        00:00:00 /usr/bin/qterminal
kali        1402       1    1452  0    7 Jul17 ?        00:00:00 /usr/bin/qterminal
kali        1402       1    1453  0    7 Jul17 ?        00:00:00 /usr/bin/qterminal
kali        1402       1    1454  0    7 Jul17 ?        00:00:00 /usr/bin/qterminal
kali       18118    1543   18118  0    1 00:32 pts/1    00:00:00 grep qterm

Using PID "1402", let's insert this module into the kernel.

1	kali@securitynik:~/rootkits/processInfo$ sudo insmod processInfo.ko pid_to_lookup=1402

We can confirm the module installed successfully, by using "lsmod".

kali@securitynik:~/rootkits/processInfo$ lsmod | more
Module                  Size  Used by
processInfo            16384  0
fuse                  139264  3
vboxvideo              45056  0
rfkill                 28672  2
vboxsf                 94208  1

....

Now that we have all the information above, let's see what dmesg reports for the module we inserted.

kali@securitynik:~/rootkits/processInfo$ sudo dmesg --ctime 
[Sat Jul 18 00:35:57 2020] [*] See ya! ...
[Sat Jul 18 00:36:01 2020] [*] Entering the kernel ...
[Sat Jul 18 00:36:01 2020] [*] Process Name: insmod 
[Sat Jul 18 00:36:01 2020] [*] Process insmod has PID: 18139 
[Sat Jul 18 00:36:01 2020] [*] Process insmod has TGID: 18139 
[Sat Jul 18 00:36:01 2020] 
                           [*] Current Process UID: 0
[Sat Jul 18 00:36:01 2020] [*] Current Process GID: 0 
                            
[Sat Jul 18 00:36:01 2020] n[*] Current Process Effectie UID: 0
[Sat Jul 18 00:36:01 2020] [*] Current Process Effective GID: 0 
                            
[Sat Jul 18 00:36:01 2020] [*] Current Process Saved SUID: 0
[Sat Jul 18 00:36:01 2020] [*] Current Process SGID: 0 
                            
[Sat Jul 18 00:36:01 2020]  [*] The process you specified has name qterminal
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process is in state 1
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process has the following flags 4194304a

[Sat Jul 18 00:36:01 2020] [*] ******************************* BEGINNING OF PID:1402 INFORMATION **********************************
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process is running on CPU 0 
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process current CPU 1 
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process wakee flips 13 
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process wakee Flip Decay Timestamp  4297021013 

[Sat Jul 18 00:36:01 2020]  [*] The qterminal process is recently used CPU 0 
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process wake CPU  1 

[Sat Jul 18 00:36:01 2020]  [*] The qterminal process on rq 0 
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process Prio  120 
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process Static Prio  120 
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process Normal Prio  120 
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process Rt Prio  0 
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process btrace seq  0 

[Sat Jul 18 00:36:01 2020]  [*] The qterminal process Policy  0 
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process Number of CPUs allowed  2 
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process Exit State  0 

[Sat Jul 18 00:36:01 2020]  [*] The qterminal process Exit Code  0 
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process Exit Signal  17 
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process Pdeath signal  0 
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process Job CTL  0 

[Sat Jul 18 00:36:01 2020]  [*] The qterminal process Peronality  0 
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process Atomic flags  0 
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process has PID 1402
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process has TGID 1402

[Sat Jul 18 00:36:01 2020]  [*] The qterminal process Real Parent executable  systemd
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process Real Parent PID  1
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process Real Parent TGID  1

[Sat Jul 18 00:36:01 2020]  [*] The qterminal process Parent executable  systemd
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process parent PID  1
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process parent TGID  1
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process Canary value  1452616746712831488 
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process UTIME   48780000000 

[Sat Jul 18 00:36:01 2020]  [*] The qterminal process STIME  39144000000 
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process Start Time 1460655914727 
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process Start Boot Time 1460655914834 

[Sat Jul 18 00:36:01 2020] [*] The process qterminal has real UID:1000 
[Sat Jul 18 00:36:01 2020] [*] The process qterminal has effective UID:1000 
[Sat Jul 18 00:36:01 2020]  [*] The qterminal process has 7 threads 
[Sat Jul 18 00:36:01 2020] [*] Thread executable name:qterminal  :: Thread PID:1402 :: Thread TGID:1402 
                            :: Running on CPU:0 :: Current CPU:1
[Sat Jul 18 00:36:01 2020] [*] Thread executable name:QXcbEventQueue  :: Thread PID:1406 :: Thread TGID:1402 
                            :: Running on CPU:0 :: Current CPU:1
[Sat Jul 18 00:36:01 2020] [*] Thread executable name:QDBusConnection  :: Thread PID:1423 :: Thread TGID:1402 
                            :: Running on CPU:0 :: Current CPU:0
[Sat Jul 18 00:36:01 2020] [*] Thread executable name:llvmpipe-0  :: Thread PID:1451 :: Thread TGID:1402 
                            :: Running on CPU:0 :: Current CPU:1
[Sat Jul 18 00:36:01 2020] [*] Thread executable name:llvmpipe-1  :: Thread PID:1452 :: Thread TGID:1402 
                            :: Running on CPU:0 :: Current CPU:1
[Sat Jul 18 00:36:01 2020] [*] Thread executable name:qterminal  :: Thread PID:1453 :: Thread TGID:1402 
                            :: Running on CPU:0 :: Current CPU:1
[Sat Jul 18 00:36:01 2020] [*] Thread executable name:qterminal  :: Thread PID:1454 :: Thread TGID:1402 
                            :: Running on CPU:0 :: Current CPU:1

[Sat Jul 18 00:36:01 2020] [*] Memory map exists 
[Sat Jul 18 00:36:01 2020] [*] Info found on executable 
[Sat Jul 18 00:36:01 2020] [*] Allocated memory in 4096 bytes chunk
[Sat Jul 18 00:36:01 2020] [*] Target Process Memory Address: 000000004dc12ef2
[Sat Jul 18 00:36:01 2020] [*] Full binary path is: /usr/bin/qterminal 
[Sat Jul 18 00:36:01 2020] [*] ************************************ END OF PROCESS INFORMATION **********************************
kali@securitynik:~/rootkits/processInfo$

That's it for this post. My code is in no way perfect. Especially as can be seen from the compilation. However, I learned a lot more than I knew before about Linux processes.

Reference:
Linux Rootkits for Red-Blue Teams (pentesteracademy.com)

Learning by practicing

Thursday, July 15, 2021

Continuing Linux Kernel Development - Learning about processes information