A forum for reverse engineering, OS internals and malware analysis 

TRON & SMP issue

Forum for discussion about kernel-mode development.

TRON & SMP issue

 #2764  by Orkblutt
 Thu Sep 16, 2010 3:36 pm
Hi,

I'm currently studying Tron's code... I'm not sure to understand why this technic can't be used on SMP systems without a major rewrite.
Someone can give me more information about this issue?

Regards,

Orkblutt

Re: TRON & SMP issue

 #2773  by Alex
 Fri Sep 17, 2010 6:52 pm
Could you post a link to sources of TRON?

Re: TRON & SMP issue

 #2775  by Orkblutt
 Fri Sep 17, 2010 7:51 pm
Hi Alex,

You can find the src and the slide here: http://www.openrce.org/downloads/details/234/

It's in fact an improvment of the "Shadow walker" rootkit. ( http://www.blackhat.com/presentations/b ... butler.pdf )
One of the knowed issue to this thechnic is to not support SMP systems. Look at page 50 of the Butler/Sparks presentation.

Actually I don't see why exactly... I must be missing something. Any idea?

Regards,

Orkblutt

Re: TRON & SMP issue

 #2788  by DeepBlueSea
 Sat Sep 18, 2010 11:58 pm
When writing to usermode memory in order to delete the Dll-Entries from the Ldr-Lists, he simply delays all interrupts with CLI on the actual CPU, which is unsafe for multiprocessor systems. He should have used queued spinlocks instead.
Also his whole sourcecode is only designed for singleprocessor systems. It needs some adjustments.

Re: TRON & SMP issue

 #2793  by Orkblutt
 Sun Sep 19, 2010 9:25 am
Hi DBS,
When writing to usermode memory in order to delete the Dll-Entries from the Ldr-Lists, he simply delays all interrupts with CLI on the actual CPU, which is unsafe for multiprocessor systems.
Yes... I noticed this point.
In fact I'm not interested at all by this part. The only interesting part, from my point of view, are the AddCloak/RemoveCloak methods. As mentioned in the Butler/Sparks paper, it's not safe on SMP system. But they not saying why exactly and I can't catch it atm.

Re: TRON & SMP issue

 #2794  by DeepBlueSea
 Sun Sep 19, 2010 10:34 am
Well he didn't really say it's not possible rather than support wasn't added.
Why don't you give it a go and try it?

Re: TRON & SMP issue

 #2808  by Orkblutt
 Mon Sep 20, 2010 10:08 am
Why don't you give it a go and try it?
In fact I am since 2 weeks and it looks to work fine with just some minor modifications. I was wondering there is something I couldn't see needing a major rewrite to be SMP compatible. Looks like I was wrong.
Anyway, thanks.

Orkblutt

Re: TRON & SMP issue

 #2849  by Alex
 Thu Sep 23, 2010 10:45 am
Also his whole sourcecode is only designed for singleprocessor systems. It needs some adjustments.
Process Hunter 1.1 (http://dl.dropbox.com/u/3760172/PHunter+PowerKILL.rar) contains good piece of synchronization code allowing for example to hook interrupts on multi core CPUs.

I also found this source based on Shadow Walker accidentally - http://vinay.uhooroo.com/ReverseEngineering/crcVert/

Alex
 Return to “Kernel-Mode Development”