Reverse Engineering Reptile Kernel module to Extract Authentication code
This time I will show how to (partially) reverse engineer a Linux kernel module. The module is larger than the usual kernel module because it is actually a Reptile-based rootkit dropped by an attacker.

Part 1. Get basic module information

First we gather basic module info with modinfo:

```
[root@lb lkrg-0.9.1]# modinfo falc0n
filename:       /lib/modules/3.10.0-1127.10.1.el7.x86_64/kernel/sdc/falc0n.ko
intree:         Y
license:        GPL
retpoline:      Y
rhelversion:    7.8
srcversion:     81F508029A53F7490CCDB44
depends:
vermagic:       3.10.0-1127.10.1.el7.x86_64 SMP mod_unload modversions
```

Nothing in this output vouches for the module: intree, license and rhelversion are strings written into the .modinfo section at build time, and an attacker-built module can set them to whatever looks plausible. Two details are still worth noting. The depends line is empty, and the file is installed under kernel/sdc/, which is not one of the subdirectories a stock kernel package ships under kernel/; running rpm -qf on the path shows whether any package owns it at all.

We can also run the same tools on a module file that is not yet installed in the OS. file tells us it is a relocatable ELF object and, importantly for what follows, that it is not stripped, so the symbol names are still available:

```
[root@lb lkrg-0.9.1]# file falc0n.ko
falc0n.ko: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), BuildID[sha1]=1bde6abf4732eb620983032a47fbcf07689ece11, not stripped
[root@lb lkrg-0.9.1]# modinfo falc0n.ko
filename:       /root/lkrg-0.9.1/falc0n.ko
intree:         Y
license:        GPL
retp
```
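The two sanity checks above (is the module installed where a stock kernel package would put it, and was it built for the kernel that is actually running) are cheap enough to script. The following shell script is an added example, not code from the original post or from the Reptile or LKRG projects. It parses modinfo-style text with awk; the embedded MODINFO_SAMPLE is the modinfo output shown above for falc0n.ko, and the list of standard kernel/ subdirectories is an approximation I am assuming here, not something the post states.

```shell
#!/bin/sh
# triage_ko.sh: cheap plausibility checks on `modinfo` output for a suspect module.
# Added example, not from the original post. The running kernel release is passed
# in explicitly so the checks also work on a module copied off another host.

# modinfo output for falc0n.ko as shown in the post (constructed sample input).
MODINFO_SAMPLE='filename:       /lib/modules/3.10.0-1127.10.1.el7.x86_64/kernel/sdc/falc0n.ko
intree:         Y
license:        GPL
retpoline:      Y
rhelversion:    7.8
srcversion:     81F508029A53F7490CCDB44
depends:
vermagic:       3.10.0-1127.10.1.el7.x86_64 SMP mod_unload modversions'

# First-level directories a stock kernel package places under /lib/modules/<ver>/kernel/.
# Assumed, approximate list; adjust for your distribution.
STD_KERNEL_DIRS="arch block crypto drivers fs kernel lib mm net samples security sound virt"

# modinfo_field MODINFO_TEXT FIELD -> value of FIELD (empty if absent or empty)
modinfo_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# triage_modinfo MODINFO_TEXT RUNNING_KERNEL
# Prints one line per finding. No output means none of these cheap checks fired,
# which is not a clean bill of health: every modinfo tag is attacker-controlled.
triage_modinfo() {
    text="$1"
    running="$2"
    path=$(modinfo_field "$text" filename)
    vermagic=$(modinfo_field "$text" vermagic)
    intree=$(modinfo_field "$text" intree)

    # 1. Installed location. Under /lib/modules/<ver>/kernel/ the first directory
    #    component should be one of the standard ones; anything else (kernel/sdc/
    #    in the post) deserves an ownership check with rpm -qf / dpkg -S.
    case "$path" in
        */lib/modules/*/kernel/*)
            rel=${path#*/kernel/}
            top=${rel%%/*}
            case " $STD_KERNEL_DIRS " in
                *" $top "*) ;;
                *) printf 'nonstandard directory kernel/%s (intree=%s): check package ownership of %s\n' \
                       "$top" "$intree" "$path" ;;
            esac ;;
        */lib/modules/*) ;;   # extra/, updates/, weak-updates/: normal for out-of-tree modules
        *) printf 'module file is not installed under /lib/modules: %s\n' "$path" ;;
    esac

    # 2. vermagic names the kernel the module was built against; a mismatch with
    #    the running kernel means it could not have been loaded here as-is.
    built_for=${vermagic%% *}
    if [ -n "$built_for" ] && [ "$built_for" != "$running" ]; then
        printf 'vermagic kernel %s differs from running kernel %s\n' "$built_for" "$running"
    fi
}

# Usage: triage_ko.sh /path/to/module.ko   (runs modinfo on it)
#        triage_ko.sh                      (triages the sample from the post)
if [ "$#" -gt 0 ]; then
    triage_modinfo "$(modinfo "$1")" "$(uname -r)"
else
    triage_modinfo "$MODINFO_SAMPLE" "$(uname -r)"
fi
```

On the sample from the post the script reports the kernel/sdc/ location; the vermagic check only fires when the release passed in differs from the one the module was built for, which is exactly the case when you analyse a module lifted from a compromised host on a separate analysis box.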