neXus (#101) Posted September 25, 2013
I didn't find any. I came across AVU, but there is no source / binary available. You can dig into it; it could be useful.
VeNoM (author, #102) Posted September 25, 2013
http://arcane-labratory.blogspot.ro/
http://arcane-labratory.blogspot.ro/201 ... ector.html
http://arcane-labratory.blogspot.ro/201 ... ering.html
http://www.blackhat.com/presentations/b ... -mehta.pdf
neXus (#103) Posted September 25, 2013
This is the site I was talking about: http://arcane-labratory.blogspot.ro/sea ... 0antivirus
No sources / no binaries to use. (I have read all of these papers; if you can spend some time to find / try to unpack binaries, it could be useful.)
doedels (#104) Posted September 25, 2013
cat /proc/bus/pci/devices > bus_pci_devices from my ds1010+: https://mega.co.nz/#!j5wlnahQ!TwVrowCvP ... eKbNCPqj8s
Vortex (#105) Posted September 27, 2013
I want to note:
1) If you use synology_bromolow_3612xs, you need the 3612xs bus_pci_devices. It is important!
2) Not all models have the same number of dev inspections. 3612xs has the largest number (curiously enough)...
Edited September 27, 2013 by Guest
VeNoM (author, #106) Posted September 27, 2013
I want to test with 1511, but I don't have the 1511 bus_pci_devices.
Vortex (#107) Posted September 27, 2013
quicksilver was ready to help. Ask him. viewtopic.php?f=2&t=1082&start=50#p5861
VeNoM (author, #108) Posted September 27, 2013
I sent him a private message. Vortex, can you help with the unpacking of scemd?
Vortex (#109) Posted September 27, 2013
I will not do it. Sorry.
VeNoM (author, #110) Posted September 27, 2013
Can we override unlink only for /dev/sd* with LD_PRELOAD or from the kernel?
6465 stat64("/dev/sda", {st_mode=S_IFBLK|0644, st_rdev=makedev(8, 0), ...}) = 0
6465 unlink("/dev/sda") = 0
6465 stat64("/dev/sda1", {st_mode=S_IFBLK|0644, st_rdev=makedev(8, 1), ...}) = 0
6465 unlink("/dev/sda1") = 0
6465 stat64("/dev/sda2", {st_mode=S_IFBLK|0644, st_rdev=makedev(8, 2), ...}) = 0
6465 unlink("/dev/sda2") = 0
6465 stat64("/dev/sda3", {st_mode=S_IFBLK|0644, st_rdev=makedev(8, 3), ...}) = 0
6465 unlink("/dev/sda3") = 0
Or open for the list of checked files and replace them with /PROC /LIB /USR ...
Trantor (#111) Posted September 27, 2013
If you want DS412+ (cedarview) files I can help. Sorry, no bromolow syno available right now.
neXus (#112) Posted September 30, 2013
OK, my hooking kernel module is almost ready; now we have to find the /proc/bus/pci/devices to feed it. I tried with a handcrafted one, no luck.
DiskStation> cat /proc/bus/pci/devices | openssl dgst -sha1
(stdin)= 0420d5aff0e976362758ec21d0d7e6def6730921
DiskStation> cat /root/devices | openssl dgst -sha1
(stdin)= 5d901113beb9d0b2a0ca458693d20a5697951c4e
DiskStation> insmod dsmcheck.ko
DiskStation> cat /proc/bus/pci/devices | openssl dgst -sha1
(stdin)= 5d901113beb9d0b2a0ca458693d20a5697951c4e
VeNoM (author, #113) Posted September 30, 2013
Try it with the 1511+ one, https://mega.co.nz/#!pEVljT4Z!bPaL0A4ZG ... bz4p6a8V4U, to see if it works. For a quick test use Vortex's 1511+ build, https://dl.dropboxusercontent.com/u/753 ... y_3776.zip, or I can try it in a VM on 1511+ using your module.
VeNoM (author, #114) Posted September 30, 2013
Can you share your module sources on GitHub?
VeNoM (author, #115) Posted September 30, 2013
This may help: https://github.com/mfontanini/Programs- ... /rootkit.c
VeNoM (author, #116) Posted October 1, 2013
I did it on 1511+! I created a custom kernel module that replaces /proc/bus/pci/devices with https://mega.co.nz/#!pEVljT4Z!bPaL0A4ZG ... bz4p6a8V4U and it works!
So the protection is a simple "hash check" that uses:
/proc/bus/pci/devices
/usr/syno/bin/findhostd
/usr/syno/bin/scemd
/lib/libdsm.so
/lib/libsynocgi.so
/usr/syno/synoman/webman/modules/StorageManager/storagehandler.cgi
/usr/syno/synoman/webman/modules/StorageManager/volumehandler.cgi
/usr/syno/synoman/webman/modules/PkgManApp/PkgMan.cgi
/usr/syno/synoman/webman/modules/PkgManApp/PkgSynoMan.cgi
/usr/syno/synoman/webman/modules/DSMNotify/dsmnotify.cgi
PS: I did this for fun. I would not use this in production.
Vortex (#117) Posted October 1, 2013
No, it is not a "hash check". Those files check a special table of allowed devices and compare it with the strings in /proc/bus/pci/devices. If more than two devices are not found in /proc/bus/pci/devices, then drives off. Note the number of checks for 3612xs and ds1511+ ;)
Here is the table (columns: bus/devfn, vendor+device id, driver):

synology_bromolow_3611xs
  0200 111d806e pcieport
  0310 111d806e pcieport
  0318 111d806e pcieport
  0320 111d806e pcieport
  0328 111d806e pcieport
  0400 11ab7042 sata_mv
  0500 11ab7042 sata_mv
  0600 11ab7042 sata_mv
  0700 11ab7042 sata_mv
  0800 11ab7042 sata_mv
  0a00 808610d3 e1000e
  0b00 808610d3 e1000e
  0c00 808610d3 e1000e
  0d00 808610d3 e1000e

synology_bromolow_3612xs
  0200 111d806e pcieport
  0310 111d806e pcieport
  0318 111d806e pcieport
  0320 111d806e pcieport
  0328 111d806e pcieport
  0400 11ab7042 sata_mv
  0500 11ab7042 sata_mv
  0600 11ab7042 sata_mv
  0700 11ab7042 sata_mv
  0800 11ab7042 sata_mv
  0a00 808610d3 e1000e
  0b00 808610d3 e1000e
  0c00 808610d3 e1000e
  0d00 808610d3 e1000e

synology_bromolow_rs3411rpxs
  0200 111d806e pcieport
  0310 111d806e pcieport
  0318 111d806e pcieport
  0320 111d806e pcieport
  0328 111d806e pcieport
  0400 11ab7042 sata_mv
  0500 11ab7042 sata_mv
  0600 11ab7042 sata_mv
  0700 11ab7042 sata_mv
  0800 11ab7042 sata_mv
  0a00 808610d3 e1000e
  0b00 808610d3 e1000e
  0c00 808610d3 e1000e
  0d00 808610d3 e1000e

synology_bromolow_rs3411xs
  0200 111d806e pcieport
  0310 111d806e pcieport
  0318 111d806e pcieport
  0320 111d806e pcieport
  0328 111d806e pcieport
  0400 11ab7042 sata_mv
  0500 11ab7042 sata_mv
  0600 11ab7042 sata_mv
  0700 11ab7042 sata_mv
  0800 11ab7042 sata_mv
  0a00 808610d3 e1000e
  0b00 808610d3 e1000e
  0c00 808610d3 e1000e
  0d00 808610d3 e1000e

synology_bromolow_rs3412rpxs
  0200 111d806e pcieport
  0310 111d806e pcieport
  0318 111d806e pcieport
  0320 111d806e pcieport
  0328 111d806e pcieport
  0400 11ab7042 sata_mv
  0500 11ab7042 sata_mv
  0600 11ab7042 sata_mv
  0700 11ab7042 sata_mv
  0800 11ab7042 sata_mv
  0a00 808610d3 e1000e
  0b00 808610d3 e1000e
  0c00 808610d3 e1000e
  0d00 808610d3 e1000e

synology_bromolow_rs3412xs
  0200 111d806e pcieport
  0310 111d806e pcieport
  0318 111d806e pcieport
  0320 111d806e pcieport
  0328 111d806e pcieport
  0400 11ab7042 sata_mv
  0500 11ab7042 sata_mv
  0600 11ab7042 sata_mv
  0700 11ab7042 sata_mv
  0800 11ab7042 sata_mv
  0a00 808610d3 e1000e
  0b00 808610d3 e1000e
  0c00 808610d3 e1000e
  0d00 808610d3 e1000e

synology_bromolow_rs3413xs+
  0200 111d806e pcieport
  0310 111d806e pcieport
  0318 111d806e pcieport
  0320 111d806e pcieport
  0328 111d806e pcieport
  0400 11ab7042 sata_mv
  0500 11ab7042 sata_mv
  0600 11ab7042 sata_mv
  0700 11ab7042 sata_mv
  0800 11ab7042 sata_mv
  0a00 808610d3 e1000e
  0b00 808610d3 e1000e
  0c00 808610d3 e1000e
  0d00 808610d3 e1000e

synology_bromolow_rs10613xs+
  0100 10000072 mpt2sas
  0300 808610d3 e1000e
  0400 808610d3 e1000e
  0500 808610d3 e1000e
  0600 808610d3 e1000e

synology_cedarview_412+
  0100 808610d3 e1000e
  0200 808610d3 e1000e
  0300 10953531 sata_sil24

synology_cedarview_713+
  0100 808610d3 e1000e
  0200 808610d3 e1000e
  0300 10953531 sata_sil24

synology_cedarview_1512+
  0100 808610d3 e1000e
  0200 808610d3 e1000e
  0300 10953132 sata_sil24

synology_cedarview_1513+
  0100 80861533 igb
  0200 80861533 igb
  0300 10953132 sata_sil24
  0400 1b6f7023 etxhci_hcd
  0500 80861533 igb
  0600 80861533 igb

synology_cedarview_1812+
  0100 808610d3 e1000e
  0200 808610d3 e1000e
  0300 10953132 sata_sil24
  0400 10953132 sata_sil24

synology_cedarview_1813+
  0200 80861533 igb
  0300 10953132 sata_sil24
  0400 10953132 sata_sil24
  0500 1b6f7023 etxhci_hcd
  0600 10b58603 pcieport
  0708 10b58603 pcieport
  0710 10b58603 pcieport
  0800 80861533 igb
  0900 80861533 igb

synology_cedarview_2413+
  0100 808610d3 e1000e
  0200 808610d3 e1000e
  0300 11ab7042 sata_mv
  0400 10953132 sata_sil24
  0500 11ab7042 sata_mv
  0600 1b6f7023 etxhci_hcd

synology_cedarview_rs812+
  0100 808610d3 e1000e
  0200 808610d3 e1000e
  0300 10953531 sata_sil24

synology_cedarview_rs812rp+
  0100 808610d3 e1000e
  0200 808610d3 e1000e
  0300 10953531 sata_sil24

synology_cedarview_rs2212+
  0100 808610d3 e1000e
  0200 808610d3 e1000e
  0300 11ab7042 sata_mv
  0500 11ab7042 sata_mv

synology_cedarview_rs2212rp+
  0100 808610d3 e1000e
  0200 808610d3 e1000e
  0300 11ab7042 sata_mv
  0500 11ab7042 sata_mv

synology_cedarview_rs2414+
  0100 80861533 igb
  0200 10b58603 pcieport
  0308 10b58603 pcieport
  0310 10b58603 pcieport
  0400 1b6f7023 etxhci_hcd
  0500 80861533 igb
  0600 10953132 sata_sil24
  0700 11ab7042 sata_mv
  0800 1b4b9235 ahci
  0900 10b58603 pcieport
  0a08 10b58603 pcieport
  0a10 10b58603 pcieport
  0b00 80861533 igb
  0c00 80861533 igb

synology_cedarview_rs2414rp+
  0100 80861533 igb
  0200 10b58603 pcieport
  0308 10b58603 pcieport
  0310 10b58603 pcieport
  0400 1b6f7023 etxhci_hcd
  0500 80861533 igb
  0600 10953132 sata_sil24
  0700 11ab7042 sata_mv
  0800 1b4b9235 ahci
  0900 10b58603 pcieport
  0a08 10b58603 pcieport
  0a10 10b58603 pcieport
  0b00 80861533 igb
  0c00 80861533 igb

synology_x86_411+
  00d0 80862937 uhci_hcd
  00d1 80862938 uhci_hcd
  00d2 80862939 uhci_hcd
  00d7 8086293c ehci_hcd
  00e8 80862934 uhci_hcd
  00e9 80862935 uhci_hcd
  00ea 80862936 uhci_hcd
  00ef 8086293a ehci_hcd
  00fa 80862922 ahci
  0200 10953531 sata_sil24

synology_x86_411+II
  00d0 80862937 uhci_hcd
  00d1 80862938 uhci_hcd
  00d2 80862939 uhci_hcd
  00d7 8086293c ehci_hcd
  00e8 80862934 uhci_hcd
  00e9 80862935 uhci_hcd
  00ea 80862936 uhci_hcd
  00ef 8086293a ehci_hcd
  00fa 80862922 ahci
  0200 10953531 sata_sil24

synology_x86_710+
  00c8 808610e5 e1000e
  00d0 80862937 uhci_hcd
  00d1 80862938 uhci_hcd
  00d2 80862939 uhci_hcd
  00d7 8086293c ehci_hcd
  00e8 80862934 uhci_hcd
  00e9 80862935 uhci_hcd
  00ea 80862936 uhci_hcd
  00ef 8086293a ehci_hcd
  00fa 80862922 ahci
  0100 10953132 sata_sil24

synology_x86_712+
  0100 10953531 sata_sil24
  0200 808610d3 e1000e
  0300 808610d3 e1000e

synology_x86_1010+
  0100 10953132 sata_sil24
  0200 808610d3 e1000e
  0300 808610d3 e1000e

synology_x86_1511+
  0100 10953132 sata_sil24
  0200 808610d3 e1000e
  0300 808610d3 e1000e

synology_x86_2411+
  0100 11ab7042 sata_mv
  0200 11ab7042 sata_mv
  0300 11ab7042 sata_mv
  0400 11ab7042 sata_mv
  0500 808610d3 e1000e
  0600 808610d3 e1000e

synology_x86_rs810+
  0100 10953531 sata_sil24
  0200 808610d3 e1000e
  0300 808610d3 e1000e

synology_x86_rs810rp+
  0100 10953531 sata_sil24
  0200 808610d3 e1000e
  0300 808610d3 e1000e

synology_x86_rs2211+
  0100 11ab7042 sata_mv
  0200 11ab7042 sata_mv
  0300 11ab7042 sata_mv
  0400 11ab7042 sata_mv
  0500 808610d3 e1000e
  0600 808610d3 e1000e

synology_x86_rs2211rp+
  0100 11ab7042 sata_mv
  0200 11ab7042 sata_mv
  0300 11ab7042 sata_mv
  0400 11ab7042 sata_mv
  0500 808610d3 e1000e
  0600 808610d3 e1000e

synology_evansport_214+
  0160 80862e6e e1000
  0200 1b6f7023 etxhci_hcd
  0300 10953531 sata_sil24

synology_evansport_114+
  0160 80862e6e e1000
  0200 1b6f7023 etxhci_hcd
  0300 10953531 sata_sil24
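To make the check Vortex describes concrete, here is an added example (my own code, not Synology's and not from any poster) that parses a /proc/bus/pci/devices dump and the model table and applies the "more than two devices missing" rule to a constructed host. The column layout of /proc/bus/pci/devices (bus/devfn, vendor+device, irq, seven base addresses, seven sizes, then the driver name only when a driver is bound) is assumed from the kernel's format, and the sample device lines are constructed, not captured.

```python
"""Added example, not Synology's code: the allowed-device check quoted above, modelled in
Python.  Assumed: /proc/bus/pci/devices rows are (bus/devfn, vendor+device, irq, 7 base
addresses, 7 sizes, driver name only when bound); table rows are (bus/devfn, id, driver)."""
from typing import Dict, List, Set, Tuple

Entry = Tuple[str, str, str]  # (bus/devfn as 4 hex digits, vendor+device, driver)

def parse_proc_devices(text: str) -> Set[Entry]:
    """Reduce /proc/bus/pci/devices to the (devfn, id, driver) triples the table uses."""
    found: Set[Entry] = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 17:          # 17 numeric columns expected; skip truncated lines
            continue
        driver = f[17] if len(f) > 17 else ""   # no driver column when nothing is bound
        found.add((f[0].lower(), f[1].lower(), driver))
    return found

def parse_table(text: str) -> Dict[str, List[Entry]]:
    """A 'synology_*' line starts a model; the 3-column rows after it belong to it."""
    table: Dict[str, List[Entry]] = {}
    model = None
    for line in text.splitlines():
        f = line.split()
        if len(f) == 1 and f[0].startswith("synology_"):
            model, table[f[0]] = f[0], []
        elif model is not None and len(f) == 3:
            table[model].append((f[0].lower(), f[1].lower(), f[2]))
    return table

def missing_devices(model: str, table: Dict[str, List[Entry]], present: Set[Entry]) -> List[Entry]:
    return [e for e in table[model] if e not in present]

def check_passes(model: str, table: Dict[str, List[Entry]], present: Set[Entry]) -> bool:
    """Fail condition quoted above: more than two of the model's table devices not found."""
    return len(missing_devices(model, table, present)) <= 2

def proc_line(devfn: str, vid_did: str, driver: str = "") -> str:
    """One constructed /proc/bus/pci/devices line (irq/BAR/size columns zeroed)."""
    fields = [devfn, vid_did] + ["0"] * 15      # irq + 7 addresses + 7 sizes
    return "\t".join(fields + ([driver] if driver else []))

SAMPLE_TABLE = "synology_cedarview_412+\n0100 808610d3 e1000e\n0200 808610d3 e1000e\n0300 10953531 sata_sil24\n"
# Constructed host: the two expected e1000e NICs, but a different SiI SATA chip at 03:00.
SAMPLE_PROC = "\n".join([
    proc_line("0000", "80860bf2"),               # host bridge, no driver bound
    proc_line("0100", "808610d3", "e1000e"),
    proc_line("0200", "808610d3", "e1000e"),
    proc_line("0300", "10953132", "sata_sil24"),
])
```

With the constructed host only one of the three 412+ entries is missing, so the rule passes; an empty device list misses all three and fails.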
VeNoM (author, #118) Posted October 1, 2013
With the info you posted I can probably manually create a devices file for synology_bromolow_3612xs.
Yes, you're right, it is a hash check for files + a check for hardcoded devices (like SATA controller / network controller) in files vs /proc/bus/pci/devices. I do not understand why they did not also check synobios.ko.
Edited October 1, 2013 by Guest
neXus (#119) Posted October 1, 2013
Works fine here too with my module. I was digging in the disassembly code to check what was really checked. Vortex is faster than me. I have some issues with my core dump as there are no symbols in it. I'm not a professional, so I have to do it step by step.
Vortex (#120) Posted October 1, 2013
"I do not understand why they did not also check synobios.ko"
I think that a cat-and-mouse game has been started.
neXus (#121) Posted October 1, 2013
As long as we have our hands on the kernel, we can fool the checks. My next challenge will be to simulate the ttyS1 serial device and the UART device check by synobios to avoid any patching. It will be harder, but that's a nice playground. They don't seem to have hardware "protection" stuff like we can find on ReadyNAS, for example (encryption key in OTP).
tsygam (#122) Posted October 1, 2013
No idea what happened, but today I powered on 4.3 on ESXi (4.3 had already been sleeping there for a while), SSHed in, and for some reason ran ls /volume1, and there was @scemd.core, which seems to be unpacked scemd. Linking just in case it helps: https://www.dropbox.com/s/6wrg5g5ufvmmtq6/scemd.core.tgz
neXus (#123) Posted October 1, 2013
It's a core dump from when a process crashed. That's where we found some clues.
tsygam (#124) Posted October 1, 2013
So is it then possible to zero the vid/pid table in there and repack it? Or do the others need to be dumped and repacked with a different key?
neXus (#125) Posted October 1, 2013
I don't think so, as in the dump we have the memory dump with shared objects in it. It's more the program in memory (unpacked). It's like rebuilding the Windows kernel from a BSOD kernel dump. No need to repack; we found the way to fake the system into believing it's a genuine one (except for synobios, which still needs to be patched).