[WLUG] A question about kernel modules

sallyvdv sallyvdv at gmail.com
Thu Dec 12 14:31:26 EST 2013 

Hello,
I am currently doing some testing (strictly white hat, I am in the computer
security field) on linux kernel mode rootkits.
I have a rootkit sample that I downloaded and would like to test it in my
lab.  The problem is that I have a compiled kernel module, not the source
code for the module.

When I look at the strings embedded in the module I see this (among many
other strings):

$ strings security.ko
vermagic=3.2.0-32-generic SMP mod_unload modversions 686

So I installed a linux kernel and the corresponding linux-headers to match
this version.
I was hoping, perhaps naively, that since I couldn't recompile the kernel
module it might work if I could match the kernel to what the compiled
module expects.  Alas, when I do this and try to load the module I get:

$ sudo insmod security.ko
[sudo] password for sally:
insmod: error inserting 'security.ko': -1 Invalid module format

My syslog file shows this corresponding error:
security: disagrees about version of symbol module_layout

My question for you experts is: Is it even possible to install a kernel
module that has not been compiled on the system on which you are trying to
install it?  If it is, what am I missing? Does modversions option have
something to do with it?  Can I rebuild the kernel with different options
to make this work?

Here are a few specifics on my setup in case it helps.  It is running in
VMware:

$ uname -a
Linux ubuntu 3.2.0-32-generic-pae #51-Ubuntu SMP Wed Sep 26 21:54:23 UTC
2012 i686 i686 i386 GNU/Linux

$ cat /proc/version
Linux version 3.2.0-32-generic-pae (buildd at roseapple) (gcc version 4.6.3
(Ubuntu/Linaro 4.6.3-1ubuntu5) ) #51-Ubuntu SMP Wed Sep 26 21:54:23 UTC 2012

$ dpkg  -l | grep linux-image
ii  linux-image-3.2.0-32-generic
3.2.0-32.51                             Linux kernel image for version
3.2.0 on 32 bit x86 SMP
ii  linux-image-3.2.0-32-generic-pae
3.2.0-32.51                             Linux kernel image for version
3.2.0 on 32 bit x86 SMP
ii  linux-image-3.2.0-32-virtual
3.2.0-32.51                             Linux kernel image for version
3.2.0 on 32 bit x86 Virtual Guests

$ dpkg  -l | grep linux-headers
ii  linux-headers-3.2.0-32
3.2.0-32.51                             Header files related to Linux
kernel version 3.2.0
ii  linux-headers-3.2.0-32-generic-pae
3.2.0-32.51                             Linux kernel headers for version
3.2.0 on 32 bit x86 SMP

$ locate modversions.h
/usr/src/linux-headers-3.2.0-32-generic-pae/include/config/modversions.h
    (it's an empty file by the way)

I would really appreciate any ideas you might have for me.

Thanks,
Sally Vandeven
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://linux.marcdatabase.com/pipermail/washlug/attachments/20131212/03ccabc8/attachment.html

More information about the washlug mailing list