<div dir="ltr"><div><div><div><div><div><div><div><div><div><div>Hello,<br></div>I am currently doing some testing (strictly white hat, I am in the computer security field) on Linux kernel-mode rootkits. <br></div>I have a rootkit sample that I downloaded and would like to test it in my lab. The problem is that I have a compiled kernel module, not the source code for the module. <br>
<br></div>When I look at the strings embedded in the module I see this (among many other strings):<br><br></div>$ strings security.ko<br>vermagic=3.2.0-32-generic SMP mod_unload modversions 686<br><br></div>So I installed a Linux kernel and the corresponding linux-headers to match this version.<br>
</div>I was hoping, perhaps naively, that since I couldn't recompile the kernel module it might work if I could match the kernel to what the compiled module expects. Alas, when I do this and try to load the module I get:<br>
<br></div>$ sudo insmod security.ko<br>[sudo] password for sally: <br>insmod: error inserting 'security.ko': -1 Invalid module format<br><br></div><div>My syslog file shows this corresponding error:<br>security: disagrees about version of symbol module_layout<br>
</div><div><br></div>My question for you experts is: Is it even possible to install a kernel module that has not been compiled on the system on which you are trying to install it? If it is, what am I missing? Does the modversions option have something to do with it? Can I rebuild the kernel with different options to make this work?<br>
<br></div>Here are a few specifics on my setup in case it helps. It is running in VMware:<br><br>$ uname -a<br>Linux ubuntu 3.2.0-32-generic-pae #51-Ubuntu SMP Wed Sep 26 21:54:23 UTC 2012 i686 i686 i386 GNU/Linux<br><br>
</div>$ cat /proc/version<br><div>Linux version 3.2.0-32-generic-pae (buildd@roseapple) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #51-Ubuntu SMP Wed Sep 26 21:54:23 UTC 2012<br><br></div><div>$ dpkg -l | grep linux-image<br>
</div><div>ii linux-image-3.2.0-32-generic 3.2.0-32.51 Linux kernel image for version 3.2.0 on 32 bit x86 SMP<br>ii linux-image-3.2.0-32-generic-pae 3.2.0-32.51 Linux kernel image for version 3.2.0 on 32 bit x86 SMP<br>
ii linux-image-3.2.0-32-virtual 3.2.0-32.51 Linux kernel image for version 3.2.0 on 32 bit x86 Virtual Guests<br><br>$ dpkg -l | grep linux-headers<br>ii linux-headers-3.2.0-32 3.2.0-32.51 Header files related to Linux kernel version 3.2.0<br>
ii linux-headers-3.2.0-32-generic-pae 3.2.0-32.51 Linux kernel headers for version 3.2.0 on 32 bit x86 SMP<br><div><div><div><br></div><div>$ locate modversions.h<br></div><div>/usr/src/linux-headers-3.2.0-32-generic-pae/include/config/modversions.h<br>
</div><div> (it's an empty file by the way)<br></div><div><br></div><div>I would really appreciate any ideas you might have for me.<br></div><div><br></div><div>Thanks,<br></div><div>Sally Vandeven<br></div></div></div>
</div></div>
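<div>Added example (not part of the original message): a triage sketch that splits a module's vermagic string into the kernel release and build flags, as the <code>strings</code> step above does by eye, and compares the release with <code>uname -r</code>. The sample values are copied from the post; the function names are illustrative.</div>

```shell
#!/bin/sh
# Added example: compare a module's vermagic with a kernel release.
# Sample values are copied from the post; function names are illustrative.
SAMPLE_VERMAGIC='vermagic=3.2.0-32-generic SMP mod_unload modversions 686'
SAMPLE_RELEASE='3.2.0-32-generic-pae'   # `uname -r` on the lab VM in the post

# Read the vermagic line from a .ko the same way the post does.
module_vermagic() {
    strings "$1" | grep -m1 '^vermagic='
}

# First token of vermagic: the kernel release the module was built for.
vermagic_release() {
    v=${1#vermagic=}
    printf '%s\n' "${v%% *}"
}

# Succeeds if a build flag (e.g. modversions) follows the release token.
vermagic_has_flag() {
    v=${1#vermagic=}
    case $v in *' '*) flags=${v#* } ;; *) flags= ;; esac
    case " $flags " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# Prints a verdict; returns 0 only when the two releases are identical.
compare_release() {
    built_for=$(vermagic_release "$1")
    if [ "$built_for" = "$2" ]; then
        printf 'match: %s\n' "$2"
        return 0
    fi
    case $2 in
        "$built_for"-*) kind=flavour ;;   # same release, extra suffix
        *)              kind=release ;;
    esac
    printf '%s differs: module=%s running=%s\n' "$kind" "$built_for" "$2"
    return 1
}

# With a file argument, inspect it against the running kernel;
# otherwise fall back to the sample values from the post.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    vm=$(module_vermagic "$1"); rel=$(uname -r)
else
    vm=$SAMPLE_VERMAGIC; rel=$SAMPLE_RELEASE
fi
compare_release "$vm" "$rel" || true
if vermagic_has_flag "$vm" modversions; then
    # The syslog line in the post names one such symbol, module_layout.
    echo 'modversions: module records a CRC for each imported symbol'
fi
```

Run with the path to a .ko to compare that file against the running kernel; with no argument it uses the values from the post.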