Systemtap installation on CentOS 6.5

This post is a quick note on how to install systemtap on a fresh install of CentOS 6.5. This will also be the development environment and OS I’ll be using for the development of my rootkit. Below you will find a very simple script I wrote to complete this process.

We first need to acquire the kernel debuginfo packages for our current kernel version. This allows Systemtap to take full advantage of the kernel probing system it requires to operate. The debug packages we need to install are kernel-debuginfo, kernel-debuginfo-common and kernel-devel.

We then also need to install systemtap. You can find the script below. After you update/upgrade your kernel, the debuginfo packages may need to be installed again, since they must match the running kernel version. Running this script in these scenarios should also work.

centos-systemtap-debuginfo.sh

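#!/bin/bash
# Download and install the kernel debuginfo packages for the running kernel,
# then install systemtap and kernel-devel.
# Note: the repository URL is fixed to the 32-bit (i386) tree.
WEB="http://debuginfo.centos.org/6/i386/"
RELEASE=$(uname -r)
MACHINE=$(uname -m)
PKG1="kernel-debuginfo-$RELEASE.rpm"
PKG2="kernel-debuginfo-common-$MACHINE-$RELEASE.rpm"
wget "$WEB$PKG1"
wget "$WEB$PKG2"
# Install the downloaded debuginfo packages
rpm -Uhv kernel-debuginfo-*.rpm
# Install systemtap and kernel-development packages
yum install systemtap kernel-devel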

After running this, systemtap should be installed and ready to go. I ran this on a fresh install without any other previous tampering. You can test if it worked by running something such as the following.

stap

stap -L 'kernel.function("*")'

Running this should present a list of kernel functions. In my next post I will be discussing how an IO device such as a keyboard operates. I will also be fully investigating the various components within the kernel using systemtap and how keyboard input is processed. This will preempt the development of my kernel key logger.
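
The script above fetches RPMs over plain HTTP and installs them as root without checking who signed them. The following variant of its download-and-install step is an added example, not the post's script: it picks the repository directory from the machine type and refuses to install a package whose signature rpm cannot verify. Function names are hypothetical; the x86_64 directory name and the old rpm 4.x `rpm -K` output format are assumptions, and the signing key must already have been imported with `rpm --import`.

```shell
#!/bin/bash
# Added example, not the post's script. Function names are hypothetical.

# Map `uname -m` output to the debuginfo repository directory.
# "i386" is the directory the post uses; "x86_64" is an assumption.
repo_dir() {
    case "$1" in
        i?86)   echo "i386" ;;
        x86_64) echo "x86_64" ;;
        *)      return 1 ;;
    esac
}

# Print the two package URLs for a kernel release and machine type.
debuginfo_urls() {
    local release="$1" machine="$2" base
    base="http://debuginfo.centos.org/6/$(repo_dir "$machine")/" || return 1
    echo "${base}kernel-debuginfo-${release}.rpm"
    echo "${base}kernel-debuginfo-common-${machine}-${release}.rpm"
}

# Judge one line of `rpm -K` output (old rpm 4.x format, assumed here).
# Lowercase "pgp"/"gpg" means a signature was checked against an imported
# key; an unsigned package prints only digests ("sha1 md5 OK") and must fail.
sig_verified() {
    case " ${1#*: }" in
        *"NOT OK"*)                return 1 ;;
        *" pgp "*OK | *" gpg "*OK) return 0 ;;
        *)                         return 1 ;;
    esac
}

# Download both packages, verify each signature, then install.
install_debuginfo() {
    local urls url file
    urls=$(debuginfo_urls "$(uname -r)" "$(uname -m)") || return 1
    for url in $urls; do
        file="${url##*/}"
        wget -q -O "$file" "$url" || return 1
        if ! sig_verified "$(LC_ALL=C rpm -K "$file")"; then
            echo "signature not verified, refusing: $file" >&2
            rm -f "$file"
            return 1
        fi
    done
    rpm -Uhv kernel-debuginfo-*.rpm
}

# Only touch the network and the RPM database when asked to.
if [ "${1:-}" = "--install" ]; then
    install_debuginfo
fi
```

Run it with `--install` as root; without that argument it only defines the functions.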