redstar-tools
<h1 dir="auto">
Tools for Red Star OS (붉은별)
</h1>
<p>
This repository includes several binaries from and tools for Red Star OS. These can be used for further research work.
</p>
<h2 dir="auto">
Disable malicious components
</h2>
<p>
The easiest way is to run the <code>defuse.sh</code> script on Red Star OS 3.0 Desktop (requires root privileges); make sure it is executable by running <code>chmod u+x defuse.sh</code>.
</p>
<h3 dir="auto">
Manual steps
</h3>
<ol dir="auto">
<li>
<p>Get root privileges via <code>/usr/sbin/rootsetting</code>.</p>
</li>
<li>
<p>Disable SELinux<br /> SELinux protects several files and directories (e.g. <code>/var/log</code>). It should be disabled in order to make changes to some parts of the system.</p>
<pre class="notranslate"><code>setenforce 0
</code></pre>
<p>In order to keep SELinux disabled after rebooting, append <code>selinux=0</code> to the kernel line in the GRUB config file (<code>/boot/grub/grub.conf</code>).</p>
</li>
<li>
<p>Kill <code>securityd</code><br /> Killing <code>securityd</code> will prevent the system from rebooting when editing/deleting various protected files.</p>
<pre class="notranslate"><code>killall -9 securityd
</code></pre>
</li>
<li>
<p>Disable the <code>rtscan</code> kernel module<br /> Either via <code>resctl.py</code> (see <code>rtscan</code>) or via a Python shell as follows:</p>
<pre class="notranslate"><code>[root@localhost ~]# python
Python 2.6 (r26:66714, Oct 7 2012, 13:39:47)
[GCC 4.4.0 20090506 (Red Hat 4.4.0-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import fcntl
>>> fcntl.ioctl(open('/dev/res', 'wb'), 29187)
0
</code></pre>
<p>After disabling <code>rtscan</code>, protected processes like <code>opprc</code> become killable.</p>
</li>
<li>
<p>Kill <code>scnprc</code> and <code>opprc</code></p>
<pre class="notranslate"><code>killall scnprc
killall opprc
</code></pre>
</li>
<li>
<p>Replace <code>/usr/lib/libos.so.0.0.0</code><br /> See <code>libos</code> for further information. Replacing this file will prevent the system from being rebooted by <code>securityd</code> once the system has been restarted. It will also prevent reboot loops by <code>kdm</code>, which would render the system unusable.</p>
</li>
<li>
<p>Delete <code>/usr/share/autostart/scnprc.desktop</code><br /> Deleting this file will prevent <code>kdeinit</code> from starting the framework after a system reboot.</p>
</li>
<li>
<p>Delete <code>/etc/init/ctguard.conf</code><br /> Deleting this file will prevent <code>init</code> from starting <code>opprc</code> even when <code>scnprc</code> is not running.</p>
</li>
<li>
<p>Reboot the system</p>
</li>
</ol>
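<p>
The manual steps above folded into one script, as an added example written for this page; it is not the repository's own <code>defuse.sh</code>. The paths, process names and the ioctl value 29187 are taken from the steps above; the file that replaces <code>libos.so.0.0.0</code> is not given on the page, so the script expects the caller to supply it in <code>LIBOS_REPLACEMENT</code> (an assumption). The GRUB edit is kept in its own function so it can be tried on a copy of <code>grub.conf</code> before touching the real one.
</p>

```shell
#!/bin/sh
# Added example for this write-up, not the repository's own defuse.sh: the manual
# steps above folded into one script. Paths, process names and the ioctl value
# 29187 are the ones given on the page; the replacement for libos.so.0.0.0 is
# not on the page and must be supplied by the caller (LIBOS_REPLACEMENT).

GRUB_CONF=${GRUB_CONF:-/boot/grub/grub.conf}
LIBOS=/usr/lib/libos.so.0.0.0

# Append "selinux=0" to every GRUB kernel line that does not already carry it,
# so SELinux stays disabled after a reboot. Idempotent; takes the file as an
# argument so it can be tried on a copy first.
add_selinux_kernel_arg() {
    conf=$1
    awk '/^[[:space:]]*kernel[[:space:]]/ && !/selinux=0/ { print $0 " selinux=0"; next }
         { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Number of kernel lines still lacking selinux=0 (0 means the file is done).
kernel_lines_missing_selinux() {
    awk '/^[[:space:]]*kernel[[:space:]]/ && !/selinux=0/ { n++ } END { print n + 0 }' "$1"
}

# The live steps, in the order the page lists them. Needs root (rootsetting).
defuse() {
    [ "$(id -u)" -eq 0 ] || { echo "defuse: run as root" >&2; return 1; }
    [ -n "${LIBOS_REPLACEMENT:-}" ] || { echo "defuse: set LIBOS_REPLACEMENT" >&2; return 1; }

    setenforce 0                                # SELinux off for this session ...
    add_selinux_kernel_arg "$GRUB_CONF"         # ... and after the next reboot

    killall -9 securityd                        # no forced reboot while files are edited

    # Disable the rtscan module through /dev/res; after this opprc is killable.
    python -c 'import fcntl; fcntl.ioctl(open("/dev/res", "wb"), 29187)'

    killall scnprc
    killall opprc

    cp "$LIBOS" "$LIBOS.orig"                   # keep the original for analysis
    cp "$LIBOS_REPLACEMENT" "$LIBOS"

    rm -f /usr/share/autostart/scnprc.desktop   # kdeinit must not restart scnprc
    rm -f /etc/init/ctguard.conf                # init must not restart opprc

    echo "done; reboot the system"
}

# Only touch the running system when asked explicitly: sh defuse-example.sh --run
if [ "${1:-}" = "--run" ]; then
    defuse
fi
```

<p>
Without <code>--run</code> the script only defines its functions, so <code>add_selinux_kernel_arg</code> and <code>kernel_lines_missing_selinux</code> can be sourced and checked against a copy of the GRUB file first; <code>kernel_lines_missing_selinux</code> printing <code>0</code> is the check that the persistent part of the SELinux step took effect.
</p>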
<h2 dir="auto">
<a rel="nofollow noopener" target="_blank" id="user-content-debugging" class="anchor" aria-hidden="true" href="#debugging"></a>Debugging
</h2>
<h3 dir="auto">
<a rel="nofollow noopener" target="_blank" id="user-content-prepare-building-environment" class="anchor" aria-hidden="true" href="#prepare-building-environment"></a>Prepare building environment
</h3>
<p>
The default installation of Red Star OS 3.0 Desktop does not include GCC but the ISO includes the required packages.
</p>
<ol dir="auto">
<li>
Insert the Red Star OS ISO into the system
</li>
<li>
Go to <code>/media/RedStar Desktop 3.0/RedStar/RPMS</code>
</li>
<li>
<p>Install the following packages:</p>
<pre class="notranslate"><code>yum localinstall glibc-headers-2.10.1-2.i386.rpm
yum localinstall glibc-devel-2.10.1-2.i386.rpm
yum localinstall ncurses-devel-5.6-0.rs3.0.i386.rpm
yum localinstall gcc-4.4.0-4.i386.rpm
</code></pre>
</li>
</ol>
<p>
Now it is possible to build a recent (e.g. the latest) version of GDB for better debugging.
</p>
<h3 dir="auto">
<a rel="nofollow noopener" target="_blank" id="user-content-install-non-stripped-threading-libraries" class="anchor" aria-hidden="true" href="#install-non-stripped-threading-libraries"></a>Install non-stripped threading libraries
</h3>
<p>
The default installation of Red Star OS 3.0 Desktop does not allow debugging threads (e.g. in <code>scnprc</code> and <code>opprc</code>) with the shipped version of GDB, because the required <code>libpthread.so.0</code> library is stripped.<br /> Use the <code>libpthread-2.10.1.so</code>/<code>libpthread.so.0</code> and <code>libthread_db-1.0.so</code>/<code>libthread_db.so.1</code> libraries from the <code>glibc-2.10.1-2.i686.rpm</code> package of <a rel="nofollow noopener" target="_blank" href="http://rpm.pbone.net/index.php3/stat/4/idpl/18887613/dir/fedora_11/com/glibc-2.10.1-2.i686.rpm.html">Fedora 11</a>.
</p>
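<p>
A quick way to verify the claim above before and after swapping the libraries, as an added example that is not part of the redstar-tools repository: a stripped library has no static symbol table (<code>.symtab</code>), which is what GDB's <code>libthread_db</code> support needs. The script resolves the two sonames named above through the loader cache rather than hard-coding a directory, which is an assumption about the target system.
</p>

```shell
#!/bin/sh
# Added example, not part of the redstar-tools repository: check whether an ELF
# shared library still has a static symbol table (.symtab). GDB's thread support
# (libthread_db) needs symbols from libpthread, so a stripped libpthread.so.0
# is what breaks thread debugging in scnprc/opprc as described above.
# Library locations are resolved through ldconfig rather than hard-coded, which
# is an assumption about the target system.

# Print "stripped" or "not stripped" for the ELF file given as $1;
# return 1 if the file cannot be read.
symtab_status() {
    f=$1
    [ -r "$f" ] || { echo "symtab_status: cannot read $f" >&2; return 1; }
    if readelf -S "$f" 2>/dev/null | grep -q '\.symtab'; then
        echo "not stripped"
    else
        echo "stripped"
    fi
}

# Locate a library by soname via the loader cache and report its status.
report_lib() {
    soname=$1
    path=$(ldconfig -p 2>/dev/null | awk -v s="$soname" '$1 == s { print $NF; exit }')
    if [ -z "$path" ]; then
        echo "$soname: not found in ldconfig cache"
        return 1
    fi
    printf '%s -> %s: %s\n' "$soname" "$path" "$(symtab_status "$path")"
}

# The two libraries the page says to replace with the Fedora 11 builds.
check_threading_libs() {
    report_lib libpthread.so.0
    report_lib libthread_db.so.1
}

# Run the report only when asked: sh symtab-check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_threading_libs
fi
```

<p>
On the stock system <code>report_lib libpthread.so.0</code> should say <code>stripped</code>; after installing the Fedora 11 files it should say <code>not stripped</code>, and only then is GDB's thread support worth trying.
</p>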
<h2 dir="auto">
<a rel="nofollow noopener" target="_blank" id="user-content-disclaimer" class="anchor" aria-hidden="true" href="#disclaimer"></a>Disclaimer
</h2>
<p>
All of the information is based on research dedicated to analyzing Red Star OS. The authors take no responsibility for the accuracy, completeness or quality of the information provided.
</p>