| 3880 | Jun 28 | 2003 | ||
| 150 | Jun 28 | 2003 | ||
| 20 | Aug 28 | 2005 | ||
| 2467 | Jun 28 | 2003 | ||
| 2467 | Jun 28 | 2003 | ||
| 29 | Aug 28 | 2005 | ||
| 32 | Aug 28 | 2005 |
The goal of the freeze script is simple: to halt most of the running processes on a system that may have been hacked so that potential malicious applications are stopped in their tracks. This allows a forensic analyst to examine the state of the system without worrying about a malicious app that would otherwise have continued to run.
The "freeze" script gathers all the PID's on a system and
sends a "kill -STOP" to every PID on the system except for:
Now that all the pids except for the above are halted, the analyst can take their time in examining the state of the running system. I had thought a memory image could be copied from /proc/{pid}/mem to offsystem storage, but can't seem to make that happen at the moment.
Known good apps can be restarted by hand with "kill
-CONT {pid}" or "killall -CONT httpd". If the
analyst doesn't care about the state of the application, it can simply
be killed off with "killall -9 httpd".
Known malicious apps can be examined with gdb,
simply killed outright with "kill -9 {pid}", or killed with
a core file left for future analysis with "kill -ABRT
{pid}".
Unfreezing the system is a one line command:
cd /proc ; kill -CONT [0-9]*
The tool is a shell script, and so depends on known good copies of bash/sh, awk, grep, ls, pgrep, and tty. For that reason, I'll be putting a copy of this on the Static binary CD at http://www.stearns.org/staticiso/ .
The script also depends on having the kernel return correct information about running processes, so unfortunately, if a kernel module has been loaded, all bets are off. Freeze may work correctly if the module does not alter the process list, but I wouldn't count on it.
If there are any legitimate applications running that have active network connections, the analyst has about two minutes to manually unfreeze those applications without losing those connections, assuming the analyst decides those network connections should not be lost.
The tool is especially useful for malicious code with a panic button (a tool that looks for a disconnected ethernet cable and erases the hard drive if there has been no network activity for, say, 60 seconds). By halting the application entirely, the app has no chance to check that timer and perform a malicious act. Also, any backdoor programs are halted, stopping an attacker that may be currently connected without erasing the daemon he/she was using.
An application could choose to ignore any signal (with the
exception of the KILL signal which immediately destroys the application
without any attempt at graceful shutdown). For that reason, Freeze
reports the pids for which the kill -STOP command failed.
I'm considering allowing the analyst to define both a primary signal to
send (STOP, by default), and a secondary signal to send if the primary
fails for any reason (nothing by default, just report the fact, but an
analyst could choose ABRT to create a core file, or KILL to destroy the
app entirely).
This is completely new and only lightly tested code. Do not use on a production system.
The files in this collection are part of William Stearns' software archive. If any of the links on this page do not work, you may be viewing an incomplete mirror. There is a complete list of the mirror sites at the starting page for this mirror and at the primary mirror.