Fork: 1
21a5032 / linux_kernel_hacking
forked from miura250/linux_kernel_hacking
Download ZIP 107commits
Transfer to URL with SHA
linux_kernel_hacking / 3_RootkitTechniques / 3.6_hiding_ports /
latest commit 7178b834ce
@Motoki Miura Motoki Miura authored on 6 Dec 2022
..
Makefile hiding ports wip 4 years ago
README.md add link to blog 4 years ago
ftrace_helper.h support 5.15.0 2 years ago
rootkit.c Add hide remote port (#11) 3 years ago
README.md

Linux Kernel Hacking

3.6: Hiding open ports (8080)

A more in-depth writeup for this technique is available on the blog here

Most linux applications that search for local open ports (netstat included) use the /proc/net/tcp pseudo-file to do so. In particular, parsing this file is handled by tcp4_seq_show in net/ipv4/tcp_ipv4.c. By hooking this function, we can choose to hide a particular open port from userspace.

As far as the function hooking goes, it's quite simple. We give a function declaration for the original tcp4_seq_show(), then we define the function hook_tcp4_seq_show(). This hook simply checks to see if the local port number given by sk->sk_num is 8080 (0x1f90 in hex), and if so it just returns 0. Otherwise, we go ahead and pass the given arguments to the real tcp4_seq_show().

Note that because we aren't hooking a syscall this time, we don't have to worry about pt_regs because the arguments are passed on the stack rather than in registers!

To use:

  • Build with make
  • Load with insmod rootkit.ko
  • In another terminal, create a netcat listener on port 8080 with nc -lvnp 8080
  • Check all the open local ports with netstat -tunelp
  • Observe that port 8080 is not listed!
  • Unload with rmmod rootkit
  • Check the output of netstat -tunelp again and see that port 8080 now shows up!