Fork: 1
miura250 / linux_kernel_hacking
Download ZIP 52 commits
Transfer to URL with SHA
linux_kernel_hacking / 3_RootkitTechniques / 3.6_hiding_ports /
latest commit 6ea33b8b11
@Harvey Phillips Harvey Phillips authored on 25 Aug 2020
..
Makefile hiding ports wip 5 years ago
README.md remove ftrace comments 5 years ago
ftrace_helper.h hide ports: builds and hooks, still needs guts 5 years ago
rootkit.c hiding port 8080 now works! 5 years ago
README.md

Linux Kernel Hacking

3.6: Hiding open ports (8080)

Most linux applications that search for local open ports (netstat included) use the /proc/net/tcp pseudo-file to do so. In particular, parsing this file is handled by tcp4_seq_show in net/ipv4/tcp_ipv4.c. By hooking this function, we can choose to hide a particular open port from userspace.

As far as the function hooking goes, it's quite simple. We give a function declaration for the original tcp4_seq_show(), then we define the function hook_tcp4_seq_show(). This hook simply checks to see if the local port number given by sk->sk_num is 8080 (0x1f90 in hex), and if so it just returns 0. Otherwise, we go ahead and pass the given arguments to the real tcp4_seq_show().

Note that because we aren't hooking a syscall this time, we don't have to worry about pt_regs because the arguments are passed on the stack rather than in registers!

To use:

  • Build with make
  • Load with insmod rootkit.ko
  • In another terminal, create a netcat listener on port 8080 with nc -lvnp 8080
  • Check all the open local ports with netstat -tunelp
  • Observe that port 8080 is not listed!
  • Unload with rmmod rootkit
  • Check the output of netstat -tunelp again and see that port 8080 now shows up!