Skip to content

Commit

Permalink
Merge pull request #3 from CoolerVoid/main
Browse files Browse the repository at this point in the history
update
  • Loading branch information
fengjixuchui authored Jan 12, 2023
2 parents 35be1ec + f63e6a1 commit bc520c7
Show file tree
Hide file tree
Showing 10 changed files with 707 additions and 451 deletions.
2 changes: 2 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@ generate your custom kernel module to protect your secret files. The low-level p
* The resource to protect any file in the file system to prevent writing and removal.
* The resource to unprotect any file writing and remove proper permission.
* Persistence recipes with scripts, to always up Casper-fs when you boot the system.
* Static random junk code injection in the generated LKM turns each binary unique during the compilation.
* Communication by device char (different from other Rootkits that use signal and ioctl)

## Video demo:
https://www.youtube.com/watch?v=qxLEkYFicTg
Expand Down
2 changes: 1 addition & 1 deletion module_generator/output/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ CONFIG_MODULE_SIG=n
PWD := $(shell pwd)
CC := gcc
KERNEL_PATH ?= /lib/modules/$(shell uname -r)/build
ccflags-y += -Wall -Wdeclaration-after-statement
ccflags-y += -Wall -Wdeclaration-after-statement -Wno-unused-variable -Wno-unused-function

obj-m += casperfs.o
casperfs-objs := main.o hooked.o
Expand Down
161 changes: 84 additions & 77 deletions module_generator/output/hooked.c
Original file line number Diff line number Diff line change
Expand Up @@ -14,20 +14,20 @@ void module_hide(void)

int fake_open(struct inode * inode, struct file * filp)
{
return 0;
return 0;
}


int fake_release(struct inode * inode, struct file * filp)
{
return 0;
return 0;
}


ssize_t fake_read (struct file *filp, char __user * buf, size_t count,
loff_t * offset)
{
return 0;
return 0;
}


Expand All @@ -37,40 +37,40 @@ ssize_t fake_write(struct file * filp, const char __user * buf, size_t count,
char message[128];
memset(message,0,127);

if(copy_from_user(message,buf,127)!=0)
return EFAULT;
if(copy_from_user(message,buf,127)!=0)
return EFAULT;

/* if detect the secret string in device input, show module at lsmod. */
if(strstr(message,"Shazam")!=NULL)
{
if(module_hidden==1)
if(strstr(message,"Shazam")!=NULL)
{
list_add(&THIS_MODULE->list, module_previous);
module_hidden = 0;
}
}
if(module_hidden==1)
{
list_add(&THIS_MODULE->list, module_previous);
module_hidden = 0;
}
}

/* If detect Shazam string in fake device IO turn module invisible to lsmod */
if(strstr(message,"AbraKadabra")!=NULL)
{
if(module_hidden==0)
module_hide();
}
if(strstr(message,"AbraKadabra")!=NULL)
{
if(module_hidden==0)
module_hide();
}

/* If detect hocuspocus string in fake device IO turn module invisible to lsmod */
if(strstr(message,"Alakazam")!=NULL)
{
fs_hidden = fs_hidden?0:1;
}
if(strstr(message,"Alakazam")!=NULL)
{
fs_hidden = fs_hidden?0:1;
}

/* If detect hocuspocus string in fake device IO turn module invisible to lsmod */
if(strstr(message,"Sesame")!=NULL)
{
fs_protect = fs_protect?0:1;
}
if(strstr(message,"Sesame")!=NULL)
{
fs_protect = fs_protect?0:1;
}


return count;
return count;
}


Expand All @@ -84,20 +84,19 @@ _Bool check_fs_blocklist(char *input)

total_list = sizeof(list) / sizeof(list[0]);

if(fs_protect==0)
return 0;
if(fs_protect==0)
return 0;

if(strlen(list[0]) <= 2)
{
return 0;
}
if(strlen(list[0]) <= 2)
return 0;


while(i!=total_list)
{
if(strstr(input, list[i]) != NULL)
return 1;
i++;
}
while(i!=total_list)
{
if(strstr(input, list[i]) != NULL)
return 1;
i++;
}

return 0;
}
Expand All @@ -109,23 +108,22 @@ _Bool check_fs_hidelist(char *input)
"secret.txt","my_vault.db"
};

if(fs_hidden==0)
return 0;
if(fs_hidden==0)
return 0;

total_list = sizeof(list) / sizeof(list[0]);


if(strlen(list[0]) <= 2)
{
return 0;
}
if(strlen(list[0]) <= 2)
return 0;


while(i!=total_list)
{
if(strstr(input, list[i]) != NULL)
return 1;
i++;
}
while(i!=total_list)
{
if(strstr(input, list[i]) != NULL)
return 1;
i++;
}

return 0;
}
Expand All @@ -135,26 +133,31 @@ int fh_install_hook(struct ftrace_hook *hook)
int err;

err = fh_resolve_hook_address(hook);
if (err)
return err;

if (err)
return err;

hook->ops.func = fh_ftrace_thunk;
hook->ops.flags = FTRACE_OPS_FL_SAVE_REGS
| FTRACE_OPS_FL_RECURSION
| FTRACE_OPS_FL_IPMODIFY;

err = ftrace_set_filter_ip(&hook->ops, hook->address, 0, 0);
if (err) {
pr_debug("ftrace_set_filter_ip() failed: %d\n", err);
return err;
}

if (err)
{
pr_debug("ftrace_set_filter_ip() failed: %d\n", err);
return err;
}

err = register_ftrace_function(&hook->ops);
if (err) {
pr_debug("register_ftrace_function() failed: %d\n", err);
ftrace_set_filter_ip(&hook->ops, hook->address, 1, 0);
return err;
}

if (err)
{
pr_debug("register_ftrace_function() failed: %d\n", err);
ftrace_set_filter_ip(&hook->ops, hook->address, 1, 0);
return err;
}

return 0;
}
Expand All @@ -165,14 +168,16 @@ void fh_remove_hook(struct ftrace_hook *hook)
int err;

err = unregister_ftrace_function(&hook->ops);
if (err) {
pr_debug("unregister_ftrace_function() failed: %d\n", err);
}

if (err)
pr_debug("unregister_ftrace_function() failed: %d\n", err);


err = ftrace_set_filter_ip(&hook->ops, hook->address, 1, 0);
if (err) {
pr_debug("ftrace_set_filter_ip() failed: %d\n", err);
}

if (err)
pr_debug("ftrace_set_filter_ip() failed: %d\n", err);

}


Expand All @@ -181,18 +186,20 @@ int fh_install_hooks(struct ftrace_hook *hooks, size_t count)
int err;
size_t i;

for (i = 0; i < count; i++) {
err = fh_install_hook(&hooks[i]);
if (err)
goto error;
}
for (i = 0; i < count; i++)
{
err = fh_install_hook(&hooks[i]);

if (err)
goto error;
}

return 0;

error:
while (i != 0) {
fh_remove_hook(&hooks[--i]);
}
while (i != 0)
fh_remove_hook(&hooks[--i]);


return err;
}
Expand All @@ -202,7 +209,7 @@ void fh_remove_hooks(struct ftrace_hook *hooks, size_t count)
{
size_t i;

for (i = 0; i < count; i++)
fh_remove_hook(&hooks[i]);
for (i = 0; i < count; i++)
fh_remove_hook(&hooks[i]);
}

Loading

0 comments on commit bc520c7

Please sign in to comment.