Hi, I am having problems with getdents...
ncorbuk opened this issue · 2 comments
ncorbuk commented
I have been enjoying reading your articles on https://xcellerator.github.io/posts/linux_rootkits_06/ , thank you for them :)
I am having problems with getdents... even when I copy the code exactly as you have done. I have the syscalls hooked fine and so on, but the compare doesn't work with the PREFIX. I printed out the d_name to see what it was seeing and I get this...
[42483.162289] rootkit init...
[42483.169124] orig_getdents64 table entry successfully stored
[42483.169124] orig_kill table entry successfully stored
[42483.169129] unprotected memory
[42483.169129] hack_getdents64 successfully overwritten to table entry
[42483.169130] hack_kill successfully overwritten to table entry
[42483.169132] protected memory
[42495.120329] ***** hacked kill syscall *****
[42499.988370] ***** hacked kill syscall *****
[42500.028880] ***** hacked kill syscall *****
[42510.162327] ***** hacked kill syscall *****
[42510.164126] rootkit: d_name .
[42510.164128] rootkit: d_name ..
[42510.164129] rootkit: d_name 0
[42510.164130] rootkit: d_name 1
[42510.164130] rootkit: d_name 2
[42510.164131] rootkit: d_name 3
[42510.164132] rootkit: d_name 4
[42510.164133] rootkit: d_name 5
[42510.164134] rootkit: d_name 6
[42510.164134] rootkit: d_name 8
[42510.164135] rootkit: d_name 10
[42510.164136] ***** hacked getdents64 syscall *****
[42510.167389] rootkit: d_name .
[42510.167390] rootkit: d_name ..
[42510.167391] rootkit: d_name 0
[42510.167391] rootkit: d_name 1
[42510.167391] rootkit: d_name 2
[42510.167392] rootkit: d_name 3
[42510.167392] rootkit: d_name 4
[42510.167393] rootkit: d_name 5
[42510.167393] rootkit: d_name 6
[42510.167394] rootkit: d_name 8
[42510.167394] rootkit: d_name 10
[42510.167395] ***** hacked getdents64 syscall *****
Do you know what is happening?
ncorbuk commented
I fixed it in the end, lol, sorry. My system was mostly using getdents, so adding that fixed it.
xcellerator commented
Yeah, different distros/kernels seem to prefer getdents over getdents64, or vice versa. That's why the example techniques in the repo hook both. Glad you're enjoying the articles though!
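The flip side of "some kernels use getdents, others getdents64" is a detection check: list the same directory through both raw syscalls and compare. An added example, not code from the repo or the articles: it assumes Linux with glibc and the kernel's own dirent record layouts; on an architecture without the legacy getdents syscall the comparison reports itself as unavailable instead of failing.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef SYS_getdents
#define SYS_getdents -1   /* no legacy getdents on this architecture: that view is unavailable */
#endif
/* Kernel ABI record layouts for the two syscalls (the same structs a hook has to parse). */
struct linux_dirent   { unsigned long d_ino, d_off; unsigned short d_reclen; char d_name[]; };
struct linux_dirent64 { unsigned long long d_ino; long long d_off; unsigned short d_reclen;
                        unsigned char d_type; char d_name[]; };

/* List a directory via one raw syscall (getdents64 if use64, else legacy getdents);
 * names are copied into out[]. Returns the count, or -1 if that view cannot be read. */
int list_names(const char *path, int use64, char out[][256], int max)
{
    char buf[32768];
    long got, off;
    int fd = open(path, O_RDONLY | O_DIRECTORY), n = 0;
    if (fd < 0) return -1;
    while ((got = syscall(use64 ? SYS_getdents64 : SYS_getdents, fd, buf, sizeof buf)) > 0)
        for (off = 0; off < got && n < max; ) {
            struct linux_dirent64 *d64 = (struct linux_dirent64 *)(buf + off);
            struct linux_dirent   *d32 = (struct linux_dirent *)(buf + off);
            snprintf(out[n++], 256, "%s", use64 ? d64->d_name : d32->d_name);
            off += use64 ? d64->d_reclen : d32->d_reclen;
        }
    close(fd);
    return got < 0 ? -1 : n;   /* -1 also covers ENOSYS for the missing syscall */
}

/* Count names in list a that do not appear in list b. */
int missing(char a[][256], int na, char b[][256], int nb)
{
    int cnt = 0, i, j;
    for (i = 0; i < na; i++) {
        for (j = 0; j < nb && strcmp(a[i], b[j]) != 0; j++) ;
        cnt += (j == nb);
    }
    return cnt;
}

/* Defender's cross-view check: 0 = both syscalls show the same entries; >0 = the views
 * differ, which is what a hook on only one of the two produces; -1 = not comparable. */
int cross_view_mismatch(const char *path)
{
    static char a[4096][256], b[4096][256];
    int na = list_names(path, 1, a, 4096), nb = list_names(path, 0, b, 4096);
    if (na < 0 || nb < 0) return -1;
    return missing(a, na, b, nb) + missing(b, nb, a, na);
}
```

A non-zero result on a directory you expect to be unmodified is worth investigating; a zero result only says the two syscall views agree, not that neither is hooked.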