rafael-santiago / icloak Goto Github PK

iCloak
------

What is this?
-------------

iCloak is a simple collection of codes for making invisible your stuff in kernel mode. This is done merely by using DKOM
techniques. Until now it works in Linux (4.4.x or later), FreeBSD and NetBSD.

How can I clone this?
---------------------

You can do the following:

    you@somewhere_over_a_tainted_rainbow:~/src# git clone https://github.com/rafael-santiago/icloak
    you@somewhere_over_a_tainted_rainbow:~/src# cd icloak/src
    you@somewhere_over_a_tainted_rainbow:~/src/icloak/src# git submodule update --init

or:

    you@somewhere_over_a_tainted_rainbow:~/src# git clone https://github.com/rafael-santiago/icloak --recursive

How can I build it?
-------------------

You should not build anything. All you should do is to include the icloak src sub-directory and the platform dependent
code (within src/<platform-name>) in your own LKM stuff. Anyway, if you want to execute the icloak tests you need to
install my build system (https://github.com/rafael-santiago/hefesto).

Once the build system well installed, you should clone another repo of mine:

    you@somewhere_over_a_tainted_rainbow:~/src# git clone https://github.com/rafael-santiago/helios
    you@somewhere_over_a_tainted_rainbow:~/src# cd helios
    you@somewhere_over_a_tainted_rainbow:~/src/helios#

#if defined(__linux__)

    you@somewhere_over_a_tainted_rainbow:~/src/helios# hefesto --install=lnx-module-toolset

#elif defined(__FreeBSD__)

    you@somewhere_over_a_tainted_rainbow:~/src/helios# hefesto --install=freebsd-module-toolset

#elif defined(__NetBSD__)

    you@somewhere_over_a_tainted_rainbow:~/src/helios# hefesto --install=netbsd-module-toolset

#else

# error "what are you doing here?"

#endif

    you@somewhere_over_a_tainted_rainbow:~/src/helios# cd ..
    you@somewhere_over_a_tainted_rainbow:~/src# rm -rf helios

Now your build system copy knows how to make the icloak tests, so let's go back to the icloak repo and run the build:

    you@somewhere_over_a_tainted_rainbow:~/src# cd icloak/src
    you@somewhere_over_a_tainted_rainbow:~/src/icloak/src# hefesto
    [  210.547192] *** icloak_test_monkey loaded...
    [  210.550091] -- running icloak_ko_nullity_tests...
    [  210.568997] -- passed.
    [  210.570002] -- running icloak_mk_ko_perm_nullity_tests...
    [  210.571817] -- passed.
    [  210.572462] -- running icloak_mk_ko_perm_tests...
    [  210.572996] -- passed.
    [  210.573997] -- running icloak_ko_tests...
    [  210.574695] -- passed.
    [  210.575002] *** all tests passed. [4 test(s) ran]
    you@somewhere_over_a_tainted_rainbow:~/src/icloak/src# _

In normal conditions you will get the output described above. You should notice that will be possible successfully execute
the tests only once before restarting. Because the test module hide itself in order to ascertain that all 'invisibility
incantation' is working well.

Wearing icloak on your LKM
--------------------------

Pretty simple. All you should do is to include the main icloak header:

    #include <icloak.h>

...and pass to icloak_ko() macro your LKM's name:

    icloak_ko("hidden_mod");

There is a trick to get a better invisibility in FreeBSD, you should let the kernel object file with the same name used
for naming your module during the struct 'moduledata_t' definition.

You can also include two icloak_ko():

    // One for the kernel object file.
    icloak_ko("hidden_mod.ko");

    // Another for the module name.
    // This second will return a non zero value...
    // Just ignore this return...
    // This return is only saying 'You really should simplify this stuff' ;)
    icloak_ko("rootkit_sample");

You also can make your LKM permanent by using the macro icloak_mk_ko_perm():

    icloak_mk_ko_perm("hidden_mod", NULL);

The second argument of icloak_mk_ko_perm() is a (void **). When not null it will point to the old exit module's function.
This is handy when you intend to make it non permanent again:

    void *hidden_mod_exit;

    icloak_mk_ko_perm("hidden_mod", &hidden_mod_exit);

By the way, in order to make the module non permanent you should use the macro icloak_mk_ko_nonperm():

    icloak_mk_ko_nonperm("hidden_mod", hidden_mod_exit);

All these 'invisibility macros' return zero on success.

Until now icloak_mk_ko_perm() and icloak_mk_ko_nonperm() are not available for NetBSD.

Wearing icloak on ordinary files
--------------------------------

iCloak can also hide secondary files. The file hiding feature is based on file names not full paths. Supposing you want to
hide the file '/etc/mr.hide', you should use icloak_hide_file() as follows:

    // It will hide any 'mr.hide' occurrence in the filesystem.
    icloak_hide_file("mr.hide");

The icloak_hide_file() macro does not expect an exact file name, you can use globs instead:

    // Globs are awesome and handy! :)
    icloak_hide_file("test[0123456789].*");
    icloak_hide_file("*.l0g");
    icloak_hide_file("test?.txt.hidden");

If for some reason you want to show the file again, all you should do is to pass the exact file name or related pattern to
icloak_show_file():

    icloak_show_file("mr.hide");
    icloak_show_file("*.l0g");

The icloak_hide_file() and icloak_show_file() macros also return zero on success.