Every technique used in this rootkit can be found on the internet; I am NOT responsible for any damage you might cause using my code.

apt

How ss/netstat fetch TCP/UDP connections

Let's run `strace netstat -antu`:

...
openat(AT_FDCWD, "/proc/net/tcp", O_RDONLY) = 3
read(3, "  sl  local_address rem_address "..., 4096) = 4050
read(3, "  26: 6EF9650A:C438 44465667:01B"..., 4096) = 150
read(3, "", 4096)                       = 0
close(3)                                = 0
openat(AT_FDCWD, "/proc/net/tcp6", O_RDONLY) = 3
read(3, "  sl  local_address             "..., 4096) = 1565
read(3, "", 4096)                       = 0
close(3)                                = 0
openat(AT_FDCWD, "/proc/net/udp", O_RDONLY) = 3
read(3, "  sl  local_address rem_address "..., 4096) = 1408
read(3, "", 4096)                       = 0
close(3)                                = 0
openat(AT_FDCWD, "/proc/net/udp6", O_RDONLY) = 3
read(3, "  sl  local_address             "..., 4096) = 998
write(1, "Active Internet connections (ser"..., 4096Active Internet connections (servers and established)")")
...

netstat simply reads the files under /proc/net (tcp, tcp6, udp, udp6) in turn.

`ss -antu` takes a different approach: it queries the kernel through a NETLINK_SOCK_DIAG netlink socket instead of reading /proc/net.

...
socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_SOCK_DIAG) = 3
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [32768], 4) = 0
setsockopt(3, SOL_SOCKET, SO_RCVBUF, [1048576], 4) = 0
setsockopt(3, SOL_NETLINK, NETLINK_EXT_ACK, [1], 4) = 0
bind(3, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 0
getsockname(3, {sa_family=AF_NETLINK, nl_pid=12284, nl_groups=00000000}, [12]) = 0
sendmsg(3, {msg_name={sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, msg_namelen=12, msg_iov=[{iov_base={{len=72, type=SOCK_DIAG_BY_FAMILY, flags=NLM_F_REQUEST|NLM_F_DUMP, seq=123456, pid=0}, {sdiag_family=AF_INET, sdiag_protocol=IPPROTO_TCP, idiag_ext=0, idiag_states=1<<TCP_ESTABLISHED|1<<TCP_SYN_SENT|1<<TCP_SYN_RECV|1<<TCP_FIN_WAIT1|1<<TCP_FIN_WAIT2|1<<TCP_TIME_WAIT|1<<TCP_CLOSE|1<<TCP_CLOSE_WAIT|1<<TCP_LAST_ACK|1<<TCP_LISTEN|1<<TCP_CLOSING|0x1, id={idiag_sport=htons(0), idiag_dport=htons(0), idiag_src=inet_addr("0.0.0.0"), idiag_dst=inet_addr("0.0.0.0"), idiag_if=0, idiag_cookie=[0, 0]}}}, iov_len=72}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 72
recvmsg(3, {msg_name={sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, msg_namelen=12, msg_iov=[{iov_base=NULL, iov_len=0}], msg_iovlen=1, msg_controllen=0, msg_flags=MSG_TRUNC}, MSG_PEEK|MSG_TRUNC) = 2384
recvmsg(3, {msg_name={sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, msg_namelen=12, msg_iov=[{iov_base=[{{len=96, type=SOCK_DIAG_BY_FAMILY, flags=NLM_F_MULTI, seq=123456, pid=12284}, {idiag_family=AF_INET, idiag_state=TCP_LISTEN, idiag_timer=0, idiag_retrans=0, id={idiag_sport=htons(53), idiag_dport=htons(0), idiag_src=inet_addr("192.168.122.1"), idiag_dst=inet_addr("0.0.0.0"), idiag_if=0, idiag_cookie=[98, 0]}, idiag_expires=0, idiag_rqueue=0, idiag_wqueue=32, idiag
...

There's a good example demonstrating how to hijack both ss and netstat.

For netstat the relevant function is tcp4_seq_show (the kernel side of /proc/net/tcp); for ss it is recvmsg. Because the two tools use different kernel paths, intercepting only one of them leaves the other's output unchanged, which is why both have to be handled.

