Creed brings you... KNARK V0.41!!!

Knark is a kernel-based "rootkit" for Linux 2.1-2.2 (and some 2.3 kernels).
This package includes knark.c, the heart of the package, the evil lkm
(loadable kernel module) which wraps some syscalls.

Remember that none of the programs/files included in the knark package may
be used in an illegal way, or to cause damage of any kind.


CHANGES IN 0.41:
Added a self-promotion file in /proc, HEHEHE! :-)
Moved some defines from knark.c to knark.h.
Fixed some memory leaks (I'm sure there are more to find).
Changed loads of *inode* function and variable names to *file* names.
Changed the file name from /proc/knark/inodes to /proc/knark/files, and made
file names appear instead of inode numbers/dev numbers.
Changed Makefile so knark.c compiles without warnings.
Changed knark_read() to make /proc/modules act normal when knark is hidden.
Hacked sys_time so you can get root without setuid binaries.
Minor changes in inode functions in knark.c.
rootme.c added to use the sys_time shit.
hidefile renamed to hidef, and unhidef (to unhide hidden files) has been
added.


KNOWN BUGS:
/proc/knark/files will only show the directory tree from the file system
where the file is. /proc/ioports will be shown as /ioports.
The kernel crashes sometimes when the module is unloaded, though it seems
to work quite ok while it's loaded.
Please notify me by email if you find other nasty bugs.


What is changed in the kernel when knark.o is loaded?

sys_getdents is hacked to hide arbitrary files with the hidef program
(formerly hidefile) and to hide process directories in /proc.

sys_kill is hacked to hide processes when sending signal 31, and unhide
hidden processes with signal 32.

sys_read is hacked to hide arbitrary parts of arbitrary files. This
isn't implemented yet, so just ignore this feature for now. All it does
now is hide MODULE_NAME in /proc/modules and NETSTATHIDE in
/proc/net/[udp|tcp].

sys_ioctl is hacked to hide the IFF_PROMISC flag on network devices when
SIOCGIFFLAGS is requested.

sys_fork is hacked to hide children of hidden processes.

sys_clone does the same thing as fork.

sys_query_module is hacked to hide the module and prevent unloading of
it if knark.c is compiled with HIDEMODULE defined.

sys_time is hacked to give you *uid and *gid 0 when it's called with
TIMEROOTNUM as its argument. The program rootme.c uses this feature.

A hidden directory is created, called /proc/knark. You can read
information about hidden processes in /proc/knark/pids, and hidden files
are listed in /proc/knark/files. You can change the name of the
/proc directory by changing MODULE_NAME in knark.h.
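The list above hooks sys_getdents but none of the stat calls, so an entry that readdir omits can still be reached by name. The following is an added defensive example, not code from the knark package: a userland check that compares the readdir view of /proc against direct stat() probes. It assumes Linux and the default MODULE_NAME of "knark"; all function names are my own.

```python
"""Userland check for getdents-based hiding (added example, not part of knark).

Knark hooks sys_getdents to drop /proc/<pid> entries of hidden processes and
its own /proc/knark directory, but stat()/open() on an exact name still work.
Assumption: Linux, default MODULE_NAME "knark". Function names are hypothetical.
"""
import os
from typing import Iterable, Optional, Set, Tuple


def hidden_pids(listed: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """PIDs reachable by stat() but absent from the directory listing.

    On a quiet system a non-empty result means something is filtering
    getdents. A process may also exit between the two passes, so re-run and
    keep only PIDs that show up as hidden twice before raising an alarm.
    """
    return set(probed) - set(listed)


def listed_pids() -> Set[int]:
    """PIDs as reported through readdir/getdents on /proc (the hooked path)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(pid_max: Optional[int] = None) -> Set[int]:
    """PIDs found by stat()ing /proc/<pid> directly, bypassing getdents."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    found: Set[int] = set()
    for pid in range(1, pid_max + 1):
        if os.path.exists(f"/proc/{pid}"):  # exists() is a stat(), not a getdents()
            found.add(pid)
    return found


def proc_dir_visibility(module_name: str = "knark") -> Tuple[bool, bool]:
    """(in_listing, stat_ok) for /proc/<module_name>.

    stat_ok without in_listing is the signature of a getdents-hidden directory.
    """
    in_listing = module_name in os.listdir("/proc")
    stat_ok = os.path.exists(f"/proc/{module_name}")
    return in_listing, stat_ok


if __name__ == "__main__":
    print("hidden pids:", sorted(hidden_pids(listed_pids(), probed_pids())))
    print("/proc/knark (listed, stat_ok):", proc_dir_visibility())
```

Scanning up to pid_max costs one stat() per candidate PID, so on systems with a large pid_max the scan takes a few seconds.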




I'm lame! How do I use this lkm?

First of all, remove -DHIDEMODULE from the Makefile if you want to be able to
unload the module (however, the kernel crashes sometimes when you unload
knark.o).

Then type:
make
modprobe ./knark.o
*done*

when you're not root and want root privs, type ./rootme /bin/sh (or
something else if you don't like /bin/sh).

Hide files with hidef and unhide them with unhidef. Try to figure out the
syntax if you can ;-).



Remember that sniffers can't be detected by promisc-mode checking while
knark is loaded, since sys_ioctl hides IFF_PROMISC. And files inside a
hidden directory are just as invisible as the directory itself. Don't load
and unload the lkm many times since processes may die and the kernel may
crash (email me bugfixes if you care).

This is a beta release! It may crash your system! Don't blame me! (hehe).
And don't use this program in an illegal way.

email: creed@sekure.net
ircnet: #linux.se, #hack.se (don't ask me for the key if it's +k)
efnet: #hack.se
