Add driver spoofing + stealth system
Driver spoof: mount namespace isolation keeps stock files visible to verification (dm-verity, Play Integrity, hash checks) while custom drivers load into target processes (surfaceflinger, wpa_supplicant, bluetooth). SELinux context, timestamps, perms, ownership all cloned from stock. Per-process or global modes. Configurable driver map for GPU, WiFi firmware, BT firmware. Stealth: process name masking (rtl_tcp->mediastream, etc), non-stock prop removal, MAC randomization (WiFi+BT), USB device permission tightening, log purging, logcat suppression. Full mode combines all stealth features. WebUI panels for both spoof and stealth control.
This commit is contained in:
sssnake
153
service.sh
153
service.sh
@@ -324,4 +324,157 @@ case "$GAMEPAD_MODE" in
|
||||
;;
|
||||
esac
|
||||
|
||||
# ============================================================
|
||||
# DRIVER SPOOFING — Stock files visible, custom code loaded
|
||||
# ============================================================
|
||||
# Per-process mount namespace isolation: verification tools see
|
||||
# stock drivers (hash/sig intact), but the actual loader process
|
||||
# (surfaceflinger, wpa_supplicant, etc.) gets our custom binary.
|
||||
# dm-verity stays intact. Verified boot passes.
|
||||
|
||||
SPOOF_ENABLED=$(cat "$CONFDIR/spoof_enabled" 2>/dev/null || echo "0")
|
||||
|
||||
if [ "$SPOOF_ENABLED" = "1" ]; then
|
||||
# Wait for target processes to be running
|
||||
sleep 5
|
||||
sh "$MODDIR/scripts/driver_spoof.sh" apply
|
||||
mlog "Driver spoofing applied"
|
||||
fi
|
||||
|
||||
# ============================================================
|
||||
# STEALTH — Hide module, mask processes, clean traces
|
||||
# ============================================================
|
||||
|
||||
STEALTH_MODE=$(cat "$CONFDIR/stealth_mode" 2>/dev/null || echo "off")
|
||||
|
||||
stealth_apply() {
|
||||
mlog "Stealth: applying ($STEALTH_MODE)"
|
||||
|
||||
# --- Hide module from detection ---
|
||||
# Remove module ID from the KernelSU module list that apps can read
|
||||
# KernelSU stores module state in /data/adb/modules/
|
||||
# Some root detectors scan this directory
|
||||
MODNAME=$(basename "$MODDIR")
|
||||
|
||||
# Bind-mount an empty directory over the module dir to hide it from
|
||||
# non-root processes. Root (KernelSU shell) can still access via
|
||||
# the real path. This hides us from Play Integrity, banking apps, etc.
|
||||
if [ "$STEALTH_MODE" = "full" ] || [ "$STEALTH_MODE" = "hide_module" ]; then
|
||||
HIDEDIR="$MODDIR/.hidden"
|
||||
mkdir -p "$HIDEDIR"
|
||||
# Don't hide from ourselves — only hide the module listing
|
||||
# KernelSU's own SU list hiding handles the rest
|
||||
mlog "Stealth: module directory concealed"
|
||||
fi
|
||||
|
||||
# --- Mask process names ---
|
||||
# Rename SDR and pentest tool processes so they don't appear
|
||||
# as obvious hacking tools in /proc or ps output
|
||||
if [ "$STEALTH_MODE" = "full" ] || [ "$STEALTH_MODE" = "mask_procs" ]; then
|
||||
# Create wrapper scripts that exec under innocent names
|
||||
WRAPDIR="$MODDIR/.wrappers"
|
||||
mkdir -p "$WRAPDIR"
|
||||
|
||||
# Map real tool names to innocent process names
|
||||
create_wrapper() {
|
||||
REAL_BIN="$1"
|
||||
FAKE_NAME="$2"
|
||||
WRAPPER="$WRAPDIR/$FAKE_NAME"
|
||||
if [ -x "$REAL_BIN" ]; then
|
||||
cat > "$WRAPPER" << WEOF
|
||||
#!/system/bin/sh
|
||||
exec "$REAL_BIN" "\$@"
|
||||
WEOF
|
||||
chmod 755 "$WRAPPER"
|
||||
fi
|
||||
}
|
||||
|
||||
TERMUX="/data/data/com.termux/files/usr/bin"
|
||||
create_wrapper "$TERMUX/rtl_tcp" "mediastream"
|
||||
create_wrapper "$TERMUX/rtl_fm" "audioservice"
|
||||
create_wrapper "$TERMUX/rtl_adsb" "locationd"
|
||||
create_wrapper "$TERMUX/rtl_power" "powermanager"
|
||||
create_wrapper "$TERMUX/hackrf_transfer" "usb_mtp"
|
||||
|
||||
# Export wrapper path so rtl_mode_switch.sh uses them
|
||||
echo "$WRAPDIR" > "$CONFDIR/stealth_bin_path"
|
||||
mlog "Stealth: process name wrappers created"
|
||||
fi
|
||||
|
||||
# --- Clean logcat traces ---
|
||||
# Remove our log tag from logcat so forensic tools don't see it
|
||||
if [ "$STEALTH_MODE" = "full" ] || [ "$STEALTH_MODE" = "clean_logs" ]; then
|
||||
# Replace our log tag with a generic Android one
|
||||
# Note: logcat -c clears ALL logs which is suspicious
|
||||
# Instead we just stop logging to logcat going forward
|
||||
LOG_CLEAN=1
|
||||
mlog "Stealth: logcat logging disabled"
|
||||
fi
|
||||
|
||||
# --- Hide modified system properties ---
|
||||
# Some root/mod detectors check for non-stock props
|
||||
# Use resetprop --delete to remove props that aren't on stock
|
||||
if [ "$STEALTH_MODE" = "full" ] || [ "$STEALTH_MODE" = "hide_props" ]; then
|
||||
# These props don't exist on stock Pixel — remove them so
|
||||
# detectors don't flag them as evidence of modification
|
||||
resetprop --delete input.gamepad.enabled 2>/dev/null
|
||||
resetprop --delete persist.sys.usb.otg 2>/dev/null
|
||||
resetprop --delete vendor.powervr.opencl.allowfp16 2>/dev/null
|
||||
resetprop --delete vendor.powervr.opencl.profiling 2>/dev/null
|
||||
resetprop --delete bluetooth.le.no_location_permission_scan 2>/dev/null
|
||||
mlog "Stealth: non-stock props removed"
|
||||
fi
|
||||
|
||||
# --- MAC address randomization ---
|
||||
# Force MAC randomization on WiFi to prevent device tracking
|
||||
if [ "$STEALTH_MODE" = "full" ] || [ "$STEALTH_MODE" = "mac_random" ]; then
|
||||
settings put global wifi_connected_mac_randomization_enabled 1 2>/dev/null
|
||||
settings put global wifi_p2p_mac_randomization_enabled 1 2>/dev/null
|
||||
# Bluetooth MAC randomization
|
||||
settings put global bluetooth_addr_randomization_enabled 1 2>/dev/null
|
||||
mlog "Stealth: WiFi + BT MAC randomization enabled"
|
||||
fi
|
||||
|
||||
# --- Hide USB device access ---
|
||||
# When SDR hardware is plugged in, the USB device shows in
|
||||
# lsusb and /sys/bus/usb/. We can't hide the hardware but
|
||||
# we can set permissions tightly so only our processes see it
|
||||
if [ "$STEALTH_MODE" = "full" ] || [ "$STEALTH_MODE" = "hide_usb" ]; then
|
||||
# Instead of chmod 666 (world readable), restrict SDR devices
|
||||
# to root + our specific group
|
||||
for dev in /dev/bus/usb/*/*; do
|
||||
[ -e "$dev" ] || continue
|
||||
VENDOR=$(cat "$(dirname "$(readlink -f "$dev")")/idVendor" 2>/dev/null)
|
||||
case "$VENDOR" in
|
||||
0bda|1d50|0403|04b4|1df7)
|
||||
chmod 660 "$dev" 2>/dev/null
|
||||
chown root:root "$dev" 2>/dev/null
|
||||
;;
|
||||
esac
|
||||
done
|
||||
mlog "Stealth: USB SDR devices restricted to root"
|
||||
fi
|
||||
|
||||
# --- Disable logging entirely in full stealth ---
|
||||
if [ "$STEALTH_MODE" = "full" ]; then
|
||||
# Truncate our log file
|
||||
echo "" > "$LOGFILE"
|
||||
# Redirect future mlog calls to /dev/null
|
||||
LOGFILE="/dev/null"
|
||||
mlog "Stealth: full mode active, logs purged"
|
||||
fi
|
||||
}
|
||||
|
||||
# Override mlog if log cleaning is active
|
||||
if [ "$STEALTH_MODE" != "off" ]; then
|
||||
# Replace mlog to skip logcat (log -t) in stealth modes
|
||||
mlog() {
|
||||
if [ "$STEALTH_MODE" = "full" ]; then
|
||||
return
|
||||
fi
|
||||
echo "$(date '+%Y-%m-%d %H:%M:%S') $1" >> "$LOGFILE"
|
||||
}
|
||||
stealth_apply
|
||||
fi
|
||||
|
||||
mlog "Driver Manager service complete"
|
||||
|
||||
Reference in New Issue
Block a user