  1. /*
  2.         Program bazuje na ROOTKICIE Reptile, jednak ma odwrotny cel, posiada kradziona funkcje *sys_call_table()
  3.         Dodano timer
  4.  
  5.         TODO: POROWNYWANIE sys_call_table i alert:
  6.  
  7.         SAMPLE_OUTPUT:
  8.         Apr 21 10:19:56 ubuntu kernel: [  330.941219] READ:ffff8801365abc88
  9. Apr 21 10:20:06 ubuntu kernel: [  340.871328] SETREUID:ffffffff810944a0
  10. Apr 21 10:20:06 ubuntu kernel: [  340.871328] KILL:810919f0
  11. Apr 21 10:20:06 ubuntu kernel: [  340.871328] GETDENTS64:ffffffff81222fe0
  12. Apr 21 10:20:06 ubuntu kernel: [  340.871328] GETDENTS:ffffffff8120f6a0
  13. Apr 21 10:20:06 ubuntu kernel: [  340.871328] READ:ffff880139603e78
  14.  
  15. Apr 21 10:20:16 ubuntu kernel: [  350.861391] SETREUID:ffffffff810944a0
  16. Apr 21 10:20:16 ubuntu kernel: [  350.861391] KILL:810919f0
  17. Apr 21 10:20:16 ubuntu kernel: [  350.861391] GETDENTS64:ffffffff81222fe0
  18. Apr 21 10:20:16 ubuntu kernel: [  350.861391] GETDENTS:ffffffff8120f6a0
  19. Apr 21 10:20:16 ubuntu kernel: [  350.861391] READ:ffff880139603e78
  20.  
  21. Apr 21 10:20:26 ubuntu kernel: [  360.867623] SETREUID:ffffffff810944a0
  22. Apr 21 10:20:26 ubuntu kernel: [  360.867623] KILL:810919f0
  23. Apr 21 10:20:26 ubuntu kernel: [  360.867623] GETDENTS64:ffffffff81222fe0 <-------------
  24. Apr 21 10:20:26 ubuntu kernel: [  360.867623] GETDENTS:ffffffff8120f6a0                 |
  25. Apr 21 10:20:26 ubuntu kernel: [  360.867623] READ:ffff880139603e78                     |
  26.                                                                                           HOOK REPTILE'a                                                                                                       
  27. Apr 21 10:20:36 ubuntu kernel: [  370.816977] SETREUID:ffffffffc0238000                 |
  28. Apr 21 10:20:36 ubuntu kernel: [  370.816977] KILL:c02380f0                             |
  29. Apr 21 10:20:36 ubuntu kernel: [  370.816977] GETDENTS64:ffffffffc0238370 <--------------      
  30. Apr 21 10:20:36 ubuntu kernel: [  370.816977] GETDENTS:ffffffffc02387d0
  31. Apr 21 10:20:36 ubuntu kernel: [  370.816977] READ:ffff880139603e78
  32.  
  33. Apr 21 10:20:46 ubuntu kernel: [  380.801425] SETREUID:ffffffffc0238000
  34. Apr 21 10:20:46 ubuntu kernel: [  380.801425] KILL:c02380f0
  35. Apr 21 10:20:46 ubuntu kernel: [  380.801425] GETDENTS64:ffffffffc0238370
  36. Apr 21 10:20:46 ubuntu kernel: [  380.801425] GETDENTS:ffffffffc02387d0
  37. Apr 21 10:20:46 ubuntu kernel: [  380.801425] READ:ffff880139603e78
  38.  
  39. */
  40.  
  41. #include <linux/module.h>
  42. #include <linux/syscalls.h>
  43. #include <linux/kernel.h>
  44. #include <linux/unistd.h>
  45. #include <asm/pgtable.h>
  46. #include <linux/slab.h>
  47. #include <linux/cred.h>
  48. #include <asm/uaccess.h>
  49. #include <linux/sched.h>
  50. #include <linux/dirent.h>
  51. #include <linux/slab.h>
  52. #include <linux/version.h>
  53. #include <linux/file.h>
  54. #include <linux/init.h> /* Needed for the macros */
  55. #include <linux/timer.h>
  56. #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 10, 0)
  57.         #include <linux/proc_ns.h>
  58. #else
  59.         #include <linux/proc_fs.h>
  60. #endif
  61. #if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 26)
  62.         #include <linux/fdtable.h>
  63. #endif
  64.  
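/* Poll period of the re-check timer, in milliseconds. */
int g_time_interval = 10000;
/* Periodic timer; armed in defecator_init(), re-armed from _TimerHandler(). */
struct timer_list g_timer;

/*
 * Snapshot of the sys_call_table slots this module watches. The slots hold raw
 * kernel addresses, so the snapshot must be pointer-sized. The previous
 * `asmlinkage int` declarations truncated 64-bit values to 32 bits (the
 * "KILL:810919f0" line in the sample output above is consistent with that),
 * and `asmlinkage` is a calling-convention attribute that means nothing on a
 * data object.
 */
unsigned long o_setreuid;
unsigned long o_kill;
unsigned long o_getdents64;
unsigned long o_getdents;
unsigned long o_read;
/* Text rendering of the snapshot, rebuilt by UpdateSysCallTable(). */
char CURRENT_DUMP[2048];

/* Located sys_call_table; NULL until one of the finder functions succeeds. */
static unsigned long *sct;
/* Set to 0 in defecator_init(); nothing in this file reads it. */
atomic_t read_on;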
  79.  
  80.  
/*
 * Legacy getdents(2) record layout (the kernel keeps its own copy private).
 * Nothing in the code visible in this file references it; presumably carried
 * over from the Reptile base the header mentions. d_name is a C89-style "[1]"
 * trailing array: sizeof() covers one name byte and the real name continues
 * past the end of the struct.
 */
struct linux_dirent {
        unsigned long   d_ino;
        unsigned long   d_off;
        unsigned short  d_reclen;
        char            d_name[1];
};
  87.  
  88.  
  89.  
/*
 * Return the task_struct whose pid equals @pid, or NULL when no process has it.
 * Walks the global process list with for_each_process(). The walk takes no lock
 * here, so a caller is expected to hold rcu_read_lock() or tasklist_lock —
 * NOTE(review): no caller is visible in this file, confirm before using.
 */
struct task_struct *find_task(pid_t pid){
        struct task_struct *task = current;

        for_each_process(task) {
                if (task->pid != pid)
                        continue;
                return task;
        }
        return NULL;
}
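/*
 * Find the first occurrence of @needle (@needle_size bytes) inside @haystack
 * (@haystack_size bytes).
 *
 * Returns a pointer to the match inside @haystack, @haystack itself when
 * @needle_size is 0, and NULL when there is no match or the needle is longer
 * than the haystack. Used by the sys_call_table finders to search a copied
 * chunk of syscall-entry code for an opcode pattern.
 *
 * Indexes are compared as sizes rather than as pointers: the previous bound
 * `haystack - needle_size + haystack_size` formed a pointer below the start of
 * the buffer whenever the needle was longer than the haystack, which is
 * undefined behaviour even though the loop then happened not to run.
 */
void *memmem(const void *haystack, size_t haystack_size, const void *needle, size_t needle_size) {
    const unsigned char *hay = haystack;
    size_t i;

    if (needle_size > haystack_size)
        return NULL;
    /* Empty needle matches at the start, as the original did (memcmp of 0 bytes). */
    if (needle_size == 0)
        return (void *)hay;

    /* i + needle_size <= haystack_size keeps every memcmp inside the buffer. */
    for (i = 0; i + needle_size <= haystack_size; i++) {
        if (memcmp(hay + i, needle, needle_size) == 0)
            return (void *)(hay + i);
    }
    return NULL;
}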
  106.  
  107. #if defined(x86_64) || defined(amd64)
  108.  
/*
 * Locate sys_call_table on x86_64: read the 64-bit syscall entry address from
 * MSR_LSTAR, copy the first 512 bytes of code at that address and search the
 * copy for the opcode bytes ff 14 c5 (the indirect call through the table).
 * The 32-bit displacement that follows the pattern is combined with the
 * kernel upper half 0xffffffff00000000 to form the table address. Returns NULL
 * when the pattern is not found in those 512 bytes.
 *
 * NOTE(review): the enclosing `#if defined(x86_64) || defined(amd64)` relies
 * on the build passing -Dx86_64 or -Damd64 (GCC itself predefines __x86_64__);
 * if it does not, this function is never compiled and only the generic scan
 * below remains — confirm against the Makefile.
 *
 * NOTE(review): `*(unsigned long **)` reads 8 bytes at p + 3 although the
 * displacement is 4 bytes wide; the extra bytes are masked off below, but a
 * match within the last 8 bytes of `code` would read past the buffer.
 */
unsigned long *find_sys_call_table(void) {
        unsigned long sct_off = 0;
        unsigned char code[512];
        char **p;

        /* MSR_LSTAR holds the address the CPU jumps to on `syscall`. */
        rdmsrl(MSR_LSTAR, sct_off);
        memcpy(code, (void *)sct_off, sizeof(code));

        p = (char **)memmem(code, sizeof(code), "\xff\x14\xc5", 3);

        if(p) {
                unsigned long *table = *(unsigned long **)((char *)p + 3);
                /* Keep the low 32 bits (the displacement), force the upper half. */
                table = (unsigned long *)(((unsigned long)table & 0xffffffff) | 0xffffffff00000000);
                return table;
        }
        return NULL;
}
  126.  
/*
 * Second x86_64 finder, used as a fallback by UpdateSysCallTable() and
 * defecator_init(). Reads MSR 0xC0000082 with an inline rdmsr, then scans up to
 * 500 bytes of live code at that entry point for the same ff 14 c5 pattern and
 * returns the 4-byte displacement after it OR-ed with the kernel upper half.
 *
 * NOTE(review): 0xC0000082 is IA32_LSTAR, the very MSR that MSR_LSTAR names in
 * find_sys_call_table() — so despite the name this does not locate the ia32
 * compat table. The two differ only in how the MSR is read, in scanning the
 * live text rather than a copy, and in reading the displacement as an
 * unsigned int (no 8-byte over-read here).
 *
 * NOTE(review): `low` is a signed int, so `((long)high<<32)|low` sign-extends
 * it; that only yields the right address when high is 0xffffffff, as it is for
 * the addresses in the sample output above. `(unsigned int)low` would make the
 * intent explicit.
 */
unsigned long *ia32_find_sys_call_table(void) {
        unsigned char *p = 0;
        void *system_call = 0;
        int i=0, low, high, ia32_lstar=0xC0000082;

        asm("rdmsr" : "=a" (low), "=d" (high) : "c" (ia32_lstar));
        system_call = (void*)(((long)high<<32)|low);

        for(p = system_call, i=0; i<500; i++){
                if(p[0]==0xff && p[1]==0x14 && p[2]==0xc5)
                        return (void*)(0xffffffff00000000 | *((unsigned int *)(p + 3)));
                p++;
        }
        return NULL;
}
  142.  
  143. #elif defined(i686) || defined(i386) || defined(x86)
  144.  
/* i386 only: destination of `sidt` — the IDT limit/base register pair. */
struct {
        unsigned short limit;
        unsigned long base;
} __attribute__ ((packed))idtr;

/* i386 only: one IDT gate descriptor; off1/off2 are the split handler offset. */
struct {
        unsigned short off1;
        unsigned short sel;
        unsigned char none, flags;
        unsigned short off2;
} __attribute__ ((packed))idt;
  156.  
/*
 * i386 counterpart of the x86_64 finder: read the IDT register with `sidt`,
 * copy the gate descriptor for vector 0x80 (the int 0x80 syscall entry),
 * rebuild its handler offset from off2:off1, copy 255 bytes of code from that
 * handler and search them for the opcode bytes ff 14 85 (the indirect call
 * through the table). The 32-bit absolute address that follows the pattern is
 * returned as-is. Returns NULL when the pattern is not found.
 */
unsigned long *find_sys_call_table(void) {
        char **p;
        unsigned long sct_off = 0;
        unsigned char code[255];

        asm("sidt %0":"=m" (idtr));
        /* Gate descriptors are 8 bytes each; vector 0x80 is the syscall gate. */
        memcpy(&idt, (void *)(idtr.base + 8 * 0x80), sizeof(idt));
        sct_off = (idt.off2 << 16) | idt.off1;
        memcpy(code, (void *)sct_off, sizeof(code));

        p = (char **)memmem(code, sizeof(code), "\xff\x14\x85", 3);

        if(p) return *(unsigned long **)((char *)p + 3);
        else return NULL;
}
  172.  
  173. #endif
  174.  
/*
 * Architecture-independent last resort: walk kernel memory from PAGE_OFFSET
 * upwards one pointer at a time and treat the first address whose
 * __NR_close slot equals sys_close as the syscall table. Returns NULL only if
 * the whole range is exhausted. NOTE(review): the scan dereferences every
 * candidate address directly, so it can fault on an unmapped page — confirm
 * this is acceptable on the target kernels.
 */
unsigned long *generic_find_sys_call_table(void){
        unsigned long addr;

        for (addr = PAGE_OFFSET; addr < ULONG_MAX; addr += sizeof(void *)) {
                unsigned long *candidate = (unsigned long *)addr;

                if (candidate[__NR_close] != (unsigned long)sys_close)
                        continue;
                return candidate;
        }
        return NULL;
}
  187.  
  188.  
  189.  
  190.  
  191.  
  192.  
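/*
 * Re-locate sys_call_table and refresh the snapshot of the watched entries.
 *
 * Tries the arch-specific finder first, then (x86_64) the MSR-based fallback,
 * then the brute-force scan. On success it stores the current table values for
 * setreuid/kill/getdents64/getdents/read in the o_* globals and renders them
 * into CURRENT_DUMP.
 *
 * Returns 0 on success, -1 when no table could be found; in that case the o_*
 * values and CURRENT_DUMP are left as they were. The original was declared
 * void yet executed `return -1`, which is not valid C; the callers in this file
 * ignore the result, so returning int is backward compatible.
 *
 * TODO (from the file header): compare each fresh value with the initial
 * snapshot and raise an alert when a slot changes, instead of only logging.
 */
int UpdateSysCallTable(void)
{
        sct = (unsigned long *)find_sys_call_table();

#if defined(x86_64) || defined(amd64)
        if(!sct) sct = (unsigned long *)ia32_find_sys_call_table();
#endif
        if(!sct) sct = (unsigned long *)generic_find_sys_call_table();
        if(!sct) return -1;

        /* Table slots are function addresses; keep them as raw unsigned longs. */
        o_setreuid = sct[__NR_setreuid];
        o_kill = sct[__NR_kill];
        o_getdents64 = sct[__NR_getdents64];
        o_getdents = sct[__NR_getdents];
        o_read = sct[__NR_read];

        /*
         * snprintf bounds the write and always NUL-terminates, so the memset is
         * no longer needed. The previous sprintf had five %llx conversions but
         * only four arguments (o_getdents was missing) and passed non-long-long
         * values to %llx, so the GETDENTS and READ lines printed whatever was
         * left in the argument registers.
         */
        snprintf(CURRENT_DUMP, sizeof(CURRENT_DUMP),
                 "SETREUID:%lx\r\nKILL:%lx\r\nGETDENTS64:%lx\r\nGETDENTS:%lx\r\nREAD:%lx\r\n",
                 (unsigned long)o_setreuid, (unsigned long)o_kill,
                 (unsigned long)o_getdents64, (unsigned long)o_getdents,
                 (unsigned long)o_read);

        return 0;
}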
  212.  
  213.  
  214.  
  215.  
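/*
 * Timer callback: re-arm the poll timer, refresh the syscall-table snapshot and
 * write it to the kernel log.
 *
 * @data: unused (argument of the legacy setup_timer() callback convention).
 *
 * NOTE(review): the name starts with an underscore and an uppercase letter,
 * which C reserves for the implementation; it is kept because defecator_init()
 * registers it by this name. NOTE(review): this is the pre-4.15 callback
 * signature — kernels that dropped setup_timer() expect a struct timer_list *
 * callback registered with timer_setup().
 */
void _TimerHandler(unsigned long data)
{
        /* Restarting the timer... */
        mod_timer(&g_timer, jiffies + msecs_to_jiffies(g_time_interval));
        UpdateSysCallTable();
        /*
         * CURRENT_DUMP is module-built text, not a format string: pass it as a
         * "%s" argument so printk never interprets a '%' sequence inside it.
         * The log level is left at the default, as before.
         */
        printk("%s", CURRENT_DUMP);
}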
  225.  
  226.  
  227.  
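/*
 * Module entry point: locate sys_call_table, take the first snapshot, log it,
 * and only then start the periodic re-check timer.
 *
 * Returns 0 on success, or -ENOENT when no syscall table could be located
 * (the original returned -1, which insmod reports as the misleading EPERM).
 *
 * Ordering matters: the original armed the timer first and returned on lookup
 * failure, which left a pending timer pointing at _TimerHandler() in a module
 * whose load had just failed. The commented-out table-patching code inherited
 * from the Reptile base has been removed; this module only observes the table.
 */
static int __init defecator_init(void) {

        printk(KERN_INFO "DEFECAT00R inserted into KELNER!!!.\n");

        atomic_set(&read_on, 0);

        sct = (unsigned long *)find_sys_call_table();
#if defined(x86_64) || defined(amd64)
        if(!sct) sct = (unsigned long *)ia32_find_sys_call_table();
#endif
        if(!sct) sct = (unsigned long *)generic_find_sys_call_table();
        if(!sct) {
                printk(KERN_ERR "defecator: sys_call_table not found, not loading.\n");
                return -ENOENT;
        }

        /* Builds CURRENT_DUMP (it repeats the lookup internally). */
        UpdateSysCallTable();
        printk("%s", CURRENT_DUMP);

        /* Starting the timer. */
        setup_timer(&g_timer, _TimerHandler, 0);
        mod_timer(&g_timer, jiffies + msecs_to_jiffies(g_time_interval));

        return 0;
}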
  256.  
  257.  
  258.  
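/*
 * Module exit: stop the poll timer, then log the unload.
 *
 * del_timer_sync() replaces del_timer(): besides removing a pending timer it
 * waits for a _TimerHandler() invocation already running on another CPU to
 * finish, so the module text is not freed underneath it. del_timer() alone can
 * return while the handler is still executing.
 */
static void __exit defecator_exit(void)
{
        del_timer_sync(&g_timer);
        printk(KERN_INFO "My module exited from kernel!!!\n");
}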
  264.  
/* Module registration and metadata. */
module_init(defecator_init);
module_exit(defecator_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("zeroinside");
MODULE_DESCRIPTION("Defecator - A linux LKM rootkit detector based on Reptile");