- /*
- Program bazuje na ROOTKICIE Reptile, jednak ma odwrotny cel, posiada kradziona funkcje *sys_call_table()
- Dodano timer
- TODO: POROWNYWANIE sys_call_table i alert:
- SAMPLE_OUTPUT:
- Apr 21 10:19:56 ubuntu kernel: [ 330.941219] READ:ffff8801365abc88
- Apr 21 10:20:06 ubuntu kernel: [ 340.871328] SETREUID:ffffffff810944a0
- Apr 21 10:20:06 ubuntu kernel: [ 340.871328] KILL:810919f0
- Apr 21 10:20:06 ubuntu kernel: [ 340.871328] GETDENTS64:ffffffff81222fe0
- Apr 21 10:20:06 ubuntu kernel: [ 340.871328] GETDENTS:ffffffff8120f6a0
- Apr 21 10:20:06 ubuntu kernel: [ 340.871328] READ:ffff880139603e78
- Apr 21 10:20:16 ubuntu kernel: [ 350.861391] SETREUID:ffffffff810944a0
- Apr 21 10:20:16 ubuntu kernel: [ 350.861391] KILL:810919f0
- Apr 21 10:20:16 ubuntu kernel: [ 350.861391] GETDENTS64:ffffffff81222fe0
- Apr 21 10:20:16 ubuntu kernel: [ 350.861391] GETDENTS:ffffffff8120f6a0
- Apr 21 10:20:16 ubuntu kernel: [ 350.861391] READ:ffff880139603e78
- Apr 21 10:20:26 ubuntu kernel: [ 360.867623] SETREUID:ffffffff810944a0
- Apr 21 10:20:26 ubuntu kernel: [ 360.867623] KILL:810919f0
- Apr 21 10:20:26 ubuntu kernel: [ 360.867623] GETDENTS64:ffffffff81222fe0 <-------------
- Apr 21 10:20:26 ubuntu kernel: [ 360.867623] GETDENTS:ffffffff8120f6a0 |
- Apr 21 10:20:26 ubuntu kernel: [ 360.867623] READ:ffff880139603e78 |
- HOOK REPTILE'a
- Apr 21 10:20:36 ubuntu kernel: [ 370.816977] SETREUID:ffffffffc0238000 |
- Apr 21 10:20:36 ubuntu kernel: [ 370.816977] KILL:c02380f0 |
- Apr 21 10:20:36 ubuntu kernel: [ 370.816977] GETDENTS64:ffffffffc0238370 <--------------
- Apr 21 10:20:36 ubuntu kernel: [ 370.816977] GETDENTS:ffffffffc02387d0
- Apr 21 10:20:36 ubuntu kernel: [ 370.816977] READ:ffff880139603e78
- Apr 21 10:20:46 ubuntu kernel: [ 380.801425] SETREUID:ffffffffc0238000
- Apr 21 10:20:46 ubuntu kernel: [ 380.801425] KILL:c02380f0
- Apr 21 10:20:46 ubuntu kernel: [ 380.801425] GETDENTS64:ffffffffc0238370
- Apr 21 10:20:46 ubuntu kernel: [ 380.801425] GETDENTS:ffffffffc02387d0
- Apr 21 10:20:46 ubuntu kernel: [ 380.801425] READ:ffff880139603e78
- */
- #include <linux/module.h>
- #include <linux/syscalls.h>
- #include <linux/kernel.h>
- #include <linux/unistd.h>
- #include <asm/pgtable.h>
- #include <linux/slab.h>
- #include <linux/cred.h>
- #include <asm/uaccess.h>
- #include <linux/sched.h>
- #include <linux/dirent.h>
- #include <linux/slab.h>
- #include <linux/version.h>
- #include <linux/file.h>
- #include <linux/init.h> /* Needed for the macros */
- #include <linux/timer.h>
- #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 10, 0)
- #include <linux/proc_ns.h>
- #else
- #include <linux/proc_fs.h>
- #endif
- #if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 26)
- #include <linux/fdtable.h>
- #endif
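/* Period of the sampling timer, in milliseconds (10 s). */
int g_time_interval = 10000;
struct timer_list g_timer;
/*
 * Last-seen sys_call_table entries for the watched syscalls, filled by
 * UpdateSysCallTable(). They hold kernel addresses, so they are pointers
 * rather than the original `asmlinkage int`: an int cannot hold a 64-bit
 * address (consistent with the KILL line in the sample output above being
 * cut to 32 bits), and asmlinkage is a calling-convention attribute for
 * functions that meant nothing on a data object.
 */
void *o_setreuid;
void *o_kill;
void *o_getdents64;
void *o_getdents;
void *o_read;
/* Text rendered by UpdateSysCallTable() and printed by the timer handler. */
char CURRENT_DUMP[2048];
/* Cached sys_call_table address; NULL until one of the locators finds it. */
static unsigned long *sct;
/* Only ever reset in defecator_init; no visible reader (Reptile leftover). */
atomic_t read_on;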
/*
 * Legacy getdents(2) record layout, carried over from the Reptile code base.
 * Nothing in this file references it. d_name[1] is the old-style stand-in
 * for a trailing variable-length name.
 */
struct linux_dirent {
unsigned long d_ino;
unsigned long d_off;
unsigned short d_reclen;
char d_name[1];
};
/*
 * Walk the process list and return the task_struct whose pid matches, or
 * NULL when there is none. for_each_process() overwrites its cursor, so the
 * cursor's initial value is irrelevant. NOTE(review): for_each_process is a
 * tasklist walk and is normally done under rcu_read_lock() or tasklist_lock;
 * there is no visible caller of this helper in the file.
 */
struct task_struct *find_task(pid_t pid){
	struct task_struct *task = NULL;

	for_each_process(task) {
		if (task->pid != pid)
			continue;
		return task;
	}
	return NULL;
}
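/*
 * Minimal memmem(): find the first occurrence of `needle` (needle_size bytes)
 * inside `haystack` (haystack_size bytes). Returns a pointer into haystack,
 * or NULL when the needle is absent. An empty needle matches at haystack.
 *
 * The original bounded the scan with `haystack - needle_size + haystack_size`,
 * pointer arithmetic that leaves the buffer (undefined behaviour) whenever
 * needle_size exceeds haystack_size. The sizes are compared first here and the
 * last candidate offset is derived from their difference.
 */
void *memmem(const void *haystack, size_t haystack_size, const void *needle, size_t needle_size) {
	const unsigned char *base = haystack;
	size_t last, off;

	if (needle_size > haystack_size)
		return NULL;
	last = haystack_size - needle_size;
	for (off = 0; off <= last; off++) {
		if (memcmp(base + off, needle, needle_size) == 0)
			return (void *)(base + off);
	}
	return NULL;
}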
- #if defined(x86_64) || defined(amd64)
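/*
 * Locate sys_call_table on x86-64: read the syscall entry point from
 * MSR_LSTAR, copy its first 512 bytes and look for the indirect call through
 * the table (opcode bytes ff 14 c5 followed by a 32-bit displacement). The
 * displacement is widened to a kernel address by or-ing in the high word,
 * exactly as the original did. Returns NULL when the pattern is not found.
 *
 * The displacement is 4 bytes; the original dereferenced it as an 8-byte
 * unsigned long, which could read past the end of `code` when the match sat
 * in the last bytes of the window. The window is now 4 bytes shorter and the
 * displacement is fetched with memcpy (no unaligned pointer cast).
 *
 * NOTE(review): the x86_64/amd64 macros selecting this block are not among
 * GCC's predefined macros (those are __x86_64__/__amd64__); presumably the
 * build supplies them — verify against the Makefile.
 */
unsigned long *find_sys_call_table(void) {
	unsigned long entry = 0;
	unsigned char code[512];
	unsigned char *hit;
	unsigned int disp32;

	rdmsrl(MSR_LSTAR, entry);
	memcpy(code, (void *)entry, sizeof(code));
	/* Leave room for the 4-byte displacement that follows the 3-byte opcode. */
	hit = memmem(code, sizeof(code) - sizeof(disp32), "\xff\x14\xc5", 3);
	if (!hit)
		return NULL;
	memcpy(&disp32, hit + 3, sizeof(disp32));
	return (unsigned long *)(0xffffffff00000000UL | disp32);
}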
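/*
 * Fallback x86-64 locator: read MSR 0xC0000082 (IA32_LSTAR, the same entry
 * point rdmsrl(MSR_LSTAR) returns) with an inline rdmsr, then scan the entry
 * code in place, over the first 500 byte positions, for the ff 14 c5 opcode.
 * Returns the sign-extended 32-bit displacement after the opcode as the table
 * address, or NULL.
 *
 * `low`/`high` and the MSR index are unsigned now: the original declared them
 * int, so 0xC0000082 did not fit and `(long)high << 32` left-shifted a
 * negative value (kernel addresses have the top bit set), which is undefined
 * behaviour. The displacement is read with memcpy instead of through an
 * unaligned `unsigned int *`.
 */
unsigned long *ia32_find_sys_call_table(void) {
	unsigned char *p;
	unsigned int low = 0, high = 0, msr = 0xC0000082;
	unsigned long entry;
	unsigned int disp32;
	int i;

	asm("rdmsr" : "=a" (low), "=d" (high) : "c" (msr));
	entry = ((unsigned long)high << 32) | low;
	p = (unsigned char *)entry;
	for (i = 0; i < 500; i++, p++) {
		if (p[0] == 0xff && p[1] == 0x14 && p[2] == 0xc5) {
			memcpy(&disp32, p + 3, sizeof(disp32));
			return (unsigned long *)(0xffffffff00000000UL | disp32);
		}
	}
	return NULL;
}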
- #elif defined(i686) || defined(i386) || defined(x86)
/*
 * Image of the IDTR register as written by `sidt`: 16-bit limit followed by
 * the base address (unsigned long is 32 bits on the i386 target this block is
 * built for). Packed so the layout matches the instruction's output.
 */
struct {
unsigned short limit;
unsigned long base;
} __attribute__ ((packed))idtr;
/*
 * One 8-byte IDT gate; the handler offset is split across off1 (low 16 bits)
 * and off2 (high 16 bits), reassembled in find_sys_call_table().
 */
struct {
unsigned short off1;
unsigned short sel;
unsigned char none, flags;
unsigned short off2;
} __attribute__ ((packed))idt;
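/*
 * Locate sys_call_table on 32-bit x86: read the IDT base with `sidt`, copy
 * gate 0x80 (8-byte entries, so offset 8 * 0x80), rebuild the handler address
 * from its two 16-bit halves and scan the handler's first 255 bytes for the
 * indirect call through the table (opcode ff 14 85 followed by the table's
 * 32-bit address). Returns that address or NULL.
 *
 * `idt.off2 << 16` promoted off2 to int, so any high half >= 0x8000 shifted
 * into the sign bit (undefined behaviour); the shift is done in unsigned long.
 * The scan window is shortened by the size of the trailing address so the
 * read after the opcode stays inside `code`, and the address is copied out
 * with memcpy rather than through an unaligned pointer cast.
 */
unsigned long *find_sys_call_table(void) {
	unsigned long handler;
	unsigned char code[255];
	unsigned char *hit;
	unsigned long table;

	asm("sidt %0":"=m" (idtr));
	memcpy(&idt, (void *)(idtr.base + 8 * 0x80), sizeof(idt));
	handler = ((unsigned long)idt.off2 << 16) | idt.off1;
	memcpy(code, (void *)handler, sizeof(code));
	hit = memmem(code, sizeof(code) - sizeof(table), "\xff\x14\x85", 3);
	if (!hit)
		return NULL;
	memcpy(&table, hit + 3, sizeof(table));
	return (unsigned long *)table;
}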
- #endif
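/*
 * Last-resort locator: walk kernel virtual memory from PAGE_OFFSET one
 * pointer at a time and return the first address whose __NR_close slot holds
 * sys_close. Returns NULL if the walk ends without a hit.
 *
 * This dereferences arbitrary kernel addresses with no check that they are
 * mapped, so it can fault; it is only reached after the architecture-specific
 * locators have failed.
 *
 * The bound is `ULONG_MAX - sizeof(void *)` rather than `ULONG_MAX`: the
 * cursor advances in pointer-sized steps, so with the original bound the
 * increment after the last valid step wrapped to 0 and the walk restarted
 * from the NULL page instead of terminating.
 */
unsigned long *generic_find_sys_call_table(void){
	unsigned long addr;

	for (addr = PAGE_OFFSET; addr <= ULONG_MAX - sizeof(void *); addr += sizeof(void *)) {
		unsigned long *candidate = (unsigned long *)addr;
		if (candidate[__NR_close] == (unsigned long)sys_close)
			return candidate;
	}
	return NULL;
}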
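/*
 * Refresh the cached sys_call_table pointer, capture the entries this
 * detector watches (setreuid, kill, getdents64, getdents, read) into the
 * o_* globals and render them into CURRENT_DUMP as "NAME:hexaddr" lines.
 *
 * The first successful call records a baseline; later calls compare against
 * it and log one KERN_ALERT line per entry that differs, which is the trace a
 * table-patching LKM leaves (compare the two halves of the sample output in
 * the file header). This is the comparison the header's TODO asks for.
 *
 * Returns 0 on success, -1 when no sys_call_table could be located; the
 * globals and CURRENT_DUMP are then left as they were. Callers may ignore
 * the result. Not reentrant: the static baseline and CURRENT_DUMP are
 * updated without locking, so callers must not overlap (defecator_init
 * samples once before the timer is armed).
 *
 * Fixes relative to the original: `return -1` from a void function; sprintf
 * given five conversions but four arguments with o_getdents missing, so the
 * GETDENTS line showed o_read and the READ line an unsupplied argument
 * (undefined behaviour — which would explain READ varying between samples);
 * %llx applied to int objects; and &CURRENT_DUMP, a char (*)[2048], passed
 * where a char * is expected. snprintf bounds the writes.
 */
int UpdateSysCallTable(void)
{
	enum { NWATCHED = 5 };
	static const int watched_nr[NWATCHED] = {
		__NR_setreuid, __NR_kill, __NR_getdents64, __NR_getdents, __NR_read,
	};
	static const char *const watched_name[NWATCHED] = {
		"SETREUID", "KILL", "GETDENTS64", "GETDENTS", "READ",
	};
	static unsigned long baseline[NWATCHED];
	static int have_baseline;
	unsigned long cur[NWATCHED];
	size_t used = 0;
	int i;

	sct = (unsigned long *)find_sys_call_table();
#if defined(x86_64) || defined(amd64)
	if (!sct)
		sct = (unsigned long *)ia32_find_sys_call_table();
#endif
	if (!sct)
		sct = (unsigned long *)generic_find_sys_call_table();
	if (!sct)
		return -1;

	for (i = 0; i < NWATCHED; i++)
		cur[i] = sct[watched_nr[i]];
	o_setreuid = (void *)cur[0];
	o_kill = (void *)cur[1];
	o_getdents64 = (void *)cur[2];
	o_getdents = (void *)cur[3];
	o_read = (void *)cur[4];

	memset(CURRENT_DUMP, 0, sizeof(CURRENT_DUMP));
	for (i = 0; i < NWATCHED; i++) {
		int n = snprintf(CURRENT_DUMP + used, sizeof(CURRENT_DUMP) - used,
				 "%s:%lx\r\n", watched_name[i], cur[i]);
		/* Five lines fit in 2048 bytes with room to spare; stop on truncation anyway. */
		if (n < 0 || (size_t)n >= sizeof(CURRENT_DUMP) - used)
			break;
		used += (size_t)n;
	}

	if (!have_baseline) {
		memcpy(baseline, cur, sizeof(baseline));
		have_baseline = 1;
	} else {
		for (i = 0; i < NWATCHED; i++) {
			if (cur[i] != baseline[i])
				printk(KERN_ALERT "defecator: sys_call_table entry %s changed: %lx -> %lx\n",
				       watched_name[i], baseline[i], cur[i]);
		}
	}
	return 0;
}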
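/*
 * Periodic sampler, registered with setup_timer() in defecator_init (`data`
 * is the setup_timer cookie and is unused). Refreshes the sys_call_table
 * snapshot, logs it, then re-arms itself g_time_interval ms ahead.
 *
 * `printk(CURRENT_DUMP)` used the buffer as the format string; "%s" prints it
 * as data, so a stray '%' in the buffer can never be interpreted. Re-arming
 * after the work instead of before it means a slow sample (the generic
 * fallback scan can be slow) is never overlapped by the next firing. The
 * leading-underscore name is reserved in C, but it is kept because
 * defecator_init registers the handler under this name.
 */
void _TimerHandler(unsigned long data)
{
	UpdateSysCallTable();
	printk(KERN_INFO "%s", CURRENT_DUMP);
	/* Restart the timer only once this sample is done. */
	mod_timer(&g_timer, jiffies + msecs_to_jiffies(g_time_interval));
}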
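/*
 * Module entry point: locate sys_call_table, take the first sample, and only
 * then arm the periodic timer.
 *
 * The original armed the timer first and looked the table up afterwards, so
 * a failed lookup returned an error with a live timer still pointing at the
 * handler of a module that was never loaded. Looking up first and arming
 * last closes that window. The commented-out table-hooking block has been
 * dropped; this module only reads the table.
 *
 * Returns 0 on success or -ENOENT when no sys_call_table could be found.
 */
static int __init defecator_init(void) {
	printk(KERN_INFO "DEFECAT00R inserted into KELNER!!!.\n");
	atomic_set(&read_on, 0);

	sct = (unsigned long *)find_sys_call_table();
#if defined(x86_64) || defined(amd64)
	if (!sct)
		sct = (unsigned long *)ia32_find_sys_call_table();
#endif
	if (!sct)
		sct = (unsigned long *)generic_find_sys_call_table();
	if (!sct) {
		printk(KERN_ERR "defecator: sys_call_table not found, not loading\n");
		return -ENOENT;
	}

	/* First sample, so CURRENT_DUMP is populated before the timer ever runs. */
	UpdateSysCallTable();
	printk(KERN_INFO "%s", CURRENT_DUMP);

	/* Start the timer only now that everything it touches is initialised. */
	setup_timer(&g_timer, _TimerHandler, 0);
	mod_timer(&g_timer, jiffies + msecs_to_jiffies(g_time_interval));
	return 0;
}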
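/*
 * Module exit: stop the sampler before the module text goes away.
 *
 * del_timer_sync() rather than del_timer(): it waits for a handler that is
 * running on another CPU to finish and then also removes the timer that
 * handler re-armed, so nothing can fire into unloaded code. del_timer() only
 * dequeued a pending timer and returned immediately.
 */
static void __exit defecator_exit(void)
{
	del_timer_sync(&g_timer);
	printk(KERN_INFO "My module exited from kernel!!!\n");
}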
/* Module registration hooks and the metadata modinfo reports. */
module_init(defecator_init);
module_exit(defecator_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("zeroinside");
MODULE_DESCRIPTION("Defecator - A linux LKM rootkit detector based on Reptile");