#include <linux/cred.h>      /* current_cred(), kuid_t conversion helpers */
#include <linux/errno.h>     /* -ENOMEM, -ENOENT */
#include <linux/kallsyms.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/slab.h>      /* kmalloc() */
#include <linux/syscalls.h>
#include <linux/uaccess.h>   /* strncpy_from_user() */
#include <asm/unistd.h>
  8.  
  9.  
/*
 * Address of the kernel syscall table, filled in by pblock_init() via
 * get_sys_call_table() and used to swap the __NR_execve slot.
 * NOTE(review): nothing outside this file needs it; `static` would keep it
 * out of the global namespace.
 */
unsigned long **sys_call_table;

/* sysfs object created under kernel_kobj by pblock_init(), released by pblock_exit(). */
static struct kobject *pblock_kobj;
  13.  
  14.  
/*
 * Per-user rule record.  Not referenced elsewhere on this page; presumably
 * meant to be linked into pblock_rules.users_rule — confirm against the
 * rest of the module.
 */
struct pblock_user_rule
{
    u_int uid;      /* user id the rule applies to (by name only; not used here) */
    int is_start;   /* NOTE(review): semantics of the start/stop pair not visible in this file */
    int is_stop;
};
  21.  
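/*
 * Rule set for one process name.  Not referenced elsewhere on this page.
 *
 * Fix: the first member ended with a comma instead of a semicolon, which
 * does not compile.
 */
struct pblock_rules
{
    char *proc_name;              /* process name the rules apply to; ownership not shown here */
    struct list_head users_rule;  /* presumably a list of struct pblock_user_rule — confirm */
};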
  27.  
/*
 * Original execve syscall entry, saved by pblock_init() before the table
 * slot is replaced and restored by pblock_exit().  hacked_sys_execve()
 * forwards every call to it.
 * NOTE(review): only this file uses it; `static` would be appropriate.
 */
asmlinkage long (*orig_sys_execve)(const char __user *filename, const char __user * const __user *argv, const char __user * const __user *envp);
  29.  
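/*
 * Replacement execve entry: logs the calling task's uid/euid and the
 * requested path, then forwards to the saved original entry.
 *
 * Fixes relative to the original:
 *  - `filename` is a user-space pointer.  Handing it to printk "%s"
 *    dereferences user memory directly from kernel context, which faults
 *    on kernels that enforce user/kernel separation.  Copy it through
 *    strncpy_from_user() into a bounded kernel buffer instead.
 *  - cred->uid / cred->euid are kuid_t on kernels with user namespaces;
 *    printing them with "%d" passes a struct through varargs.  Convert
 *    with from_kuid() and print as unsigned.
 *
 * Returns whatever the original execve returns.
 */
static asmlinkage long hacked_sys_execve(const char __user *filename, const char __user * const __user *argv, const char __user * const __user *envp)
{
    /* Kernel stacks are small: keep the log copy of the path modest. */
    enum { PBLOCK_PATH_LOG_LEN = 256 };
    char path[PBLOCK_PATH_LOG_LEN];
    const struct cred *cred = current_cred();
    long copied;

    /*
     * strncpy_from_user() returns a negative errno on fault and does NOT
     * terminate the buffer when the source is at least as long as the
     * limit, so terminate explicitly in the success case.
     */
    copied = strncpy_from_user(path, filename, sizeof path);
    if (copied < 0)
        snprintf(path, sizeof path, "<unreadable:%ld>", copied);
    else
        path[sizeof path - 1] = '\0';

    printk(KERN_INFO "user: %u/%u exec : %s\n",
           from_kuid(&init_user_ns, cred->uid),
           from_kuid(&init_user_ns, cred->euid),
           path);

    /* Never swallow the call: always hand it to the real implementation. */
    return orig_sys_execve(filename, argv, envp);
}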
  38.  
  39.  
/*
 * Locate the syscall table by brute-force scanning kernel memory: start at
 * PAGE_OFFSET and step one pointer at a time until the candidate's
 * __NR_close slot holds the address of sys_close.  Returns NULL if the
 * scan ends without a match.
 *
 * NOTE(review): nothing here checks that a probed address is mapped, so a
 * read past the mapped region would fault in kernel context; and because
 * `offset` is only unsigned long, the bound `offset < ULLONG_MAX` is always
 * true on 32-bit targets, where the loop can only end on a match.  The
 * comparison also needs sys_close to be a resolvable symbol.  Left as is.
 */
static unsigned long **get_sys_call_table(void)
{
    unsigned long int offset = PAGE_OFFSET; // 0xc0000000 on 32-bit x86 by default; other targets use a different base
    unsigned long **sct;

    while (offset < ULLONG_MAX) {
        sct = (unsigned long **) offset;

        /* Probe: does this candidate table map __NR_close to sys_close? */
        if (sct[__NR_close] == (unsigned long *) sys_close)
            return sct;

        offset += sizeof(void *);
    }

    return NULL;
}
  56.  
  57.  
/*
 * Clear CR0.WP (bit 16) so supervisor-mode writes stop honouring read-only
 * page protections; pblock_init()/pblock_exit() call this around the table
 * write.  Leaves CR0 untouched if the bit is already clear.
 *
 * NOTE(review): nothing disables preemption or interrupts around the window
 * this opens, so another task can run with WP cleared until
 * enable_wp_protection() is reached.
 */
static void disable_wp_protection(void)
{
    const unsigned long cr0_wp = 0x00010000UL;
    unsigned long cr0;

    __asm__ __volatile__ ("mov %%cr0, %0" : "=r" (cr0));

    /* Already writable: nothing to do. */
    if ((cr0 & cr0_wp) == 0)
        return;

    __asm__ __volatile__ ("mov %0, %%cr0" : : "r" (cr0 & ~cr0_wp));
}
  68.  
/*
 * Set CR0.WP (bit 16) again after disable_wp_protection(); a no-op when
 * the bit is already set.
 */
static void enable_wp_protection(void)
{
    const unsigned long cr0_wp = 0x00010000UL;
    unsigned long cr0;

    __asm__ __volatile__ ("mov %%cr0, %0" : "=r" (cr0));

    /* Protection already on: leave the register alone. */
    if ((cr0 & cr0_wp) != 0)
        return;

    __asm__ __volatile__ ("mov %0, %%cr0" : : "r" (cr0 | cr0_wp));
}
  79.  
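/*
 * Module entry: locate the syscall table, swap in hacked_sys_execve(), and
 * expose the module's attributes under /sys/kernel/pblock.
 *
 * Returns 0 on success or a negative errno.  Fixes relative to the original:
 *  - On any failure after the table slot has been replaced, the original
 *    entry is restored.  Module init returning an error unloads the module
 *    text, and a slot still pointing at hacked_sys_execve would send the
 *    next execve into unmapped memory.
 *  - A missing table reports -ENOENT instead of a bare -1 (which is -EPERM).
 *  - The table address is printed with %pK so it is subject to
 *    kptr_restrict rather than landing in dmesg for any reader.
 */
int pblock_init(void)
{
    int retval;

    /* Table lookup by scanning kernel memory; works in most cases. */
    sys_call_table = get_sys_call_table();
    if (!sys_call_table) {
        printk(KERN_INFO "request sys_call_table failed!\n");
        return -ENOENT;
    }

    printk(KERN_INFO "sys_call_table [%pK]\n", sys_call_table);

    /* Casts: the table holds data pointers, the kernel stores code pointers in it. */
    disable_wp_protection();
    orig_sys_execve = (void *)sys_call_table[__NR_execve];
    sys_call_table[__NR_execve] = (unsigned long *)hacked_sys_execve;
    enable_wp_protection();

    /* Create a kobject named "pblock" under kernel_kobj. */
    pblock_kobj = kobject_create_and_add("pblock", kernel_kobj);
    if (!pblock_kobj) {
        retval = -ENOMEM;
        goto err_unhook;
    }

    /* attr_group is defined elsewhere in the module (not on this page). */
    retval = sysfs_create_group(pblock_kobj, &attr_group);
    if (retval)
        goto err_kobj;

    return 0;

err_kobj:
    kobject_put(pblock_kobj);
    pblock_kobj = NULL;
err_unhook:
    disable_wp_protection();
    sys_call_table[__NR_execve] = (unsigned long *)orig_sys_execve;
    enable_wp_protection();
    return retval;
}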
  111.  
/*
 * Module exit: release the sysfs object and put the saved execve entry back
 * in the table.  Teardown runs in reverse order of pblock_init().
 *
 * NOTE(review): a task still executing inside hacked_sys_execve() when the
 * module text is freed is not guarded against here; confirm how the
 * surrounding project handles that.
 */
void pblock_exit(void)
{
    kobject_put(pblock_kobj);

    disable_wp_protection();
    sys_call_table[__NR_execve] = (unsigned long *)orig_sys_execve;
    enable_wp_protection();
}
  121.  
  122.  
/* Module entry/exit registration and licence tag (GPL is required for the kernel symbols used above). */
module_init(pblock_init);
module_exit(pblock_exit);
MODULE_LICENSE("GPL");