- #include <linux/module.h>
- #include <linux/kernel.h>
- #include <asm/unistd.h>
- #include <linux/syscalls.h>
- #include <linux/kallsyms.h>
- #include <linux/slab.h> /* kmalloc() */
/*
 * Address of the kernel's syscall table. NULL until pblock_init resolves it
 * by scanning kernel memory (see get_sys_call_table); every later access in
 * this file goes through this pointer. Non-static, so it is visible to other
 * translation units of the module.
 */
unsigned long **sys_call_table;
/* sysfs kobject "pblock" created under kernel_kobj in pblock_init and released in pblock_exit. */
static struct kobject *pblock_kobj;
/*
 * Per-user rule entry. Only the layout is visible in this listing: nothing
 * here allocates, links or reads these fields, so their exact meaning is not
 * established by the code shown.
 */
struct pblock_user_rule
{
	u_int uid;	/* presumably the numeric uid the rule applies to — verify against the sysfs handlers */
	int is_start;	/* flag; semantics not established by this listing */
	int is_stop;	/* flag; semantics not established by this listing */
};
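/*
 * Per-process rule: a process name plus the list of per-user rules that
 * apply to it. Nothing in this listing populates or walks the structure, so
 * ownership of proc_name (who allocates and frees it) is undefined here.
 *
 * Fix: the original terminated the proc_name member with ',' instead of ';',
 * which does not compile.
 */
struct pblock_rules
{
	char *proc_name;		/* process name the rule matches; ownership unspecified */
	struct list_head users_rule;	/* list head for per-user rules — NOTE(review): pblock_user_rule has no list_head member, so the entry type is unclear */
};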
/*
 * Saved original execve entry. Captured from sys_call_table[__NR_execve] in
 * pblock_init before the hook is installed, called from hacked_sys_execve,
 * and written back in pblock_exit.
 */
asmlinkage long (*orig_sys_execve)(const char __user *filename, const char __user * const __user *argv, const char __user * const __user *envp);
/*
 * Replacement execve entry installed into sys_call_table by pblock_init.
 * Logs the caller's uid/euid and the requested path at KERN_INFO, then
 * forwards the call unchanged to the saved original. As written it only
 * observes; no blocking decision is taken here.
 *
 * NOTE(review): `filename` is a __user pointer handed straight to printk's
 * "%s", so the kernel dereferences user memory without a bounded copy; that
 * is not a valid access pattern and can fault on configurations that forbid
 * direct kernel access to user pages. On kernels where cred->uid/euid are
 * kuid_t, "%d" is also a type mismatch. Left as-is in this review.
 */
static asmlinkage long hacked_sys_execve(const char __user *filename, const char __user * const __user *argv, const char __user * const __user *envp)
{
	const struct cred *cred = current_cred();
	printk(KERN_INFO "user: %d/%d exec : %s\n", cred->uid, cred->euid, filename);
	return orig_sys_execve(filename, argv, envp);
}
/*
 * Locate sys_call_table by brute-force scanning kernel memory: starting at
 * PAGE_OFFSET, treat each pointer-aligned address as a candidate table and
 * accept the first one whose __NR_close slot holds the address of sys_close.
 *
 * Returns the table address on a match; the NULL return is only reached if
 * the loop condition fails.
 *
 * NOTE(review): `offset < ULLONG_MAX` is true for every value an unsigned
 * long can hold on 32-bit, and for all but one value on 64-bit, so the scan
 * is effectively unbounded: it stops on a match or when it touches an
 * unmapped address (a fault, not a NULL return). Whether sys_close is
 * visible to a module also depends on the kernel version. Memory scans for a
 * writable syscall table are a well-known LKM-rootkit signature and are
 * exactly what kernel integrity checkers look for; lab-only technique.
 */
static unsigned long **get_sys_call_table(void)
{
	unsigned long int offset = PAGE_OFFSET; // 0xc0000000 by default
	unsigned long **sct;
	while (offset < ULLONG_MAX) {
		sct = (unsigned long **) offset;
		/* Probe: the close() slot of the real table points at sys_close. */
		if (sct[__NR_close] == (unsigned long *) sys_close)
			return sct;
		offset += sizeof(void *);
	}
	return NULL;
}
/*
 * Clear CR0.WP (bit 16) so that kernel-mode writes to read-only pages — here
 * the syscall table — are not trapped. Reads CR0 via inline asm, returns
 * early when the bit is already clear, otherwise writes CR0 back with the
 * bit masked off. x86-specific; not paired with preemption/interrupt
 * disabling, so the window is CPU-local and unsynchronised.
 *
 * NOTE(review): this bypasses the kernel's own CR0 accessors; newer kernels
 * pin CR0.WP and treat a cleared bit as an error — TODO confirm for the
 * target version. CR0.WP toggling from a module is a classic rootkit
 * indicator that detection tooling watches for.
 */
static void disable_wp_protection(void)
{
	unsigned long value;
	asm volatile ("mov %%cr0, %0":"=r" (value));
	if (!(value & 0x00010000))	/* WP already clear: nothing to do */
		return;
	asm volatile ("mov %0, %%cr0"::"r" (value & ~0x00010000));
}
/*
 * Counterpart of disable_wp_protection: set CR0.WP (bit 16) again so the
 * syscall table is read-only once more. Reads CR0 via inline asm, returns
 * early when the bit is already set, otherwise writes CR0 back with the bit
 * set. x86-specific.
 */
static void enable_wp_protection(void)
{
	unsigned long value;
	asm volatile ("mov %%cr0, %0":"=r" (value));
	if ((value & 0x00010000))	/* WP already set: nothing to do */
		return;
	asm volatile ("mov %0, %%cr0"::"r" (value | 0x00010000));
}
/*
 * Module entry point. Resolves sys_call_table, swaps the execve slot for
 * hacked_sys_execve (saving the original), then creates the "pblock" sysfs
 * kobject and its attribute group.
 *
 * Returns 0 on success, -1 if the table was not found, -ENOMEM if the
 * kobject could not be created, or the sysfs_create_group error code.
 *
 * NOTE(review): the hook is installed before the sysfs setup, but neither
 * failure path afterwards restores sys_call_table[__NR_execve]. A failed
 * init unloads the module, leaving the table pointing into freed memory;
 * the next execve would then jump to an invalid address. The -1 on a
 * failed scan is also not a -Exxx errno. `attr_group` is not defined in
 * this listing, and the function-pointer store into an unsigned long *
 * slot is done without a cast.
 */
int pblock_init(void)
{
	int retval;
	// Kernel-memory scanning approach; works in most cases.
	if (!(sys_call_table = get_sys_call_table())) {
		printk(KERN_INFO "request sys_call_table failed!\n");
		return -1;
	}
	printk(KERN_INFO "sys_call_table [%p]\n", sys_call_table);
	/* Table is read-only: drop WP only for the duration of the swap. */
	disable_wp_protection();
	orig_sys_execve = sys_call_table[__NR_execve];
	sys_call_table[__NR_execve] = hacked_sys_execve;
	enable_wp_protection();
	/*
	 * Create a kobject named "pblock"
	 */
	pblock_kobj = kobject_create_and_add("pblock", kernel_kobj);
	if (!pblock_kobj)
		return -ENOMEM;
	retval = sysfs_create_group(pblock_kobj, &attr_group);
	if (retval)
		kobject_put(pblock_kobj);
	return retval;
}
/*
 * Module exit: restore the original execve entry in sys_call_table (again
 * lowering WP only for the store) and release the sysfs kobject.
 *
 * NOTE(review): nothing waits for callers that are already executing inside
 * hacked_sys_execve; if one is in flight when the module text is freed, it
 * returns into unmapped memory — TODO confirm how the build handles this.
 * The function also assumes sys_call_table is non-NULL, which holds only
 * because a failed scan makes init fail before exit can run.
 */
void pblock_exit(void)
{
	disable_wp_protection();
	sys_call_table[__NR_execve] = orig_sys_execve;
	enable_wp_protection();
	kobject_put(pblock_kobj);
}
/* Register entry/exit points with the module loader and declare the licence. */
module_init(pblock_init);
module_exit(pblock_exit);
MODULE_LICENSE("GPL");