  1. #include <linux/module.h>
  2. #include <linux/kernel.h>
  3. #include <asm/unistd.h>
  4.  
  5. #include <linux/syscalls.h>
  6. #include <linux/kallsyms.h>
  7. #include <linux/slab.h> /* kmalloc() */
  8.  
  9.  
/*
 * Address of the kernel's syscall dispatch table.  Zero until pblock_init()
 * fills it in from get_sys_call_table(); file-scope and deliberately not
 * static (the original author left it visible to other translation units).
 */
unsigned long **sys_call_table;

/* sysfs kobject created in pblock_init() under kernel_kobj (/sys/kernel/pblock). */
static struct kobject *pblock_kobj;
  13.  
  14.  
/*
 * Per-user rule entry.  Nothing in the visible part of this file references
 * it, so the field meanings below are inferred from the names only.
 */
struct pblock_user_rule
{
	u_int uid;	/* presumably the numeric uid the rule applies to */
	int is_start;	/* presumably a flag; semantics not visible here */
	int is_stop;	/* presumably a flag; semantics not visible here */
};
  21.  
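/*
 * Rule set keyed by process name, presumably carrying a kernel list of
 * struct pblock_user_rule entries in `users_rule` (which end of the list
 * this is, head or node, is not visible here).  Nothing in the visible
 * part of this file uses it.
 *
 * Fix: the original declared `char* proc_name,` with a trailing comma,
 * which is a syntax error inside a struct body; it must be a semicolon.
 */
struct pblock_rules
{
	char *proc_name;
	struct list_head users_rule;
};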
  27.  
/*
 * Saved original execve table entry: captured in pblock_init() before the
 * table is patched and written back in pblock_exit().  Typed with the classic
 * three-argument execve signature.
 * NOTE(review): on kernels whose table entries take a struct pt_regs * this
 * prototype would not match the stored pointer — confirm against the target.
 */
asmlinkage long (*orig_sys_execve)(const char __user *filename, const char __user * const __user *argv, const char __user * const __user *envp);
  29.  
/*
 * Replacement execve entry that pblock_init() installs into sys_call_table.
 * Logs the calling task's uid/euid and the requested path at KERN_INFO and
 * then forwards every call unchanged to the saved original handler, so the
 * exec itself is never blocked or altered here.
 *
 * Every exec on the system produces one "user: N/N exec : path" line in the
 * kernel log, which is the most visible artefact of this hook.
 *
 * NOTE(review): `filename` is a __user pointer handed straight to printk's
 * %s, i.e. the kernel reads user memory directly; that is only valid on
 * configurations that permit it and is a fault otherwise.  cred->uid and
 * cred->euid are printed with %d; on kernels where these are kuid_t wrappers
 * that is a type mismatch.
 */
static asmlinkage long hacked_sys_execve(const char __user *filename, const char __user * const __user *argv, const char __user * const __user *envp)
{

	const struct cred *cred = current_cred();
	printk(KERN_INFO "user: %d/%d exec : %s\n", cred->uid, cred->euid, filename);

	return orig_sys_execve(filename, argv, envp);
}
  38.  
  39.  
/*
 * Locates sys_call_table by scanning kernel virtual memory one pointer at a
 * time, starting at PAGE_OFFSET, for a slot whose __NR_close entry holds the
 * address of sys_close.  Returns the candidate table address, or NULL if the
 * loop bound is reached.
 *
 * NOTE(review): every candidate address is dereferenced without any check
 * that it is mapped, so an unmapped region ahead of the table oopses the
 * kernel.  `offset` is unsigned long but the bound is ULLONG_MAX, so on a
 * 32-bit build the condition can never become false; the loop relies on a
 * match (or a fault) occurring first.  Comparing against sys_close also
 * assumes that symbol is visible to modules on the target kernel.
 */
static unsigned long **get_sys_call_table(void)
{
	unsigned long int offset = PAGE_OFFSET; /* 0xc0000000 by default (the 32-bit x86 value) */
	unsigned long **sct;

	while (offset < ULLONG_MAX) {
		sct = (unsigned long **) offset;

		/* Match on the __NR_close slot: it should point at sys_close. */
		if (sct[__NR_close] == (unsigned long *) sys_close)
			return sct;

		offset += sizeof(void *);
	}

	return NULL;
}
  56.  
  57.  
/*
 * Clears the WP flag (bit 16) in CR0 so ring-0 writes to read-only pages
 * are permitted; the callers use this around their writes into the syscall
 * table.  Returns early if WP is already clear.  x86-specific inline asm.
 *
 * NOTE(review): CR0 is per-CPU state, and nothing here pins the caller to
 * one CPU between this call and enable_wp_protection(); the disable/write/
 * enable sequence assumes it is not migrated in between.
 */
static void disable_wp_protection(void)
{
	unsigned long value;
	asm volatile ("mov %%cr0, %0":"=r" (value));

	if (!(value & 0x00010000))
		return;

	asm volatile ("mov %0, %%cr0"::"r" (value & ~0x00010000));
}
  68.  
/*
 * Sets the WP flag (bit 16) in CR0 again, restoring write protection of
 * read-only pages after disable_wp_protection().  Returns early if WP is
 * already set.  x86-specific inline asm; same per-CPU caveat as the
 * disable side.
 */
static void enable_wp_protection(void)
{
	unsigned long value;
	asm volatile ("mov %%cr0, %0":"=r" (value));

	if ((value & 0x00010000))
		return;

	asm volatile ("mov %0, %%cr0"::"r" (value | 0x00010000));
}
  79.  
/*
 * Module entry point: locates the syscall table, replaces its execve entry
 * with hacked_sys_execve, then creates a "pblock" kobject under /sys/kernel
 * and attaches the attribute group `attr_group` to it.
 *
 * Returns 0 on success, -1 if the table scan fails, -ENOMEM if the kobject
 * cannot be created, or the error from sysfs_create_group().
 *
 * NOTE(review): `attr_group` is not defined anywhere in this listing; it must
 * come from code outside what is shown.  If kobject or sysfs creation fails
 * after the table has already been patched, init returns an error with the
 * execve slot still pointing at hacked_sys_execve — nothing here rolls the
 * patch back, and a failed init means pblock_exit() is presumably never run.
 * "-1" is not an errno value.  The "%p" log line writes the table address to
 * the kernel log (hashed on kernels that hash %p).
 */
int pblock_init(void)
{
	int retval;

	/* Kernel-memory scan method; works in most cases (per the original author). */
	if (!(sys_call_table = get_sys_call_table())) {
		printk(KERN_INFO "request sys_call_table failed!\n");
		return -1;
	}

	printk(KERN_INFO "sys_call_table [%p]\n", sys_call_table);

	/* WP is cleared around the writes, presumably because the table is read-only. */
	disable_wp_protection();
	orig_sys_execve = sys_call_table[__NR_execve]; /* implicit unsigned long * -> function pointer */
	sys_call_table[__NR_execve] = hacked_sys_execve;
	enable_wp_protection();

	/*
	 * Create a kobject named "pblock" (under kernel_kobj, i.e. /sys/kernel).
	 */
	pblock_kobj = kobject_create_and_add("pblock", kernel_kobj);
	if (!pblock_kobj)
		return -ENOMEM;

	retval = sysfs_create_group(pblock_kobj, &attr_group);
	if (retval)
		kobject_put(pblock_kobj);

	return retval;

}
  111.  
/*
 * Module exit: writes the saved original execve entry back into the table
 * (clearing WP around the write) and drops the sysfs kobject.  Assumes
 * pblock_init() succeeded: a NULL sys_call_table would be dereferenced here.
 */
void pblock_exit(void)
{

	disable_wp_protection();
	sys_call_table[__NR_execve] = orig_sys_execve;
	enable_wp_protection();

	kobject_put(pblock_kobj);
}
  121.  
  122.  
/* Register the init/exit entry points; the GPL license tag grants access to GPL-only exported symbols. */
module_init(pblock_init);
module_exit(pblock_exit);
MODULE_LICENSE("GPL");