  1. #include <linux/module.h>
  2. #include <linux/printk.h>
  3. #include <linux/fs.h>
  4. #include <linux/sched.h>
  5. #include <asm/unistd.h>
  6. #include <asm/pgtable_types.h>
  7. #include <linux/highmem.h>
  8.  
  9. #include "hook_function_ptr.h"
  10.  
MODULE_LICENSE("GPL");
MODULE_AUTHOR("MicroMike");
/* NOTE(review): the description does not describe the module; the code below replaces the execve entry of sys_call_table. */
MODULE_DESCRIPTION("Hello World Module");


/*
 * sys_call_table address.
 *
 * Taken from a compile-time constant (SYS_CALL_TABLE_ADDR, presumably supplied by
 * hook_function_ptr.h) instead of being resolved on the running kernel, so the module
 * is tied to one exact kernel build. On any other build, or with address randomization,
 * the constant is wrong and the writes done through this pointer in test_init() land on
 * unrelated kernel memory.
 */
unsigned long *sys_call_table = SYS_CALL_TABLE_ADDR;


/*
 * Pointers to kernel-internal functions that are not exported to modules,
 * filled in from hard-coded addresses (same build-specific caveat as above).
 */
int (*real_do_execve)(const char *,
        const char __user *const __user *,
        const char __user *const __user *) = DO_EXECVE_ADDR;

/*
 * Note the parameter types: argv/envp are passed as struct user_arg_ptr by value,
 * not as raw user pointers. custom_do_execve() below does not respect this.
 */
int (*real_do_execve_common)(const char *,
            struct user_arg_ptr argv,
            struct user_arg_ptr envp) = DO_EXECVE_COMMON_ADDR;

void (*real_putname)(struct filename *name) = PUTNAME_ADDR;

/*
 * The original sys_execve entry, saved out of sys_call_table by test_init().
 * It has no initializer, so it is only valid once test_init() has run;
 * custom_execve() calls through it.
 */
asmlinkage int (*real_execve)(const char __user *,
            const char __user *const __user *,
            const char __user *const __user *);
  38.  
/*
 * Custom do_execve for the firefox process.
 *
 * The original author's intent (per the original comment) was to insert two new
 * arguments — a usermode monitor program — in front of the caller's arguments and
 * append the rest as the monitor's arguments. The body below does not do that:
 * it forwards filename/argv/envp unchanged to real_do_execve_common.
 *
 * NOTE(review): this does not compile as shown:
 *  - `result` is not declared in this function or anywhere else in this file
 *    (unless hook_function_ptr.h provides it);
 *  - real_do_execve_common is declared above with struct user_arg_ptr for argv/envp,
 *    but raw `const char __user *const __user *` pointers are passed here.
 *
 * @param filename  declared __user, but custom_execve() passes path->name, the
 *                  kernel-side copy obtained from getname()
 * @param __argv    user-space argument vector, forwarded untouched
 * @param __envp    user-space environment, forwarded untouched
 * @return whatever real_do_execve_common returns
 */
int custom_do_execve(const char __user *filename,
        const char __user *const __user *__argv,
        const char __user *const __user *__envp)
{
    /*
     * Placeholder left by the author for logging; nothing is logged here.
     */

    result = real_do_execve_common(filename, __argv, __envp);
    return result;

}
/*
 * Replacement for the sys_execve entry of sys_call_table (installed by test_init()).
 *
 * If the calling task's comm contains "firefox", the exec is routed through
 * custom_do_execve(); every other task goes straight to the saved real_execve.
 *
 * Review notes:
 *  - current->comm is the short name of the task *calling* execve, not of the program
 *    named by `filename`; this branch therefore fires when a process already called
 *    firefox execs something, not when firefox itself is launched.
 *  - strstr() is a substring match on comm, which is truncated to TASK_COMM_LEN-1 bytes
 *    and is not a verified identity of the binary; any task whose comm happens to
 *    contain "firefox" takes this path.
 *  - getname() copies the path from user space; on failure, PTR_ERR(path) is returned
 *    and custom_do_execve() is skipped. On success the kernel copy (path->name) is
 *    handed to custom_do_execve() and released with real_putname() afterwards.
 *  - Overwriting a sys_call_table slot is visible to integrity checks that compare each
 *    slot against the kernel's symbol table: this slot now points into module memory.
 *
 * @param filename  user-space path of the program to exec
 * @param argv      user-space argument vector
 * @param envp      user-space environment
 * @return error from getname(), the result of custom_do_execve(), or of real_execve()
 */
asmlinkage int custom_execve(const char __user *filename, const char __user *const __user *argv, const char __user *const __user *envp)
{
    /* Only the caller's comm is inspected, not the program being executed. */
    if( strstr(current->comm, "firefox")) {
        struct filename *path = getname(filename);
        int error = PTR_ERR(path);
        if (!IS_ERR(path)) {
            error = custom_do_execve(path->name, argv, envp);
            real_putname(path);
        }
        return error;
    }

    return real_execve(filename, argv, envp);
}
  74.  
/*
 * Set the writable bit in the PTE mapping `address`
 * (used by test_init()/test_exit() on the page holding sys_call_table).
 *
 * Review notes:
 *  - lookup_address() returns NULL when the address is not mapped; `pte` is dereferenced
 *    here without a check, so a wrong SYS_CALL_TABLE_ADDR oopses right here.
 *  - The test `pte->pte &~ _PAGE_RW` is true whenever any bit other than RW is set
 *    (e.g. the present bit), so it is effectively always true; the intended test was
 *    presumably `!(pte->pte & _PAGE_RW)`. Harmless in effect, since OR-ing the bit in
 *    again is a no-op.
 *  - The PTE is rewritten in place and no TLB flush is performed, so a stale read-only
 *    translation may remain cached for a while.
 *  - `level` is only the required out-parameter of lookup_address(); it is not examined,
 *    so a large-page mapping is handled the same as a 4K page — TODO confirm this is intended.
 *
 * @param address  kernel virtual address within the page to make writable
 * @return always 0; failures are not reported
 */
int make_rw(unsigned long address)
{
    unsigned int level;
    pte_t *pte = lookup_address(address, &level);
    if(pte->pte &~ _PAGE_RW)
        pte->pte |= _PAGE_RW;
    return 0;
}
  83.  
  84.  
/*
 * Clear the writable bit in the PTE mapping `address` — the inverse of make_rw().
 *
 * Review notes:
 *  - Same unchecked dereference of lookup_address()'s result as in make_rw(); NULL oopses.
 *  - The bit is cleared unconditionally, and again no TLB flush is performed after the
 *    PTE is rewritten in place.
 *  - Clears RW regardless of what the page's permission was before make_rw() ran; if the
 *    page was already writable, this leaves it read-only.
 *
 * @param address  kernel virtual address within the page to make read-only
 * @return always 0; failures are not reported
 */
int make_ro(unsigned long address)
{
    unsigned int level;
    pte_t *pte = lookup_address(address, &level);
    pte->pte = pte->pte & ~_PAGE_RW;
    return 0;
}
  92.  
  93.  
/*
 * Module init: replace the __NR_execve slot of sys_call_table with custom_execve.
 *
 * Sequence: make the page holding the table writable, save the current slot value into
 * real_execve, store custom_execve in the slot, make the page read-only again.
 *
 * Review notes:
 *  - The saved slot value is not validated before it is overwritten; if
 *    SYS_CALL_TABLE_ADDR does not match the running kernel, this overwrites an arbitrary
 *    kernel word and real_execve holds whatever was there.
 *  - make_rw()/make_ro() act on the page containing the table base only; the
 *    __NR_execve slot is assumed to lie in that same page — TODO confirm.
 *  - The slot is replaced with a plain store, with no synchronization against execve
 *    calls in flight on other CPUs; this relies on the store being atomic.
 *  - Always returns 0, so module load reports success even though nothing above
 *    is checked.
 *
 * @return always 0
 */
static int __init test_init(void)
{
    /* hook execve system call */
    make_rw((unsigned long)sys_call_table);
    real_execve = (int (*)(const char __user *,
                   const char __user *const __user *,
                   const char __user *const __user *))
    *(sys_call_table + __NR_execve);
    *(sys_call_table + __NR_execve) = (unsigned long)custom_execve;
    make_ro((unsigned long)sys_call_table);

    return 0;
}
  107.  
/*
 * Module exit: write the saved real_execve back into the __NR_execve slot.
 *
 * Review notes:
 *  - Nothing here waits for tasks that are still inside custom_execve() (or preempted
 *    in it) before the module's text is freed on unload; whether the module reference
 *    count covers that window is not visible in this file.
 *  - Inherits the unchecked lookup_address() result and missing TLB flush from
 *    make_rw()/make_ro().
 */
static void __exit test_exit(void)
{
    /* restore the original sys_execve entry */
    make_rw((unsigned long)sys_call_table);
    *(sys_call_table + __NR_execve) = (unsigned long)real_execve;
    make_ro((unsigned long)sys_call_table);
}
  115.  
  116.  
/* Register test_init()/test_exit() as the module's load and unload entry points. */
module_init(test_init);
module_exit(test_exit);