Created
November 3, 2019 03:53
-
-
Save shivaluma/dd74e7fef537b3e45163578ef37f49e3 to your computer and use it in GitHub Desktop.
asd
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <linux/module.h> /* Needed by all kernel modules */ | |
| #include <linux/kernel.h> /* Needed for loglevels (KERN_WARNING, KERN_EMERG, KERN_INFO, etc.) */ | |
| #include <linux/init.h> /* Needed for __init and __exit macros. */ | |
| #include <linux/moduleparam.h> | |
| #include <linux/unistd.h> /* sys_call_table __NR_* system call function indices */ | |
| #include <linux/fs.h> /* filp_open */ | |
| #include <linux/slab.h> /* kmalloc */ | |
| #include <asm/paravirt.h> /* write_cr0 */ | |
| #include <asm/uaccess.h> /* get_fs, set_fs */ | |
| #include <linux/utsname.h> | |
| #include <asm/cacheflush.h> | |
| #include <linux/semaphore.h> | |
| MODULE_LICENSE("GPL"); | |
| unsigned long *syscall_table = NULL; | |
| void (*pages_rw)(struct page *page, int numpages) = (void *) 0xffffffff810849b0; | |
| void (*pages_ro)(struct page *page, int numpages) = (void *) 0xffffffff81084940; | |
| asmlinkage int (*original_open)(const char *pathname, int flags, int mode); | |
| asmlinkage int new_open(const char *pathname, int flags, int mode){ | |
| // Print openning file | |
| printk(KERN_EMERG "Openning file:%s\n",pathname); | |
| return original_open(pathname, flags, mode); | |
| } | |
| static int __init moduleInit(void){ | |
| syscall_table = (void*) 0xffffffff82000280; | |
| struct page *sys_call_table_temp = virt_to_page(&syscall_table[__NR_open]); | |
| pages_rw(sys_call_table_temp, 1); | |
| printk(KERN_EMERG "Syscall table address: %p\n", syscall_table); | |
| if (syscall_table != NULL) { | |
| write_cr0 (read_cr0 () & (~ 0x10000)); | |
| original_open = (void *)syscall_table[__NR_open]; | |
| syscall_table[__NR_open] = new_open; | |
| write_cr0 (read_cr0 () | 0x10000); | |
| printk(KERN_EMERG "[+] onload: sys_call_table hooked\n"); | |
| } else { | |
| printk(KERN_EMERG "[-] onload: syscall_table is NULL\n"); | |
| } | |
| return 0; | |
| } | |
| static void __exit moduleClear(void){ | |
| if (syscall_table != NULL) { | |
| write_cr0 (read_cr0 () & (~ 0x10000)); | |
| struct page *sys_call_table_temp = virt_to_page(&syscall_table[__NR_open]); | |
| syscall_table[__NR_open] = original_open; | |
| pages_ro(sys_call_table_temp, 1); | |
| printk(KERN_EMERG "[+] onunload: sys_call_table unhooked\n"); | |
| write_cr0 (read_cr0 () | 0x10000); | |
| } else { | |
| printk(KERN_EMERG "[-] onunload: syscall_table is NULL\n"); | |
| } | |
| } | |
| module_init(moduleInit); | |
| module_exit(moduleClear); | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment