2008 May 16th Friday (五月 十六日 金曜日)
To hack a system call.
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/kernel.h>
#include <linux/unistd.h>
#include <linux/sched.h>
#include <asm/uaccess.h>
/*
* The system call table (a table of functions). We
* just define this as external, and the kernel will
* fill it up for us when we are insmod'ed
*
* sys_call_table is no longer exported in 2.6.x kernels.
* If you really want to try this DANGEROUS module you will
* have to apply the supplied patch against your current kernel
* and recompile it.
*
* NOTE(review): this file writes to the table with plain stores and no
* locking; whether the page holding it is writable at all depends on the
* kernel build (later kernels map it read-only) — confirm for your target.
*/
extern void *sys_call_table[];
/*
* UID we want to spy on - will be filled from the
* command line. The 0644 permission also exposes it (root-writable)
* under /sys/module/<name>/parameters/uid.
*/
static int uid;
module_param(uid,int,0644);
/*
* A pointer to the original system call. The reason
* we keep this, rather than call the original function
* (sys_open), is because somebody else might have
* replaced the system call before us. Note that this
* is not 100% safe, because if another module
* replaced sys_open before us, then when we're inserted
* we'll call the function in that module - and it
* might be removed before we are.
*
* Another reason for this is that we can't get sys_open.
* It's a static variable, so it is not exported.
*
* Prototype must match the kernel's sys_open (see fs/open.c);
* a mismatch here is silently wrong, not a compile error.
*/
asmlinkage int(*original_call)(const char*,int,int);
/*
* The function we'll replace sys_open (the function
* called when you call the open system call) with. To
* find the exact prototype, with the number and type
* of arguments, we find the original function first
* (it's at fs/open.c).
*
* In theory, this means that we're tied to the
* current version of the kernel. In practice, the
* system calls almost never change (it would wreak havoc
* and require programs to be recompiled, since the system
* calls are the interface between the kernel and the
* processes).
*/
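/*
 * Replacement for sys_open: when the caller's uid matches the `uid`
 * parameter, logs the path being opened, then forwards the call to the
 * saved original handler.
 *
 * @filename  user-space pointer to a NUL-terminated path. It is untrusted
 *            and may fault at any byte, so it is only read via get_user().
 * @flags     open(2) flags, passed through untouched.
 * @mode      open(2) mode, passed through untouched.
 * Returns whatever the original handler returns.
 *
 * NOTE(review): `current->uid` is the task's uid field in this kernel
 * generation; later kernels replaced it with credential accessors — confirm
 * for your target. `uid` is a signed int compared against it.
 */
asmlinkage int our_sys_open(const char *filename, int flags, int mode)
{
	/*
	 * Check if this is the user we're spying on
	 */
	if (uid == current->uid) {
		/*
		 * Report the file, if relevant. The walk is capped so a path
		 * that is never NUL-terminated cannot keep us spinning; the
		 * original handler still does the real validation of the path.
		 */
		enum { REPORT_LIMIT = 4096 };
		int i;
		char ch;

		printk("Opened file by%d:", uid);
		for (i = 0; i < REPORT_LIMIT; i++) {
			/*
			 * get_user() returns non-zero when the user page faults;
			 * stop there rather than print whatever is left in ch.
			 * Stop before printing the terminator, too — the old loop
			 * emitted the NUL byte itself into the log.
			 */
			if (get_user(ch, filename + i) != 0)
				break;
			if (ch == 0)
				break;
			printk("%c", ch);
		}
		printk("\n");
	}
	/*
	 * Call the original sys_open - otherwise we lose
	 * the ability to open files
	 */
	return original_call(filename, flags, mode);
}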
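/*
 * Module entry point: save the current open() handler in original_call
 * and install our_sys_open in its place. Always returns 0.
 *
 * NOTE(review): the two table accesses are plain, unsynchronized stores;
 * an open() running concurrently on another CPU may see either handler.
 * Whether the table page is writable depends on the kernel build — confirm.
 */
int init_module(void)
{
	/*
	 * Warning - too late for it now, but maybe for
	 * next time...
	 */
	/* The page's "/n" and "/\"" were broken escapes; one printk per log
	 * line also keeps the words from running together ("did async"). */
	printk("I'm dangerous. I hope you did a sync before you insmod'ed me.\n");
	printk("My counterpart, cleanup_module(), is even more dangerous. If\n");
	printk("you value your file system, it will be \"sync; rmmod\" \n");
	printk("when you remove this module.\n");
	/*
	 * Keep a pointer to the original function in
	 * original_call, and then replace the system call
	 * in the system call table with our_sys_open
	 */
	original_call = sys_call_table[__NR_open];
	sys_call_table[__NR_open] = our_sys_open;
	/*
	 * To get the address of the function for system
	 * call foo, go to sys_call_table[__NR_foo].
	 */
	printk("Spying on UID:%d\n", uid);
	return 0;
}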
/*
* Cleanup - unregister the appropriate file from /proc
*/
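/*
 * Module exit: put the saved open() handler back into the table.
 *
 * If another module hooked the entry after us, the table is still reset to
 * OUR saved pointer, which silently drops that later hook — hence the
 * warning. NOTE(review): nothing here waits for threads that are still
 * inside our_sys_open, so unloading while one is in flight is unsafe; the
 * original code has the same limitation.
 */
void cleanup_module(void)
{
	/*
	 * Return the system call back to normal
	 */
	if (sys_call_table[__NR_open] != our_sys_open) {
		/* "/n" on the page was a broken "\n"; merged so the
		 * message reads as two lines rather than four fragments. */
		printk("Somebody else also played with the open system call\n");
		printk("The system may be left in an unstable state.\n");
	}
	sys_call_table[__NR_open] = original_call;
}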
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/kernel.h>
#include <linux/unistd.h>
#include <linux/sched.h>
#include <asm/uaccess.h>
/*
* The system call table (a table of functions). We
* just define this as external, and the kernel will
* fill it up for us when we are insmod'ed
*
* sys_call_table is no longer exported in 2.6.x kernels.
* If you really want to try this DANGEROUS module you will
* have to apply the supplied patch against your current kernel
* and recompile it.
*
* NOTE(review): this file writes to the table with plain stores and no
* locking; whether the page holding it is writable at all depends on the
* kernel build (later kernels map it read-only) — confirm for your target.
*/
extern void *sys_call_table[];
/*
* UID we want to spy on - will be filled from the
* command line. The 0644 permission also exposes it (root-writable)
* under /sys/module/<name>/parameters/uid.
*/
static int uid;
module_param(uid,int,0644);
/*
* A pointer to the original system call. The reason
* we keep this, rather than call the original function
* (sys_open), is because somebody else might have
* replaced the system call before us. Note that this
* is not 100% safe, because if another module
* replaced sys_open before us, then when we're inserted
* we'll call the function in that module - and it
* might be removed before we are.
*
* Another reason for this is that we can't get sys_open.
* It's a static variable, so it is not exported.
*
* Prototype must match the kernel's sys_open (see fs/open.c);
* a mismatch here is silently wrong, not a compile error.
*/
asmlinkage int(*original_call)(const char*,int,int);
/*
* The function we'll replace sys_open (the function
* called when you call the open system call) with. To
* find the exact prototype, with the number and type
* of arguments, we find the original function first
* (it's at fs/open.c).
*
* In theory, this means that we're tied to the
* current version of the kernel. In practice, the
* system calls almost never change (it would wreak havoc
* and require programs to be recompiled, since the system
* calls are the interface between the kernel and the
* processes).
*/
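/*
 * Replacement for sys_open: when the caller's uid matches the `uid`
 * parameter, logs the path being opened, then forwards the call to the
 * saved original handler.
 *
 * @filename  user-space pointer to a NUL-terminated path. It is untrusted
 *            and may fault at any byte, so it is only read via get_user().
 * @flags     open(2) flags, passed through untouched.
 * @mode      open(2) mode, passed through untouched.
 * Returns whatever the original handler returns.
 *
 * NOTE(review): `current->uid` is the task's uid field in this kernel
 * generation; later kernels replaced it with credential accessors — confirm
 * for your target. `uid` is a signed int compared against it.
 */
asmlinkage int our_sys_open(const char *filename, int flags, int mode)
{
	/*
	 * Check if this is the user we're spying on
	 */
	if (uid == current->uid) {
		/*
		 * Report the file, if relevant. The walk is capped so a path
		 * that is never NUL-terminated cannot keep us spinning; the
		 * original handler still does the real validation of the path.
		 */
		enum { REPORT_LIMIT = 4096 };
		int i;
		char ch;

		printk("Opened file by%d:", uid);
		for (i = 0; i < REPORT_LIMIT; i++) {
			/*
			 * get_user() returns non-zero when the user page faults;
			 * stop there rather than print whatever is left in ch.
			 * Stop before printing the terminator, too — the old loop
			 * emitted the NUL byte itself into the log.
			 */
			if (get_user(ch, filename + i) != 0)
				break;
			if (ch == 0)
				break;
			printk("%c", ch);
		}
		printk("\n");
	}
	/*
	 * Call the original sys_open - otherwise we lose
	 * the ability to open files
	 */
	return original_call(filename, flags, mode);
}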
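/*
 * Module entry point: save the current open() handler in original_call
 * and install our_sys_open in its place. Always returns 0.
 *
 * NOTE(review): the two table accesses are plain, unsynchronized stores;
 * an open() running concurrently on another CPU may see either handler.
 * Whether the table page is writable depends on the kernel build — confirm.
 */
int init_module(void)
{
	/*
	 * Warning - too late for it now, but maybe for
	 * next time...
	 */
	/* The page's "/n" and "/\"" were broken escapes; one printk per log
	 * line also keeps the words from running together ("did async"). */
	printk("I'm dangerous. I hope you did a sync before you insmod'ed me.\n");
	printk("My counterpart, cleanup_module(), is even more dangerous. If\n");
	printk("you value your file system, it will be \"sync; rmmod\" \n");
	printk("when you remove this module.\n");
	/*
	 * Keep a pointer to the original function in
	 * original_call, and then replace the system call
	 * in the system call table with our_sys_open
	 */
	original_call = sys_call_table[__NR_open];
	sys_call_table[__NR_open] = our_sys_open;
	/*
	 * To get the address of the function for system
	 * call foo, go to sys_call_table[__NR_foo].
	 */
	printk("Spying on UID:%d\n", uid);
	return 0;
}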
/*
* Cleanup - unregister the appropriate file from /proc
*/
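/*
 * Module exit: put the saved open() handler back into the table.
 *
 * If another module hooked the entry after us, the table is still reset to
 * OUR saved pointer, which silently drops that later hook — hence the
 * warning. NOTE(review): nothing here waits for threads that are still
 * inside our_sys_open, so unloading while one is in flight is unsafe; the
 * original code has the same limitation.
 */
void cleanup_module(void)
{
	/*
	 * Return the system call back to normal
	 */
	if (sys_call_table[__NR_open] != our_sys_open) {
		/* "/n" on the page was a broken "\n"; merged so the
		 * message reads as two lines rather than four fragments. */
		printk("Somebody else also played with the open system call\n");
		printk("The system may be left in an unstable state.\n");
	}
	sys_call_table[__NR_open] = original_call;
}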