#include <linux/init.h>
#include <linux/module.h>
#include <linux/syscalls.h>
#include <linux/string.h>
#include <linux/skbuff.h>
#include <linux/init.h>
MODULE_DESCRIPTION("hook execve");
MODULE_LICENSE("GPL");
#define DPKG_CMD "/usr/bin/dpkg"
typedef asmlinkage long (*m_sys_call_ptr_t)(const struct pt_regs *);
static m_sys_call_ptr_t *psys_call_table;
m_sys_call_ptr_t old_execve ;
//关闭内存写保护
void disable_write_protect(void) { write_cr0(read_cr0() & (~0x10000)); }
// 开启内存写保护
void enable_write_protect(void) { write_cr0(read_cr0() | 0x10000); }
static bool get_user_cmdline(const char __user *const __user *argv, char* cmdline, int cmd_len)
{
if(unlikely(argv==NULL||cmdline==NULL||cmd_len<=0))
return false;
memset(cmdline, 0, cmd_len);
int i=0, offset=0;
if(argv != NULL)
{
for(;i<0x7fffffff;)
{
const char __user *p;
int ret = get_user(p, argv+i);
if(ret || !p || IS_ERR(p))
{
break;
}
char tmp[NAME_MAX]={0};
ret = copy_from_user(tmp,p,NAME_MAX);
if(ret<256)
{
int tmp_len = strlen(tmp);
if(offset+1+tmp_len > cmd_len)
{
printk("[err] %s. too much args",__FUNCTION__);
break;
}
strncpy(cmdline+offset, tmp, tmp_len);
offset += tmp_len;
cmdline[offset]=' ';
offset++;
}
else
{
printk("[err] %s. copy_from_user failed. ret:%d.\n",__FUNCTION__, ret);
}
++i;
}
}
if(cmdline[offset-1]==' ')
cmdline[offset-1]=0;
return true;
}
asmlinkage long HookGetExecves(const struct pt_regs * regs)
{
char __user *filename = (char *)regs->di;
char user_filename[NAME_MAX] = {0};
long copied = strncpy_from_user(user_filename,filename,NAME_MAX);
//printk("%s %s %d %d\n",__func__,user_filename,copied, NAME_MAX);
if((strcasecmp(user_filename,DPKG_CMD)==0))
{
const char * const *argv = (const char *const *)regs->si;
get_user_cmdline(argv, user_filename, NAME_MAX); // 解析出命令行
printk("====%s=====\n",user_filename);
return -1;
}
return old_execve(regs);
}
static int __init knStSoftPloyInit(void)
{
// Gets Syscall Table **
psys_call_table = (m_sys_call_ptr_t *)kallsyms_lookup_name("sys_call_table");
disable_write_protect();
old_execve = psys_call_table[__NR_execve];
psys_call_table[__NR_execve] = HookGetExecves;
enable_write_protect();
printk("hook execv success");
return 0;
}
static void __exit knStSoftPloyExit(void)
{
disable_write_protect();
psys_call_table[__NR_execve] = old_execve;
enable_write_protect();
printk("clear the execve hooks and exit");
}
module_init(knStSoftPloyInit);
module_exit(knStSoftPloyExit);
