source: trunk/src/samhain_hide.c@ 427

Last change on this file since 427 was 331, checked in by katerina, 14 years ago

Fix for ticket #243: samhain_hide compile errors

[1]1/***************************************************************************
2 *
3 * Purpose:
4 * -------
5 * (1) Hide files with the string MAGIC_HIDE in filename,
6 * where MAGIC_HIDE is defined below.
7 * By default, MAGIC_HIDE is defined as "samhain".
8 *
9 * (2) Hide all processes, if the executable has the string MAGIC_HIDE
10 * in its name.
11 *
12 *
13 * Configuration:
14 * -------------
15 * If not building within the samhain system, you may remove the
16 * line '#include "config.h"' and in the line
17 * '#define MAGIC_HIDE SH_MAGIC_HIDE', replace SH_MAGIC_HIDE with
18 * "someString" (in quotes !).
19 */
20
21/* #define _(string) string */
22#include "config.h"
23
24#undef _
25#define _(string) string
26
27/* define if this is a 2.6 kernel */
28/* #define LINUX26 */
29
30#define MAGIC_HIDE SH_MAGIC_HIDE
31
32/* #define MAGIC_HIDE "someString" */
33
34/* define this if you have a modversioned kernel */
35/* #define MODVERSIONS */
36
37/* the address of the sys_call_table (not exported in 2.5 kernels) */
38#define MAGIC_ADDRESS SH_SYSCALLTABLE
39
40/*
41 * Install:
42 * -------
43 * gcc -Wall -O2 -c samhain_hide.c
44 * mv samhain_hide.o /lib/modules/KERNEL_VERSION/misc/
45 *
46 * (Replace KERNEL_VERSION with your kernel's version.)
47 *
48 * Usage:
49 * -----
50 * To load the module:
51 * insmod samhain_hide (for improved safety: 'sync && insmod samhain_hide')
52 *
[96]53 * Self-hiding can be switched off by passing the option
54 * 'removeme=0' to the module:
55 * insmod ./samhain_hide.ko removeme=0
56 *
57 * To unload the module (only possible if not hidden):
[1]58 * rmmod samhain_hide (for improved safety: 'sync && rmmod samhain_hide')
59 *
60 *
61 * Details:
62 * -------
63 * The following kernel syscalls are replaced:
64 * sys_getdents [hide files/directories/processes (/proc/PID)]
65 *
66 * Tested on:
67 * ---------
68 * Linux 2.2, 2.4, 2.6
69 *
70 * Copyright:
71 * ---------
72 * Copyright (C) 2001, 2002 Rainer Wichmann (http://la-samhna.de)
73 *
74 * License:
75 * -------
76 * This program is free software; you can redistribute it and/or modify
77 * it under the terms of the GNU General Public License, version 2, as
78 * published by the Free Software Foundation.
79 *
80 * This program is distributed in the hope that it will be useful,
81 * but WITHOUT ANY WARRANTY; without even the implied warranty of
82 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
83 * GNU General Public License for more details.
84 *
85 * You should have received a copy of the GNU General Public License
86 * along with this program; if not, write to the Free Software
87 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
88 *
89 ***************************************************************************/
90
91
92
93/*****************************************************
94 *
95 * The defines:
96 *
97 *****************************************************/
98
99/* This is a Linux Loadable Kernel Module.
100 */
101
102#ifndef LINUX26
103#define __KERNEL__
104#define MODULE
105#endif
106#define LINUX
107
108/* Define for debugging.
109 */
110/* #define HIDE_DEBUG */ /* query_module */
111/* #define FILE_DEBUG */ /* getdents */
112/* #define READ_DEBUG */ /* read */
113/* #define PROC_DEBUG */ /* procfs */
[331]114/* #define INIT_DEBUG */ /* module init */
[1]115
116/*****************************************************
117 *
118 * The include files:
119 *
120 *****************************************************/
121
122
123/* The configure options (#defines) for the Kernel
124 */
[327]125#define KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + (c))
[91]126/* 2.6.19 (((2) << 16) + ((6) << 8) + (19)) */
127#define SH_KERNEL_MIN 132627
128
[327]129#if SH_KERNEL_NUMERIC >= KERNEL_VERSION(2,6,33)
[331]130#include <generated/autoconf.h>
[327]131#else
132#if SH_KERNEL_NUMERIC >= KERNEL_VERSION(2,6,19)
[90]133#include <linux/autoconf.h>
134#else
[1]135#include <linux/config.h>
[90]136#endif
[327]137#endif
[1]138
139#ifndef LINUX26
140#ifdef CONFIG_MODVERSIONS
141#include <linux/modversions.h>
142#endif
143#endif
144
145
146#ifdef LINUX26
147#include <linux/init.h>
148#endif
149
150#include <linux/module.h>
151
152/* File tables structures. If directory caching is used,
153 * <linux/dcache.h> will be included here, and __LINUX_DCACHE_H
154 * will thus be defined.
155 */
156#include <linux/fs.h>
157#include <linux/proc_fs.h>
158
159/* Include the SYS_syscall defines.
160 */
161#ifndef LINUX26
162#include <sys/syscall.h>
163#else
164#define SYS_getdents 141
165#define SYS_getdents64 220
166#endif
167
168
169/* Includes for 'getdents' per the manpage.
170 */
171#include <linux/types.h>
172#include <linux/dirent.h>
173#include <linux/unistd.h>
174
175/* To access userspace memory.
176 */
177#include <asm/uaccess.h>
178
179/* Include for lock_kernel().
180 */
181#include <linux/smp_lock.h>
182
[91]183#if SH_KERNEL_NUMERIC >= SH_KERNEL_MIN
[90]184#include <linux/mutex.h>
185#endif
186
[1]187/* Include for fget().
188 */
189#include <linux/file.h>
[327]190#if SH_KERNEL_NUMERIC >= KERNEL_VERSION(2,6,26)
191#include <linux/fdtable.h>
192#endif
[1]193
194/*****************************************************
195 *
196 * The global variables:
197 *
198 *****************************************************/
199
/* The kernel syscall table. Not exported anymore in 2.5 ff., and also
 * not in the RedHat 2.4 kernel.
 */

#if 0
extern void * sys_call_table[];
#define sh_sys_call_table sys_call_table
#endif

/* Address of the syscall table, taken from the build configuration
 * (MAGIC_ADDRESS is SH_SYSCALLTABLE, see the defines at the top of the
 * file). It is indexed with SYS_getdents / SYS_getdents64 by the init
 * and cleanup functions below. Nothing here validates the address.
 */
unsigned long * sh_sys_call_table = (unsigned long *) MAGIC_ADDRESS;

/* The old address of the sys_getdents syscall.
 * Saved by the init function so that the cleanup function can restore
 * it; new_getdents calls the original through it. The record type in
 * the signature follows the kernel: struct dirent before 2.6.27, the
 * private struct linux_dirent declared below from 2.6.27 on.
 */
#if SH_KERNEL_NUMERIC < KERNEL_VERSION(2,6,27)
int (*old_getdents)(unsigned int, struct dirent *, unsigned int);
#else

/* One getdents record as written by the kernel, for kernels that no
 * longer expose struct dirent to modules. d_name[1] is the pre-C99 way
 * of declaring trailing variable-length data; d_reclen carries the
 * real record length and is what the walkers below advance by.
 */
struct linux_dirent {
  unsigned long d_ino;
  unsigned long d_off;
  unsigned short d_reclen;
  char d_name[1];
};

int (*old_getdents)(unsigned int, struct linux_dirent *, unsigned int);
#endif

/* The old address of the sys_getdents64 syscall, only when the kernel
 * provides __NR_getdents64. From 2.6.20 on (numeric 132628, see the
 * KERNEL_VERSION comment above) the pointer must be declared
 * 'asmlinkage' to match the kernel's calling convention.
 */
#ifdef __NR_getdents64
#if SH_KERNEL_NUMERIC >= 132628
/*
 * 'asmlinkage' is __required__ to get this to work.
 */
asmlinkage long (*old_getdents64)(unsigned int, struct linux_dirent64 __user *, unsigned int);
#else
long (*old_getdents64)(unsigned int, struct dirent64 *, unsigned int);
#endif
#endif

/* The substring that marks entries to hide (MAGIC_HIDE, by default
 * SH_MAGIC_HIDE from config.h). new_getdents / new_getdents64 match it
 * with strstr() against directory entry names and against task->comm
 * for /proc entries.
 */
char hidden[] = MAGIC_HIDE;
239
240
241/*****************************************************
242 *
243 * The functions:
244 *
245 *****************************************************/
246
247
MODULE_AUTHOR("Rainer Wichmann");
MODULE_DESCRIPTION("Hide files/processes/modules with MAGIC_HIDE in name.");
#if defined(MODULE_LICENSE) || defined(LINUX26)
MODULE_LICENSE("GPL");
#endif

#ifdef LINUX26
/* Module parameter 'removeme' (2.6 builds only).
 * 1 (default): samhain_hide_init unlinks this module from the kernel's
 *              module list, after which it cannot be unloaded (see the
 *              usage notes in the file header).
 * 0:           the module stays listed and can be removed with rmmod.
 */
static int removeme = 1;

/* Older 2.6 kernels still had the MODULE_PARM macro; newer ones use
 * module_param (0444 is the sysfs permission: read-only).
 */
#ifdef MODULE_PARM
MODULE_PARM (removeme, "i");
#else
module_param(removeme, int, 0444);
#endif

#ifdef MODULE_PARM_DESC
MODULE_PARM_DESC(removeme, "Choose zero for not hiding.");
#endif

/* LINUX26 */
#endif
271
272
[1]273/*
274 * struct task_struct is defined in linux/sched.h
275 *
276 * as of 2.4.20, the vanilla kernel holds (among others):
277 * struct task_struct *next_task, *prev_task;
278 *
279 * Redhat kernel seems to have a different scheduler.
280 * use:
281 * struct task_struct * find_task_by_pid (int pid);
282 */
283
#if defined(SH_VANILLA_KERNEL) && !defined(LINUX26)
/*
 * Fetch the task struct for a given PID.
 *
 * Vanilla pre-2.6 kernel: walk the circular task list, starting at
 * 'current' and following next_task, until we are back at 'current'.
 *
 * pid - process id to look up; my_atoi() hands in -1 for a /proc entry
 *       whose name is not numeric, which should match no real task.
 *
 * Returns the task_struct for 'pid', or NULL if no task has that pid.
 */
struct task_struct * fetch_task_struct (int pid)
{
  struct task_struct * task_ptr;

#ifdef PROC_DEBUG
  printk("FETCH TASK %d\n", pid);
#endif

  task_ptr = current;

  do
    {
      if (task_ptr->pid == (pid_t) pid )
        return (task_ptr);
      task_ptr = task_ptr->next_task;
    }
  while (task_ptr != current);

#ifdef PROC_DEBUG
  printk("FETCH TASK: NOT FOUND !!!\n");
#endif

  return (NULL);
}

#else
#if SH_KERNEL_NUMERIC < KERNEL_VERSION(2,6,25)
/* Non-vanilla or 2.6 kernel before 2.6.25: let the kernel do the lookup.
 * Returns whatever find_task_by_pid() returns (NULL when there is no
 * such task).
 */
struct task_struct * fetch_task_struct (int pid)
{
  struct task_struct * task_ptr = NULL;
  task_ptr = find_task_by_pid (pid);
  return (task_ptr);
}
#else
/* 2.6.25 and later: find_task_by_pid() is gone. Resolve the number to a
 * struct pid first (find_vpid looks it up relative to the caller's pid
 * namespace), then to the task owning it. Returns NULL if either step
 * finds nothing.
 */
struct task_struct * fetch_task_struct (int pid)
{
  struct task_struct * task_ptr = NULL;
  struct pid * task_pid = find_vpid(pid);
  if (task_pid)
    {
      task_ptr = pid_task (task_pid, PIDTYPE_PID);
    }
  return (task_ptr);
}
#endif
#endif
[1]334
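/* Convert a string to an int.
 * Does not recognize integers with a sign (+/-) in front.
 *
 * Parses the leading run of decimal digits of in_str (the callers hand
 * in /proc entry names, i.e. PIDs) and stops at the first non-digit;
 * whatever follows is ignored, so "12ab" yields 12. Leading zeroes need
 * no special case: 0 * 10 + digit is just digit.
 *
 * in_str - NUL-terminated string, may be NULL.
 *
 * Returns the parsed value, or -1 if in_str is NULL, if it does not
 * start with a digit, or if the digits do not fit into an int (the
 * previous version let the multiplication overflow, which is undefined
 * behaviour for signed int; the kernel headers already included
 * provide INT_MAX).
 */
int my_atoi(const char * in_str)
{
  int retval = 0;
  int conv   = 0;          /* number of digits consumed */
  size_t i;

  if (in_str == NULL)
    return (-1);

  for (i = 0; in_str[i] >= '0' && in_str[i] <= '9'; i++)
    {
      int digit = in_str[i] - '0';

      /* retval * 10 + digit must stay <= INT_MAX; refuse otherwise
       * instead of wrapping.
       */
      if (retval > (INT_MAX - digit) / 10)
        return (-1);

      retval = retval * 10 + digit;
      ++conv;
    }

  if (conv == 0)
    return (-1);
  else
    return (retval);
}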
373
/* Purpose:
 *
 * Hide all files/dirs that include the string MAGIC_HIDE in their
 * name.
 *
 * Replacement for sys_getdents. Calls the saved original
 * (old_getdents), copies the dirent table it produced into a kernel
 * buffer, removes every record whose name contains 'hidden' (or, when
 * the directory is /proc, whose task comm contains 'hidden'), copies
 * the compacted table back to user space and returns the new length.
 *
 * fd    - open directory descriptor, passed through to old_getdents.
 * dirp  - user-space buffer that receives the dirent records.
 * count - size of dirp in bytes, passed through to old_getdents.
 *
 * Returns old_getdents' result unchanged if it was <= 0 (end of
 * directory or error) or if the kernel buffer cannot be allocated;
 * otherwise the number of bytes left in dirp after hidden records were
 * removed.
 *
 * NOTE(review): the results of copy_from_user()/copy_to_user() are
 * only stored in 'dummy' and never checked, so a short copy leaves the
 * tail of dirp_new uninitialised before the loop walks it.
 * NOTE(review): fd_file is taken from the fd table without an
 * fget()/fput() reference and, in the files_fdtable() case, without an
 * rcu_read_lock() around rcu_dereference(); presumably lock_kernel()
 * above is relied on for this - confirm against the target kernel.
 */
#if SH_KERNEL_NUMERIC < KERNEL_VERSION(2,6,27)
int new_getdents (unsigned int fd, struct dirent *dirp, unsigned int count)
#else
int new_getdents (unsigned int fd, struct linux_dirent *dirp, unsigned int count)
#endif
{
  int status = 0;              /* Return value from original getdents */
  struct inode * dir_inode;
  struct file * fd_file;
  int dir_is_proc = 0;

#if SH_KERNEL_NUMERIC < KERNEL_VERSION(2,6,27)
  struct dirent * dirp_prev;
  struct dirent * dirp_new;
  struct dirent * dirp_current;
#else
  struct linux_dirent * dirp_prev;
  struct linux_dirent * dirp_new;
  struct linux_dirent * dirp_current;
#endif

  int dir_table_bytes;          /* bytes of the table not yet examined */
  int forward_bytes;            /* distance to the next record; 0 after a memmove */
  struct task_struct * task_ptr;
  int hide_it = 0;
  long dirp_offset;             /* d_off of the record being examined */

  unsigned long dummy;          /* receives copy_{from,to}_user results (unchecked) */

  lock_kernel();

  status = (*old_getdents)(fd, dirp, count);

#ifdef FILE_DEBUG
  printk("STATUS %d\n", status);
#endif

  /* 0: end of directory.
   * -1: some error
   */
  if (status <= 0)
    {
      unlock_kernel();
      return (status);
    }

  /* Handle directory caching. dir_inode is the inode of the directory.
   */
#if defined(files_fdtable)
  {
    struct fdtable *fdt = files_fdtable(current->files);
    fd_file = rcu_dereference(fdt->fd[fd]);
  }
#else
  {
    fd_file = current->files->fd[fd];
  }
#endif

#if defined(__LINUX_DCACHE_H)
  dir_inode = fd_file->f_dentry->d_inode;
#else
  dir_inode = fd_file->f_inode;
#endif

  /* Check for the /proc directory
   * (pre-2.6 additionally requires the device to be major 0 / minor 1,
   * presumably so that PROC_ROOT_INO on another filesystem does not
   * match).
   */
  if (dir_inode->i_ino == PROC_ROOT_INO
#ifndef LINUX26
      && !MAJOR(dir_inode->i_dev) &&
      MINOR(dir_inode->i_dev) == 1
#endif
      )
    dir_is_proc = 1;

  /* Allocate space for new dirent table. Can't use GFP_KERNEL
   * (kernel oops)
   * 'status' bytes is exactly what old_getdents wrote into dirp.
   */
#if SH_KERNEL_NUMERIC < KERNEL_VERSION(2,6,27)
  dirp_new = (struct dirent *) kmalloc (status, GFP_ATOMIC);
#else
  dirp_new = (struct linux_dirent *) kmalloc (status, GFP_ATOMIC);
#endif

  /* Out of memory: hand the unfiltered table through unchanged.
   */
  if (dirp_new == NULL)
    {
      unlock_kernel();
      return (status);
    }

  /* Copy the dirp table to kernel space.
   */
  dummy = (unsigned long) copy_from_user(dirp_new, dirp, status);

#ifdef FILE_DEBUG
  printk("COPY to kernel: %ld\n", dummy);
#endif

  /* Loop over the dirp table to find entries to hide.
   */
  dir_table_bytes = status;
  dirp_current = dirp_new;
  dirp_prev = NULL;

  while (dir_table_bytes > 0)
    {
      hide_it = 0;

      /* A zero record length would never advance; stop rather than spin.
       */
      if (dirp_current->d_reclen == 0)
        break;

      dirp_offset = dirp_current->d_off;

#ifdef FILE_DEBUG
      printk("DIRENT %d %d %ld\n",
             dir_table_bytes,
             dirp_current->d_reclen,
             dirp_current->d_off);
#endif

      dir_table_bytes -= dirp_current->d_reclen;
      forward_bytes = dirp_current->d_reclen;

#ifdef FILE_DEBUG
      printk("ENTRY %s\n", dirp_current->d_name);
#endif

      /* If /proc is scanned (e.g. by 'ps'), hide the entry for
       * any process where the executable has MAGIC_HIDE in its name.
       * (my_atoi returns -1 for non-numeric names such as "self", so
       * those never resolve to a task.)
       */
      if (dir_is_proc == 1)
        {
          task_ptr = fetch_task_struct(my_atoi(dirp_current->d_name));
          if (task_ptr != NULL)
            {
              if (strstr(task_ptr->comm, hidden) != NULL)
                hide_it = 1;
            }
        }
      /* If it is a regular directory, hide any entry with
       * MAGIC_HIDE in its name.
       */
      else
        {
          if (strstr (dirp_current->d_name, hidden) != NULL)
            hide_it = 1;
        }

      if (hide_it == 1)
        {
#ifdef FILE_DEBUG
          printk(" -->HIDDEN %s\n", dirp_current->d_name);
#endif
          /* Not the last record: shift the remainder of the table down
           * over it. dirp_current then already holds the next record.
           */
          if (dir_table_bytes > 0)
            {
              status -= dirp_current->d_reclen;
              memmove (dirp_current,
                       (char *) dirp_current + dirp_current->d_reclen,
                       dir_table_bytes);

              /* Set forward_bytes to 0, because now dirp_current is the
               * (previously) next entry in the dirp table.
               */
              forward_bytes = 0;
              dirp_prev = dirp_current;
            }
          /* Last record: drop it from the byte count and give the
           * previous surviving record its d_off (presumably so that a
           * following read resumes after the hidden entry).
           */
          else
            {
              status -= dirp_current->d_reclen;
              if (dirp_prev != NULL)
                dirp_prev->d_off = dirp_offset;
            }

        }
      else
        {
          dirp_prev = dirp_current;
          if (dir_table_bytes == 0 && dirp_prev != NULL)
            dirp_prev->d_off = dirp_offset;
        }

      /* Next entry in dirp table.
       */
#if SH_KERNEL_NUMERIC < KERNEL_VERSION(2,6,27)
      if (dir_table_bytes > 0)
        dirp_current = (struct dirent *) ( (char *) dirp_current +
                                           forward_bytes);
#else
      if (dir_table_bytes > 0)
        dirp_current = (struct linux_dirent *) ( (char *) dirp_current +
                                                 forward_bytes);
#endif
    }

  /* Copy our modified dirp table back to user space.
   * Only 'status' bytes are written; the caller's buffer beyond that is
   * left as old_getdents filled it.
   */
  dummy = (unsigned long) copy_to_user(dirp, dirp_new, status);
#ifdef FILE_DEBUG
  printk("COPY to user: %ld\n", dummy);
#endif

  kfree (dirp_new);
#ifdef FILE_DEBUG
  printk("KFREE\n");
#endif

  unlock_kernel();
  return (status);
}
588
[327]589
590
/* For 2.4 kernel and later - compiled whenever __NR_getdents64 exists.
 *
 * Replacement for sys_getdents64: the same algorithm as new_getdents
 * (call the saved original, copy the table into a kernel buffer, drop
 * records whose name - or, for /proc, whose task comm - contains
 * 'hidden', copy the compacted table back), with 64-bit dirent records
 * and a long return value.
 *
 * fd    - open directory descriptor, passed through to old_getdents64.
 * dirp  - user-space buffer that receives the dirent64 records.
 * count - size of dirp in bytes, passed through to old_getdents64.
 *
 * Returns old_getdents64's result unchanged if it was <= 0 or if the
 * kernel buffer cannot be allocated; otherwise the number of bytes left
 * in dirp after hidden records were removed.
 *
 * NOTE(review): as in new_getdents, the copy_from_user()/copy_to_user()
 * results go into 'dummy' and are never checked, and fd_file is used
 * without an fget()/fput() reference.
 */
#ifdef __NR_getdents64

#if SH_KERNEL_NUMERIC >= 132628
/*
 * 'asmlinkage' is __required__ to get this to work.
 */
asmlinkage long new_getdents64 (unsigned int fd, struct linux_dirent64 __user *dirp,
                                unsigned int count)
#else
long new_getdents64 (unsigned int fd, struct dirent64 *dirp, unsigned int count)
#endif
{
  long status = 0;             /* Return value from original getdents */
  struct inode * dir_inode;
  struct file * fd_file;
  int dir_is_proc = 0;

#if SH_KERNEL_NUMERIC < KERNEL_VERSION(2,6,27)
  struct dirent64 * dirp_prev;
  struct dirent64 * dirp_new;
  struct dirent64 * dirp_current;
#else
  struct linux_dirent64 * dirp_prev;
  struct linux_dirent64 * dirp_new;
  struct linux_dirent64 * dirp_current;
#endif

  int dir_table_bytes;          /* bytes of the table not yet examined */
  int forward_bytes;            /* distance to the next record; 0 after a memmove */
  struct task_struct * task_ptr;
  int hide_it = 0;
  __s64 dirp_offset;            /* d_off of the record being examined */

  unsigned long dummy;          /* receives copy_{from,to}_user results (unchecked) */

#ifdef FILE_DEBUG
  printk("FD64 %d\n", fd);
#endif

  lock_kernel();

#ifdef FILE_DEBUG
  if (!access_ok(VERIFY_WRITE, dirp, count))
    printk("ACCESS64_BAD\n");
  else
    printk("ACCESS64_OK\n");
#endif

  /* Both branches call the saved original; the #if only documents where
   * a direct call was once tried.
   */
#if SH_KERNEL_NUMERIC >= 132628
  status = (*old_getdents64)(fd, dirp, count);
  /* status = my_real_getdents64(fd, dirp, count); */
#else
  status = (*old_getdents64)(fd, dirp, count);
#endif

#ifdef FILE_DEBUG
  printk("STATUS64 %ld\n", status);
#endif

  /* 0: end of directory.
   * -1: some error
   */
  if (status <= 0)
    {
      unlock_kernel();
      return (status);
    }

  /* Handle directory caching. dir_inode is the inode of the directory.
   */
#if defined(files_fdtable)
  {
    struct fdtable *fdt = files_fdtable(current->files);
    fd_file = rcu_dereference(fdt->fd[fd]);
  }
#else
  {
    fd_file = current->files->fd[fd];
  }
#endif

#if defined(__LINUX_DCACHE_H)

/* 2.6.20 (((2) << 16) + ((6) << 8) + (20)): f_dentry became f_path.dentry */
#if SH_KERNEL_NUMERIC >= 132628
  dir_inode = fd_file->f_path.dentry->d_inode;
#else
  dir_inode = fd_file->f_dentry->d_inode;
#endif

#else
  dir_inode = fd_file->f_inode;
#endif

#ifdef FILE_DEBUG
  printk("INODE64\n");
#endif

  /* Check for the /proc directory
   */
  if (dir_inode->i_ino == PROC_ROOT_INO
#ifndef LINUX26
      && !MAJOR(dir_inode->i_dev) /* &&
      MINOR(dir_inode->i_dev) == 1 */
      /* MINOR commented out because of problems with 2.4.17 */
#endif
      )
    {
      dir_is_proc = 1;

#ifdef PROC_DEBUG
      printk("PROC_CHECK64\n");
#endif
    }

  /* Allocate space for new dirent table. Can't use GFP_KERNEL
   * (kernel oops)
   * 'status' bytes is exactly what old_getdents64 wrote into dirp.
   */
  dirp_new = kmalloc ((size_t)status, GFP_ATOMIC);

#ifdef FILE_DEBUG
  printk("KMALLOC64_0\n");
#endif

  /* Out of memory: hand the unfiltered table through unchanged.
   */
  if (dirp_new == NULL)
    {
      unlock_kernel();
      return (status);
    }

#ifdef FILE_DEBUG
  printk("KMALLOC64\n");
#endif

  /* Copy the dirp table to kernel space.
   */
  dummy = (unsigned long) copy_from_user(dirp_new, dirp, status);

#ifdef FILE_DEBUG
  printk("COPY64 to kernel: %ld\n", dummy);
#endif

  /* Loop over the dirp table to find entries to hide.
   */
  dir_table_bytes = status;
  dirp_current = dirp_new;
  dirp_prev = NULL;

  while (dir_table_bytes > 0)
    {
      hide_it = 0;

      /* A zero record length would never advance; stop rather than spin.
       */
      if (dirp_current->d_reclen == 0)
        break;

      dirp_offset = dirp_current->d_off;

#ifdef FILE_DEBUG
      printk("DIRENT %d %d %lld\n",
             dir_table_bytes,
             dirp_current->d_reclen,
             dirp_current->d_off);
#endif

      dir_table_bytes -= dirp_current->d_reclen;
      forward_bytes = dirp_current->d_reclen;

#ifdef FILE_DEBUG
      printk("ENTRY %s\n", dirp_current->d_name);
#endif

      /* If /proc is scanned (e.g. by 'ps'), hide the entry for
       * any process where the executable has MAGIC_HIDE in its name.
       * (my_atoi returns -1 for non-numeric names such as "self", so
       * those never resolve to a task.)
       */
      if (dir_is_proc == 1)
        {
#ifdef PROC_DEBUG
          printk("PROC %s\n", dirp_current->d_name);
#endif
          task_ptr = fetch_task_struct(my_atoi(dirp_current->d_name));
          if (task_ptr != NULL)
            {
#ifdef PROC_DEBUG
              printk("PROC %s <> %s\n", task_ptr->comm, hidden);
#endif
              if (strstr(task_ptr->comm, hidden) != NULL)
                hide_it = 1;
            }
        }
      /* If it is a regular directory, hide any entry with
       * MAGIC_HIDE in its name.
       */
      else
        {
          if (strstr (dirp_current->d_name, hidden) != NULL)
            hide_it = 1;
        }

      if (hide_it == 1)
        {
#ifdef FILE_DEBUG
          printk(" -->HIDDEN %s\n", dirp_current->d_name);
#endif
          /* Not the last record: shift the remainder of the table down
           * over it. dirp_current then already holds the next record.
           */
          if (dir_table_bytes > 0)
            {
              status -= dirp_current->d_reclen;
              memmove (dirp_current,
                       (char *) dirp_current + dirp_current->d_reclen,
                       dir_table_bytes);

              /* Set forward_bytes to 0, because now dirp_current is the
               * (previously) next entry in the dirp table.
               */
              forward_bytes = 0;
              dirp_prev = dirp_current;
            }
          /* Last record: drop it from the byte count and give the
           * previous surviving record its d_off (presumably so that a
           * following read resumes after the hidden entry).
           */
          else
            {
              status -= dirp_current->d_reclen;
              if (dirp_prev != NULL)
                dirp_prev->d_off = dirp_offset;
            }

        }
      else
        {
          dirp_prev = dirp_current;
          if (dir_table_bytes == 0 && dirp_prev != NULL)
            dirp_prev->d_off = dirp_offset;
        }

      /* Next entry in dirp table.
       */
#if SH_KERNEL_NUMERIC < KERNEL_VERSION(2,6,27)
      if (dir_table_bytes > 0)
        dirp_current = (struct dirent64 *) ( (char *) dirp_current +
                                             forward_bytes);
#else
      if (dir_table_bytes > 0)
        dirp_current = (struct linux_dirent64 *) ( (char *) dirp_current +
                                                   forward_bytes);
#endif
    }

  /* Copy our modified dirp table back to user space.
   * Only 'status' bytes are written; the caller's buffer beyond that is
   * left as old_getdents64 filled it.
   */
#ifdef FILE_DEBUG
  printk("STATUS64 AT END %ld\n", status);
#endif
  dummy = (unsigned long) copy_to_user(dirp, dirp_new, status);
#ifdef FILE_DEBUG
  printk("COPY64 to user: %ld\n", dummy);
#endif

  kfree (dirp_new);
  unlock_kernel();
  return (status);
}
#endif
852
#ifdef LINUX26
/* Look a module up by name in the kernel's module list (2.6 only).
 *
 * SH_LIST_MODULES is the address of the list head, supplied by the
 * build configuration because the list itself is not exported.
 *
 * name - exact module name to compare against mod->name with strcmp().
 *
 * Returns the matching struct module, or NULL if none is found. The
 * list is walked without any locking here; samhain_hide_init takes the
 * module mutex before calling it (on kernels >= SH_KERNEL_MIN).
 */
static struct module *sh_find_module(const char *name)
{
  struct module *mod;
  struct list_head * modules = (struct list_head *) SH_LIST_MODULES;

  list_for_each_entry(mod, modules, list) {
    if (strcmp(mod->name, name) == 0)
      return mod;
  }
  return NULL;
}
#endif
866
/* The initialisation function. Automatically called when module is inserted
 * via the 'insmod' command.
 *
 * Everything runs under lock_kernel():
 *  1. the current sys_getdents (and, if __NR_getdents64 exists,
 *     sys_getdents64) entries of the syscall table are saved in
 *     old_getdents / old_getdents64 and replaced with new_getdents /
 *     new_getdents64;
 *  2. (2.6 only) this module is looked up by name
 *     (SH_INSTALL_NAME"_hide") and, if removeme == 1, unlinked from the
 *     kernel's module list, under the module mutex and - where the
 *     build configured SH_MODLIST_LOCK - the modlist spinlock.
 *
 * Always returns 0; a failed module lookup (mod == NULL) is not treated
 * as an error. Once step 2 has unlinked the module it can no longer be
 * unloaded (see the usage notes in the file header).
 *
 * The INIT_DEBUG printk()s trace progress through the function and are
 * compiled out by default.
 */
#ifdef LINUX26
static int __init samhain_hide_init(void)
#else
int init_module(void)
#endif
{

#ifdef INIT_DEBUG
  printk("INIT 0\n");
#endif

  lock_kernel();

#ifdef INIT_DEBUG
  printk("INIT 1\n");
#endif

  /* Unfortunately this does not fully prevent the module from appearing
   * in /proc/ksyms.
   */
#ifndef LINUX26
  EXPORT_NO_SYMBOLS;
#endif

#ifdef INIT_DEBUG
  printk("INIT 1a (%d)\n", SYS_getdents);
#endif

  /* Replace the 'sys_getdents' syscall with the new version.
   * The old entry is kept so cleanup can put it back.
   */
  old_getdents = (void*) sh_sys_call_table[SYS_getdents];
#ifdef INIT_DEBUG
  printk("INIT 1b\n");
#endif
  sh_sys_call_table[SYS_getdents] = (unsigned long) new_getdents;

#ifdef INIT_DEBUG
  printk("INIT 2\n");
#endif

#ifdef __NR_getdents64
  old_getdents64 = (void*) sh_sys_call_table[SYS_getdents64];
  sh_sys_call_table[SYS_getdents64] = (unsigned long) new_getdents64;
#endif

#ifdef INIT_DEBUG
  printk("INIT 3\n");
#endif

#ifdef LINUX26
  {
#if defined(SH_MODLIST_LOCK)
    spinlock_t * modlist_lock = (spinlock_t * ) SH_MODLIST_LOCK;
#endif
    /* 2.6.30+ exports module_mutex; between 2.6.19 (SH_KERNEL_MIN) and
     * 2.6.30 its address comes from the build configuration instead.
     */
#if SH_KERNEL_NUMERIC >= KERNEL_VERSION(2,6,30)
    struct mutex * sh_module_mutex = &module_mutex;
#else
#if (SH_KERNEL_NUMERIC >= SH_KERNEL_MIN)
    struct mutex * sh_module_mutex = (struct mutex *) SH_MODLIST_MUTEX;
#endif
#endif

    struct module *mod;

#if SH_KERNEL_NUMERIC >= SH_KERNEL_MIN
#ifdef INIT_DEBUG
    printk("INIT 4 0\n");
#endif
    mutex_lock(sh_module_mutex);
#endif

#ifdef INIT_DEBUG
    printk("INIT 4 1\n");
#endif

    mod = sh_find_module(SH_INSTALL_NAME"_hide");

#ifdef INIT_DEBUG
    printk("INIT 4 2 (%d)\n", mod == 0 ? 0 : 1);
#endif

    if (mod) {
      /* Delete from various lists */
#if defined(SH_MODLIST_LOCK)
#ifdef INIT_DEBUG
      printk("INIT 4 3a\n");
#endif
      spin_lock_irq(modlist_lock);
#ifdef INIT_DEBUG
      printk("INIT 4 3b\n");
#endif
#endif
      /* removeme is the module parameter; 0 leaves the module listed.
       */
      if (removeme == 1)
        {
#ifdef INIT_DEBUG
          printk("INIT 4 4a\n");
#endif
          list_del(&mod->list);
#ifdef INIT_DEBUG
          printk("INIT 4 4b\n");
#endif
        }
#if defined(SH_MODLIST_LOCK)
#ifdef INIT_DEBUG
      printk("INIT 4 5a\n");
#endif
      spin_unlock_irq(modlist_lock);
#ifdef INIT_DEBUG
      printk("INIT 4 5b\n");
#endif
#endif
    }

#if SH_KERNEL_NUMERIC >= SH_KERNEL_MIN
#ifdef INIT_DEBUG
    printk("INIT 4 6a\n");
#endif
    mutex_unlock(sh_module_mutex);
#ifdef INIT_DEBUG
    printk("INIT 4 6b\n");
#endif
#endif
  }
#endif

#ifdef INIT_DEBUG
  printk("INIT 4 7a\n");
#endif
  unlock_kernel();
#ifdef INIT_DEBUG
  printk("INIT 4 7b\n");
#endif
  return (0);
}
1004
/* The cleanup function. Automatically called when module is removed
 * via the 'rmmod' command.
 *
 * Writes the entries saved by the init function (old_getdents and, if
 * present, old_getdents64) back into the syscall table, under
 * lock_kernel(). The module-list unlinking done at init is not undone
 * here: per the usage notes in the file header, rmmod only works when
 * the module was loaded with removeme=0.
 */
#ifdef LINUX26
static void __exit samhain_hide_cleanup(void)
#else
void cleanup_module(void)
#endif
{
  lock_kernel();

  /* Restore the new syscalls to the original version.
   */
  sh_sys_call_table[SYS_getdents] = (unsigned long) old_getdents;

#ifdef __NR_getdents64
  sh_sys_call_table[SYS_getdents64] = (unsigned long) old_getdents64;
#endif

  unlock_kernel();
}
1026
#ifdef LINUX26
/* Register the 2.6 entry points. The pre-2.6 build instead defines the
 * init_module / cleanup_module names above directly.
 */
module_init(samhain_hide_init);
module_exit(samhain_hide_cleanup);
#endif
1031
1032