-rw-r--r--DNA/linux/LICENSE (renamed from DNA/LICENSE)0
-rw-r--r--DNA/linux/Makefile (renamed from DNA/Makefile)2
-rw-r--r--DNA/linux/README.md (renamed from DNA/README.md)0
-rw-r--r--DNA/linux/krebs.c (renamed from DNA/kernelroll.c)75
4 files changed, 62 insertions, 15 deletions
diff --git a/DNA/LICENSE b/DNA/linux/LICENSE
index 94a9ed02..94a9ed02 100644
--- a/DNA/LICENSE
+++ b/DNA/linux/LICENSE
diff --git a/DNA/Makefile b/DNA/linux/Makefile
index 0cae8c56..2ed4c9fb 100644
--- a/DNA/Makefile
+++ b/DNA/linux/Makefile
@@ -1,4 +1,4 @@
-obj-m += kernelroll.o
+obj-m += krebs.o
all:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD)
diff --git a/DNA/README.md b/DNA/linux/README.md
index 0b6885e2..0b6885e2 100644
--- a/DNA/README.md
+++ b/DNA/linux/README.md
diff --git a/DNA/kernelroll.c b/DNA/linux/krebs.c
index 8445129f..af640080 100644
--- a/DNA/kernelroll.c
+++ b/DNA/linux/krebs.c
@@ -31,9 +31,8 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Franz Pletz");
MODULE_DESCRIPTION("for teh lulz!");
-char *rollfile;
-void **sys_call_table = (void **)0xffffffff81400300; /* TODO: change */
-
+char *rollfile = NULL;
+unsigned long **sys_call_table = NULL;
module_param(rollfile, charp, 0000);
MODULE_PARM_DESC(rollfile, "music trolling file");
@@ -46,10 +45,11 @@ unsigned long **find_sys_call_table(void)
unsigned long **sctable;
unsigned long ptr;
+ unsigned long off = 0xc01010e8; // TODO module_param or magic
+ unsigned long max = 100000000; // TODO module_param or magic
+
sctable = NULL;
- for (ptr = (unsigned long)&amd_nb_misc_ids;
- ptr < (unsigned long)&overflowgid;
- ptr += sizeof(void *))
+ for (ptr = off; ptr < off + max; ptr += sizeof(void *))
{
unsigned long *p;
p = (unsigned long *)ptr;
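Review bot: The new scan bounds `off = 0xc01010e8` and `max = 100000000` are unexplained magic values, and the loop casts every address in that window to a pointer (`p = (unsigned long *)ptr`) with nothing visible in this hunk that checks the address is mapped. The constant looks like a 32-bit kernel address, so on any other build the first dereference in the loop body (which continues outside this hunk) would presumably fault and oops the machine at module load. Until the TODO is resolved, a comment such as `/* build-specific: valid only for the kernel image these values were taken from */` belongs on both lines. `max` would also read better with its unit (bytes) stated, since it is added to an address.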
@@ -62,29 +62,72 @@ unsigned long **find_sys_call_table(void)
return NULL;
}
+static char *patch(const char *path) {
+ const char *prefix = "/krebs"; // TODO module_param or magic
+ size_t prefix_len = strlen(prefix);
+ size_t path_len = strlen(path + 1);
+ char *newpath = kmalloc(prefix_len + path_len + 1, GFP_KERNEL);
+ memcpy(newpath, prefix, prefix_len);
+ memcpy(newpath + prefix_len, path + 1, path_len);
+ newpath[prefix_len + path_len] = '\0';
+ return newpath;
+}
+
+static void unpatch(char *path) {
+ kfree(path);
+}
+
+asmlinkage long (*o_chdir)(const char __user *filename);
+asmlinkage long my_chdir(const char __user *path)
+{
+ int r;
+
+ if (path[0] == '/' && path[1] == '/') {
+ rollfile = patch(path);
+
+ int len = strlen(rollfile) + 1;
+
+ void *buf = kmalloc(len, GFP_KERNEL);
+ memcpy(buf, path, len);
+ printk(KERN_INFO "chdir: patching %s with %s\n", path, rollfile);
+ memcpy((void *)path, rollfile, len);
+ r = o_chdir(path);
+ memcpy((void *)path, buf, len);
+ kfree(buf);
+
+ unpatch(rollfile);
+ rollfile = NULL;
+ } else {
+ r = o_chdir(path);
+ }
+
+ return r;
+}
asmlinkage int (*o_open)(const char *path, int oflag, mode_t mode);
asmlinkage int my_open(const char *path, int oflag, mode_t mode)
{
- int len = strlen(rollfile) + 1;
- char* p;
int r;
- p = (char *)(path + strlen(path) - 4);
+ if (path[0] == '/' && path[1] == '/') {
+ rollfile = patch(path);
+
+ int len = strlen(rollfile) + 1;
- if(rollfile != NULL && !strcmp(p, ".mp3")) {
void *buf = kmalloc(len, GFP_KERNEL);
memcpy(buf, path, len);
- printk(KERN_INFO "patching %s with %s\n", path, rollfile);
+ printk(KERN_INFO "open: patching %s with %s\n", path, rollfile);
memcpy((void *)path, rollfile, len);
r = o_open(path, oflag, mode);
memcpy((void *)path, buf, len);
kfree(buf);
+
+ unpatch(rollfile);
+ rollfile = NULL;
} else {
r = o_open(path, oflag, mode);
}
-
return r;
}
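Review bot: In both `my_chdir` and `my_open`, `len` is computed from the rewritten path (`strlen(rollfile) + 1`), which is longer than the caller's string because `patch()` replaces one leading `/` with `/krebs`. As a result `memcpy(buf, path, len)` reads past the caller's terminator, and `memcpy((void *)path, rollfile, len)` writes past it into whatever follows in the caller's memory. Both hooks also dereference the `__user` pointer directly (`path[0]`, and `strlen(path + 1)` inside `patch()`), so a bad pointer from userspace faults in kernel context; copying the string into a bounded kernel buffer with `strncpy_from_user()` and checking its return value would contain that. Neither `patch()` nor the `kmalloc(len, GFP_KERNEL)` calls check for NULL. The result is also parked in the global `rollfile`, which is still registered as a `module_param` and shared by every concurrent caller, so two tasks can overwrite or free each other's buffer; a local such as `char *newpath = patch(path); if (!newpath) return -ENOMEM;` removes both problems.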
@@ -109,7 +152,7 @@ void set_addr_ro(unsigned long addr) {
static int __init init_rickroll(void)
{
- //sys_call_table = find_sys_call_table();
+ sys_call_table = find_sys_call_table(); // TODO allow module_param
if(sys_call_table == NULL)
{
printk(KERN_ERR "Cannot find the system call address\n");
@@ -121,14 +164,18 @@ static int __init init_rickroll(void)
set_addr_rw((unsigned long)sys_call_table);
GPF_DISABLE;
- o_open = (int(*)(const char *, int, mode_t))(sys_call_table[__NR_open]);
+ o_open = (void *)sys_call_table[__NR_open];
sys_call_table[__NR_open] = (void *) my_open;
+ o_chdir = (void *)sys_call_table[__NR_chdir];
+ sys_call_table[__NR_chdir] = (void *) my_chdir;
+
return 0;
}
static void __exit exit_rickroll(void)
{
+ sys_call_table[__NR_chdir] = (void *) o_chdir;
sys_call_table[__NR_open] = (void *) o_open;
set_addr_ro((unsigned long)sys_call_table);