Makefile more flexible; fix a few bugs; optionally naively hide module
This commit is contained in:
parent
376b292c57
commit
7a81544ac0
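--- a/osquery/core/linux/kernel/camb/hide.c
+++ b/osquery/core/linux/kernel/camb/hide.c
@@ -0,0 +1,24 @@
+#include <linux/module.h>
+
+#include "hide.h"
+
+extern char *module_str;
+
+void rm_mod_from_list(void) {
+THIS_MODULE->list.next->prev = THIS_MODULE->list.prev;
+THIS_MODULE->list.prev->next = THIS_MODULE->list.next;
+}
+
+void rm_mod_from_sysfs(void) {
+kobject_del(THIS_MODULE->holders_dir->parent);
+}
+
+void rm_mod_from_ddebug_tables(void) {
+ddebug_remove_module(module_str);
+}
+
+void hide_me(void) {
+rm_mod_from_list();
+rm_mod_from_sysfs();
+rm_mod_from_ddebug_tables();
+}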
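Review bot: `rm_mod_from_list` rewrites the neighbours' `prev`/`next` pointers without holding `module_mutex` and leaves `THIS_MODULE->list.next`/`.prev` still pointing at those neighbours, so a concurrent walk of the module list or the `list_del` the core performs on unload operates on a stale node and can corrupt the list or oops; `mutex_lock(&module_mutex); list_del_init(&THIS_MODULE->list); mutex_unlock(&module_mutex);` keeps the node self-consistent (the mutex is GPL-exported, so the module licence has to allow it). There is no inverse operation, so `hide.h` should state that after `hide_me()` the module is absent from `lsmod`/`/proc/modules` and will most likely not unload cleanly, which matters for an integrity monitor that the host's own tooling is expected to account for. `rm_mod_from_sysfs` dereferences `THIS_MODULE->holders_dir` with no NULL check, and I believe the module's own sysfs teardown will later touch the kobject deleted here. `extern char *module_str;` must match the definition in main.c, which that hunk declares as `const char *`; conflicting declarations of one object across translation units are undefined behaviour, so declare it once in `hide.h` with the correct qualifier.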
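--- a/osquery/core/linux/kernel/camb/hide.h
+++ b/osquery/core/linux/kernel/camb/hide.h
@@ -0,0 +1,4 @@
+void rm_mod_from_list(void);
+void rm_mod_from_sysfs(void);
+void rm_mod_from_ddebug_tables(void);
+void hide_me(void);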
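Review bot: The header has no include guard and relies on every translation unit including it exactly once; wrap the declarations in `#ifndef CAMB_HIDE_H` / `#define CAMB_HIDE_H` with `#endif` at the end. Each prototype should also carry a one-line comment, since none of these operations is reversible, e.g. `/* Unlink THIS_MODULE from the global module list; not reversible. */` above `rm_mod_from_list` and `/* Runs all of the above; the module will no longer show in lsmod. */` above `hide_me`.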
@ -1,5 +1,47 @@
|
||||
obj-m += camb.o
|
||||
camb-objs += main.o hash.o sysfs.o
|
||||
camb-objs += main.o sysfs.o hash.o
|
||||
|
||||
# We need headers to build against a specific kernel version
|
||||
ifndef KDIR
|
||||
KDIR = /lib/modules/$(shell uname -r)/build
|
||||
# @echo "Using default kernel directory: ${KDIR}"
|
||||
endif
|
||||
|
||||
# If user specifies a System.map, get addresses from there
|
||||
ifdef SMAP
|
||||
OPTS += -DTEXT_SEGMENT_START="0x$(shell grep '\s\+T\s\+_stext\b' ${SMAP} | cut -f1 -d' ')"
|
||||
OPTS += -DTEXT_SEGMENT_END="0x$(shell grep '\s\+T\s\+_etext\b' ${SMAP} | cut -f1 -d' ')"
|
||||
OPTS += -DSYSCALL_BASE_ADDR="0x$(shell grep '\s\+R\s\+sys_call_table\b' ${SMAP} | cut -f1 -d' ')"
|
||||
|
||||
# Otherwise, they must be present on the build line
|
||||
else
|
||||
OPTS += -DTEXT_SEGMENT_START="${TEXT_SEGMENT_START}"
|
||||
OPTS += -DTEXT_SEGMENT_END="${TEXT_SEGMENT_END}"
|
||||
OPTS += -DSYSCALL_BASE_ADDR="${SYSCALL_BASE_ADDR}"
|
||||
endif
|
||||
|
||||
ifdef HIDE_ME
|
||||
OPTS += -D_HIDE_ME
|
||||
camb-objs += hide.o
|
||||
endif
|
||||
|
||||
all:
|
||||
$(MAKE) -C /lib/modules/$(shell uname -r)/build M=$(shell pwd) modules
|
||||
|
||||
ifndef SMAP
|
||||
ifndef TEXT_SEGMENT_START
|
||||
@echo "Missing parameter: TEXT_SEGMENT_START"
|
||||
@exit 1
|
||||
endif
|
||||
|
||||
ifndef TEXT_SEGMENT_END
|
||||
@echo "Missing parameter: TEXT_SEGMENT_END"
|
||||
@exit 1
|
||||
endif
|
||||
|
||||
ifndef SYSCALL_BASE_ADDR
|
||||
@echo "Missing parameter: SYSCALL_BASE_ADDR"
|
||||
@exit 1
|
||||
endif
|
||||
endif
|
||||
|
||||
$(MAKE) -C $(KDIR) M=$(shell pwd) EXTRA_CFLAGS="${OPTS}" modules
|
||||
|
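Review bot: Nothing checks that `${SMAP}` belongs to the kernel in `$(KDIR)`, so a System.map from another kernel passes every check here and bakes in addresses the module later dereferences; the same holds for values supplied through `TEXT_SEGMENT_START`/`TEXT_SEGMENT_END`/`SYSCALL_BASE_ADDR`, which are never validated once compiled in. A comment above `ifdef SMAP` should say so, e.g. `# SMAP must be the System.map of the kernel in KDIR; these addresses are baked in at build time and are not verified when the module loads`. The `grep` pattern also assumes `sys_call_table` is listed with type `R`, which I believe depends on architecture and config; a miss leaves a bare `0x` behind, which at least fails to compile. The `ifndef` blocks inside the `all:` recipe are evaluated when the Makefile is parsed rather than when the target runs; that works, but it reads as a runtime check, so a short comment there would help the next reader.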
@ -10,17 +10,9 @@
|
||||
|
||||
#include "hash.h"
|
||||
|
||||
unsigned long *begin_text_addr = (void *) 0xffffffff81000000;
|
||||
unsigned long *end_text_addr = (void *) 0xffffffff82000000;
|
||||
|
||||
/**
|
||||
* @brief Perform a hash over the kernel's text segment
|
||||
*
|
||||
* @return allocated buffer containing the hash string.
|
||||
*/
|
||||
unsigned char *kernel_text_hash(void) {
|
||||
return (unsigned char *) hash_data((void *) begin_text_addr,
|
||||
end_text_addr - begin_text_addr);
|
||||
return (unsigned char *) hash_data((void *) TEXT_SEGMENT_START,
|
||||
TEXT_SEGMENT_END - TEXT_SEGMENT_START);
|
||||
}
|
||||
|
||||
/**
|
||||
|
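Review bot: `kernel_text_hash` now depends on `TEXT_SEGMENT_START`/`TEXT_SEGMENT_END` being defined on the compiler command line, but nothing in this file says so, and a missing define produces an opaque syntax error inside the `return` expression. Add `#if !defined(TEXT_SEGMENT_START) || !defined(TEXT_SEGMENT_END)` / `#error "TEXT_SEGMENT_START and TEXT_SEGMENT_END must be defined (see Makefile)"` / `#endif` above the function, and parenthesise the macro uses in the length argument since they are substituted textually. The build-time range is also never checked against the running kernel before it is handed to `hash_data`, so a module built against the wrong System.map hashes whatever happens to be at those addresses; that caveat belongs in the function's doc comment.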
@ -19,19 +19,15 @@
|
||||
|
||||
#include "sysfs.h"
|
||||
#include "hash.h"
|
||||
|
||||
/* Behavioral options */
|
||||
//#define CAMB_HIDE_SELF
|
||||
#define CAMB_CHECK_HASH
|
||||
#define CAMB_CHECK_SYSCALL
|
||||
#define CAMB_HOOK_INSMOD
|
||||
#ifdef _HIDE_ME
|
||||
#include "hide.h"
|
||||
#endif
|
||||
|
||||
extern struct kobject *camb_kobj;
|
||||
char *module_str = "camb";
|
||||
|
||||
const char *module_str = "camb";
|
||||
static unsigned long **syscall_table = (unsigned long **) 0xffffffff81600200;
|
||||
static unsigned long **syscall_table = (unsigned long **) SYSCALL_BASE_ADDR;
|
||||
static unsigned long *syscall_table_copy[NR_syscalls];
|
||||
unsigned char *initial_hash = NULL;
|
||||
int (*orig_init_module)(void *, unsigned long, const char *);
|
||||
|
||||
/* Allow writes to executable memory pages */
|
||||
@ -58,7 +54,7 @@ int syscall_addr_modified_show(struct kobject *obj,
|
||||
}
|
||||
|
||||
/* Copy the system call pointer table */
|
||||
void grab_syscall_data(void) {
|
||||
void grab_syscall_table(void) {
|
||||
unsigned int i;
|
||||
for (i = 0; i < NR_syscalls; i++)
|
||||
syscall_table_copy[i] = syscall_table[i];
|
||||
@ -72,15 +68,13 @@ static int __init camb_init(void) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
#ifdef CAMB_CHECK_SYSCALL
|
||||
grab_syscall_data();
|
||||
/* Hide the fact that we're monitoring the system for tampering */
|
||||
#ifdef _HIDE_ME
|
||||
hide_me();
|
||||
#endif
|
||||
|
||||
#ifdef CAMB_CHECK_HASH
|
||||
initial_hash = kernel_text_hash();
|
||||
printk(KERN_INFO "Initial text hash: %s\n", initial_hash);
|
||||
#endif
|
||||
|
||||
grab_syscall_table();
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -91,11 +85,6 @@ static void __exit camb_exit(void) {
|
||||
kobject_put(camb_kobj);
|
||||
}
|
||||
|
||||
#ifdef CAMB_CHECK_HASH
|
||||
if (initial_hash) {
|
||||
kfree(initial_hash);
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
module_init(camb_init);
|
||||
|
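Review bot: In the `camb_init` hunk the initial text hash is still taken under `#ifdef CAMB_CHECK_HASH`, while the hunk at line 19 touches the `#define CAMB_CHECK_HASH` line; the rendered diff loses which side that line is on, but if the define was dropped then `initial_hash` is never computed and the integrity check this module exists for is silently compiled out, which should be made loud with `#error` or by defining it unconditionally. The `camb_exit` hunk likewise shows the `kfree(initial_hash)` block being touched; if it was removed, the buffer returned by `kernel_text_hash` is leaked on unload. `syscall_table` is now initialised from the build-time `SYSCALL_BASE_ADDR` with no sanity check before `grab_syscall_table` copies `NR_syscalls` entries from it; a comment such as `/* trusted from the build; not verified against the running kernel */` belongs on that line. Both `camb_init` and `camb_exit` start or end outside the visible hunks.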