Makefile more flexible; fix a few bugs; optionally naively hide module

This commit is contained in:
Sean Williams 2014-11-21 22:45:52 -08:00
parent 376b292c57
commit 7a81544ac0
5 changed files with 85 additions and 34 deletions


@ -0,0 +1,24 @@
#include <linux/module.h>
#include "hide.h"
extern char *module_str;
void rm_mod_from_list(void) {
THIS_MODULE->list.next->prev = THIS_MODULE->list.prev;
THIS_MODULE->list.prev->next = THIS_MODULE->list.next;
}
void rm_mod_from_sysfs(void) {
kobject_del(THIS_MODULE->holders_dir->parent);
}
void rm_mod_from_ddebug_tables(void) {
ddebug_remove_module(module_str);
}
void hide_me(void) {
rm_mod_from_list();
rm_mod_from_sysfs();
rm_mod_from_ddebug_tables();
}
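Review bot: `extern char *module_str;` declares the object with a type different from its definition, which this same commit changes in main.c to `const char *module_str = "camb";`; two incompatible declarations of one object across translation units are undefined behaviour, and this one also silently drops the const, so it should read `extern const char *module_str;` (declaring it once in a shared header would keep the two in step). None of the four functions carries a comment, and `hide_me` in particular should state its irreversible side effect, e.g. `/* Unlinks the module from the module list, sysfs and the ddebug tables. Not reversible: once unlinked, rmmod presumably cannot find the module any more, so camb_exit() never runs. */`. The `const` change is safe as long as `ddebug_remove_module` takes a `const char *`, which is what the kernel headers I know declare — worth confirming against the target tree.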


@ -0,0 +1,4 @@
void rm_mod_from_list(void);
void rm_mod_from_sysfs(void);
void rm_mod_from_ddebug_tables(void);
void hide_me(void);
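Review bot: The header has no include guard; repeated prototype declarations are legal, but a guard is the usual convention and protects any object declaration added here later, so wrap the file in `#ifndef CAMB_HIDE_H`, `#define CAMB_HIDE_H` … `#endif /* CAMB_HIDE_H */`. The `module_str` symbol that hide.c reaches through a local `extern` belongs in this header as `extern const char *module_str;`, so that its single declaration matches the `const char *` definition in main.c instead of drifting from it.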


@ -1,5 +1,47 @@
obj-m += camb.o
camb-objs += main.o hash.o sysfs.o
camb-objs += main.o sysfs.o hash.o
# We need headers to build against a specific kernel version
ifndef KDIR
KDIR = /lib/modules/$(shell uname -r)/build
# @echo "Using default kernel directory: ${KDIR}"
endif
# If user specifies a System.map, get addresses from there
ifdef SMAP
OPTS += -DTEXT_SEGMENT_START="0x$(shell grep '\s\+T\s\+_stext\b' ${SMAP} | cut -f1 -d' ')"
OPTS += -DTEXT_SEGMENT_END="0x$(shell grep '\s\+T\s\+_etext\b' ${SMAP} | cut -f1 -d' ')"
OPTS += -DSYSCALL_BASE_ADDR="0x$(shell grep '\s\+R\s\+sys_call_table\b' ${SMAP} | cut -f1 -d' ')"
# Otherwise, they must be present on the build line
else
OPTS += -DTEXT_SEGMENT_START="${TEXT_SEGMENT_START}"
OPTS += -DTEXT_SEGMENT_END="${TEXT_SEGMENT_END}"
OPTS += -DSYSCALL_BASE_ADDR="${SYSCALL_BASE_ADDR}"
endif
ifdef HIDE_ME
OPTS += -D_HIDE_ME
camb-objs += hide.o
endif
all:
$(MAKE) -C /lib/modules/$(shell uname -r)/build M=$(shell pwd) modules
ifndef SMAP
ifndef TEXT_SEGMENT_START
@echo "Missing parameter: TEXT_SEGMENT_START"
@exit 1
endif
ifndef TEXT_SEGMENT_END
@echo "Missing parameter: TEXT_SEGMENT_END"
@exit 1
endif
ifndef SYSCALL_BASE_ADDR
@echo "Missing parameter: SYSCALL_BASE_ADDR"
@exit 1
endif
endif
$(MAKE) -C $(KDIR) M=$(shell pwd) EXTRA_CFLAGS="${OPTS}" modules
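Review bot: `OPTS += -D_HIDE_ME` introduces a macro name beginning with an underscore and an uppercase letter, which C reserves for the implementation; `-DCAMB_HIDE_ME` would match the existing `CAMB_CHECK_*` option names, and the two `#ifdef _HIDE_ME` guards in main.c need the same rename. In the `ifdef SMAP` branch a symbol that grep does not find expands to a bare `0x`, which breaks the build with an unhelpful compiler message; capture each lookup in a variable and fail at parse time with `$(error ...)` when one is empty, as sketched below. Nothing checks that the System.map named by SMAP belongs to the kernel in KDIR, so a mismatch silently bakes wrong addresses into the module; a comment on the `ifdef SMAP` line should at least state that requirement, e.g. `# SMAP must be the System.map of the kernel in KDIR`.
```makefile
# … unchanged: obj-m, camb-objs, KDIR …
ifdef SMAP
STEXT := $(shell grep '\s\+T\s\+_stext\b' ${SMAP} | cut -f1 -d' ')
ETEXT := $(shell grep '\s\+T\s\+_etext\b' ${SMAP} | cut -f1 -d' ')
SCTBL := $(shell grep '\s\+R\s\+sys_call_table\b' ${SMAP} | cut -f1 -d' ')
# All three symbols must resolve; a missing one would otherwise become a bare "0x"
ifneq ($(words $(STEXT) $(ETEXT) $(SCTBL)),3)
$(error SMAP=$(SMAP): could not resolve _stext/_etext/sys_call_table)
endif
OPTS += -DTEXT_SEGMENT_START="0x$(STEXT)"
OPTS += -DTEXT_SEGMENT_END="0x$(ETEXT)"
OPTS += -DSYSCALL_BASE_ADDR="0x$(SCTBL)"
# … unchanged: else branch, HIDE_ME, all target …
```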


@ -10,17 +10,9 @@
#include "hash.h"
unsigned long *begin_text_addr = (void *) 0xffffffff81000000;
unsigned long *end_text_addr = (void *) 0xffffffff82000000;
/**
* @brief Perform a hash over the kernel's text segment
*
* @return allocated buffer containing the hash string.
*/
unsigned char *kernel_text_hash(void) {
return (unsigned char *) hash_data((void *) begin_text_addr,
end_text_addr - begin_text_addr);
return (unsigned char *) hash_data((void *) TEXT_SEGMENT_START,
TEXT_SEGMENT_END - TEXT_SEGMENT_START);
}
/**
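Review bot: The doc comment above `kernel_text_hash` still says it hashes "the kernel's text segment", but the new body hashes whatever range `TEXT_SEGMENT_START`..`TEXT_SEGMENT_END` was supplied on the build line, with no check that the end lies above the start or that the pair belongs to the booted kernel; extend the comment with ` * @note Range is fixed at build time (TEXT_SEGMENT_START/END from System.map); it must match the running kernel, and a kernel that relocates its text (e.g. a randomized base) will hash the wrong bytes.`. A reversed pair makes the length wrap to a huge value before `hash_data` reads it, so a `BUILD_BUG_ON(TEXT_SEGMENT_END <= TEXT_SEGMENT_START);` as the first statement of the function would catch that at compile time. If `begin_text_addr` and `end_text_addr` survive this change they are now unused and can be dropped, though their status is not certain from this view.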


@ -19,19 +19,15 @@
#include "sysfs.h"
#include "hash.h"
/* Behavioral options */
//#define CAMB_HIDE_SELF
#define CAMB_CHECK_HASH
#define CAMB_CHECK_SYSCALL
#define CAMB_HOOK_INSMOD
#ifdef _HIDE_ME
#include "hide.h"
#endif
extern struct kobject *camb_kobj;
char *module_str = "camb";
const char *module_str = "camb";
static unsigned long **syscall_table = (unsigned long **) 0xffffffff81600200;
static unsigned long **syscall_table = (unsigned long **) SYSCALL_BASE_ADDR;
static unsigned long *syscall_table_copy[NR_syscalls];
unsigned char *initial_hash = NULL;
int (*orig_init_module)(void *, unsigned long, const char *);
/* Allow writes to executable memory pages */
@ -58,7 +54,7 @@ int syscall_addr_modified_show(struct kobject *obj,
}
/* Copy the system call pointer table */
void grab_syscall_data(void) {
void grab_syscall_table(void) {
unsigned int i;
for (i = 0; i < NR_syscalls; i++)
syscall_table_copy[i] = syscall_table[i];
@ -72,14 +68,12 @@ static int __init camb_init(void) {
return -1;
}
#ifdef CAMB_CHECK_SYSCALL
grab_syscall_data();
/* Hide the fact that we're monitoring the system for tampering */
#ifdef _HIDE_ME
hide_me();
#endif
#ifdef CAMB_CHECK_HASH
initial_hash = kernel_text_hash();
printk(KERN_INFO "Initial text hash: %s\n", initial_hash);
#endif
grab_syscall_table();
return 0;
}
@ -91,11 +85,6 @@ static void __exit camb_exit(void) {
kobject_put(camb_kobj);
}
#ifdef CAMB_CHECK_HASH
if (initial_hash) {
kfree(initial_hash);
}
#endif
}
module_init(camb_init);
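Review bot: The last hunk removes the `kfree(initial_hash)` block from `camb_exit`, so with `CAMB_CHECK_HASH` enabled the buffer returned by `kernel_text_hash()` is never released on unload — unless it is freed somewhere outside this view, restore `kfree(initial_hash);` there (`kfree(NULL)` is a no-op, so the old `if` is optional). In `camb_init`, `hide_me()` now runs before `initial_hash` is allocated, and once the module is unlinked `camb_exit` is presumably unreachable via rmmod, so the comment on that call should say that everything allocated after it lives until reboot, e.g. `/* Hide the module; after this rmmod cannot find us, so camb_exit() never runs */`. The `#ifdef CAMB_CHECK_SYSCALL` in the middle hunk has no visible `#endif` while `grab_syscall_table()` now sits after the `CAMB_CHECK_HASH` block; if that guard still exists, the call has moved out from under it, which is worth confirming.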