Commit cf9cf743 authored by Tyler Nichols's avatar Tyler Nichols

Fixed a bug that was causing crashes.

parent 2ef0f00b
...@@ -19,7 +19,9 @@ ...@@ -19,7 +19,9 @@
unsigned long long *syscall_table = NULL; unsigned long *syscall_table = NULL;
//unsigned long *syscall_table = (unsigned long *)0xffffffff81801400;
asmlinkage int (*original_write)(unsigned int, const char __user *, size_t);
...@@ -106,8 +108,8 @@ static int find_sys_call_table (char *kern_ver) { ...@@ -106,8 +108,8 @@ static int find_sys_call_table (char *kern_ver) {
strncpy(sys_string, strsep(&system_map_entry_ptr, " "), MAX_VERSION_LEN); strncpy(sys_string, strsep(&system_map_entry_ptr, " "), MAX_VERSION_LEN);
//syscall_table = (unsigned long long *) kstrtoll(sys_string, NULL, 16); //syscall_table = (unsigned long long *) kstrtoll(sys_string, NULL, 16);
syscall_table = kmalloc(sizeof(unsigned long long), GFP_KERNEL); syscall_table = kmalloc(sizeof(unsigned long *), GFP_KERNEL);
kstrtoull(sys_string, 16, syscall_table); kstrtoul(sys_string, 16, syscall_table);
kfree(sys_string); kfree(sys_string);
...@@ -197,19 +199,11 @@ char *acquire_kernel_version (void) { ...@@ -197,19 +199,11 @@ char *acquire_kernel_version (void) {
return parsed_version; return parsed_version;
} }
/* asmlinkage int new_write (unsigned int x, const char __user *y, size_t size) {
* TODO Find a way to resolve this address dynamically. printk(KERN_EMERG "[+] write() hooked.");
* For now, find this value using:
* sudo cat /boot/System.map-$(uname -r) | grep 'sys_call_table' return original_write(x, y, size);
* And hard code it here. }
*/
//unsigned long *syscall_table = (unsigned long *)0xffffffff81801400;
//asmlinkage int (*original_write)(unsigned int, const char __user *, size_t);
//asmlinkage int new_write (unsigned int x, const char __user *y, size_t size) {
// printk(KERN_EMERG "[+] write() hooked.");
//
// return original_write(x, y, size);
//}
static int __init onload(void) { static int __init onload(void) {
printk(KERN_WARNING "Hello world!\n"); printk(KERN_WARNING "Hello world!\n");
...@@ -217,12 +211,16 @@ static int __init onload(void) { ...@@ -217,12 +211,16 @@ static int __init onload(void) {
find_sys_call_table(acquire_kernel_version()); find_sys_call_table(acquire_kernel_version());
printk(KERN_EMERG "Syscall table address: %llx\n", *syscall_table); printk(KERN_EMERG "Syscall table address: %lx\n", *syscall_table);
// write_cr0 (read_cr0 () & (~ 0x10000)); if (syscall_table != NULL) {
// original_write = (void *)syscall_table[__NR_write]; write_cr0 (read_cr0 () & (~ 0x10000));
// syscall_table[__NR_write] = &new_write; original_write = (void *)syscall_table[__NR_write];
// write_cr0 (read_cr0 () | 0x10000); syscall_table[__NR_write] = &new_write;
write_cr0 (read_cr0 () | 0x10000);
} else {
printk(KERN_EMERG "[-] onload: syscall_table is NULL\n");
}
/* /*
* A non 0 return means init_module failed; module can't be loaded. * A non 0 return means init_module failed; module can't be loaded.
...@@ -231,9 +229,13 @@ static int __init onload(void) { ...@@ -231,9 +229,13 @@ static int __init onload(void) {
} }
static void __exit onunload(void) { static void __exit onunload(void) {
// write_cr0 (read_cr0 () & (~ 0x10000)); if (syscall_table != NULL) {
// syscall_table[__NR_write] = original_write; write_cr0 (read_cr0 () & (~ 0x10000));
// write_cr0 (read_cr0 () | 0x10000); syscall_table[__NR_write] = original_write;
write_cr0 (read_cr0 () | 0x10000);
} else {
printk(KERN_EMERG "[-] onunload: syscall_table is NULL\n");
}
printk(KERN_INFO "Goodbye world!\n"); printk(KERN_INFO "Goodbye world!\n");
} }
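Review bot: The NULL guard added in onload at `if (syscall_table != NULL)` sits one line after `printk(KERN_EMERG "Syscall table address: %lx\n", *syscall_table);` has already dereferenced the pointer, so the crash this commit targets still happens before the guard is reached; the printk must move inside the if. The pointer is also the wrong thing to index: find_sys_call_table does `syscall_table = kmalloc(sizeof(unsigned long *), GFP_KERNEL); kstrtoul(sys_string, 16, syscall_table);` (neither result checked), so `syscall_table` is a one-element heap cell holding the table's address, and `syscall_table[__NR_write]` in both onload and onunload reads and writes past that cell instead of touching sys_call_table — the hook never lands and a neighbouring slab object is overwritten. The commented-out `unsigned long *syscall_table = (unsigned long *)0xffffffff81801400;` shows the intended shape: parse into a local, store the value as the pointer, and print `(unsigned long)syscall_table` rather than `*syscall_table`, which also removes the kmalloc that onunload never frees. find_sys_call_table starts and ends outside its hunk, so the excerpt below shows only the lines around the kstrtoul plus the moved printk. Separately, the `printk` in new_write lacks a trailing newline and fires on every write() system-wide, and clearing CR0.WP through write_cr0() is presumably ineffective on kernels that pin WP — both worth a comment but outside this fix.
```c
/* … unchanged: find_sys_call_table up to the strncpy into sys_string … */
unsigned long table_addr = 0;
if (kstrtoul(sys_string, 16, &table_addr) == 0 && table_addr != 0) {
    syscall_table = (unsigned long *)table_addr;   /* the table itself, not a heap cell holding its address */
}
kfree(sys_string);

/* … unchanged: onload up to find_sys_call_table(acquire_kernel_version()) … */
if (syscall_table != NULL) {
    printk(KERN_EMERG "Syscall table address: %lx\n", (unsigned long)syscall_table);
    /* … unchanged: write_cr0 / original_write / hook / write_cr0 … */
}
```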